Bug 26267

Summary: weechat new security issue CVE-2020-8955
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: weechat-2.4-2.mga7.src.rpm CVE: CVE-2020-8955
Status comment: Patch available from upstream

Description David Walser 2020-02-27 22:52:56 CET 
openSUSE has issued an advisory today (February 27):
https://lists.opensuse.org/opensuse-updates/2020-02/msg00095.html

The upstream commit that fixes the issue is linked from the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1163889

Mageia 7 is also affected.
David Walser 2020-02-27 22:53:16 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from upstream

Comment 1 Lewis Smith 2020-02-28 18:56:36 CET 
Assigning to Stig who has done the recent updates for this.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2020-02-28 21:14:08 CET 
Weechat 2.7.1 has been pushed to Cauldron.
Comment 3 Stig-Ørjan Smelror 2020-02-28 21:18:58 CET 
Advisory
========
Weechat has been updated to include a security fix.

CVE-2020-8955: irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a malformed IRC message 324 (channel mode).

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2020-8955
https://lists.opensuse.org/opensuse-updates/2020-02/msg00095.html

Files
=====

Uploaded to core/updates_testing

weechat-2.4-2.1.mga7
weechat-perl-2.4-2.1.mga7
weechat-python-2.4-2.1.mga7
weechat-guile-2.4-2.1.mga7
weechat-tcl-2.4-2.1.mga7
weechat-ruby-2.4-2.1.mga7
weechat-lua-2.4-2.1.mga7
weechat-charset-2.4-2.1.mga7
weechat-aspell-2.4-2.1.mga7
weechat-devel-2.4-2.1.mga7

from weechat-2.4-2.1.mga7.src.rpm

Source RPM: weechat-2.7-2.mga8.src.rpm => weechat-2.4-2.mga7.src.rpm
Assignee: smelror => qa-bugs
CVE: (none) => CVE-2020-8955
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 4 Herman Viaene 2020-02-29 11:47:14 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug21802 Comment 4 and info in https://weechat.org/files/doc/stable/weechat_quickstart.en.html
I can connect to the #mageia-qa channel and post two lines. Nobody there to answer, so OK as far as I could.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2020-03-01 14:30:55 CET 
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-03-06 15:31:46 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-03-06 17:15:52 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0122.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED