Bug 21199 - irssi new security issues CVE-2017-10965 and CVE-2017-10966
Summary: irssi new security issues CVE-2017-10965 and CVE-2017-10966
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO mga5-32-ok advisory MGA6-64-O...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-07-07 17:44 CEST by David Walser
Modified: 2017-07-24 23:54 CEST (History)
5 users (show)

See Also:
Source RPM: irssi-1.0.3-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-07-07 17:44:44 CEST
Upstream has issued an advisory:
http://openwall.com/lists/oss-security/2017/07/07/3

The issues are fixed in 1.0.4 and the commit to fix them is linked in the message above.

Mageia 5 is also affected.
David Walser 2017-07-07 17:44:55 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-07-08 18:00:05 CEST
openSUSE has issued an advisory for this today (July 8):
https://lists.opensuse.org/opensuse-updates/2017-07/msg00044.html
Comment 2 Jani Välimaa 2017-07-09 19:13:19 CEST
Should be fixed for mga5 with irssi-0.8.21-1.2.mga5 in core/updates_testing.

I will fix mga6 after SVN branching is done.

Assignee: jani.valimaa => qa-bugs

Comment 3 David Walser 2017-07-09 22:17:17 CEST
Full package list so far:
irssi-0.8.21-1.2.mga5
irssi-devel-0.8.21-1.2.mga5
irssi-perl-0.8.21-1.2.mga5

It doesn't sound like these issues are the most serious, so I think we can wait for the Mageia 6 update before pushing this.

CC: (none) => qa-bugs
Assignee: qa-bugs => jani.valimaa

Comment 4 David Walser 2017-07-22 01:31:37 CEST
Updated packages uploaded for Mageia 6 and Cauldron by Jani.  Assigning to QA.

Mageia 6 package list:
irssi-1.0.4-1.mga6
irssi-devel-1.0.4-1.mga6
irssi-perl-1.0.4-1.mga6

Assignee: jani.valimaa => qa-bugs
CC: qa-bugs => jani.valimaa
Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 5 David Walser 2017-07-22 01:42:33 CEST
Advisory:
========================

Updated irssi packages fix security vulnerabilities:

A malicious server could cause irssi to crash by providing an invalid timestamp
(CVE-2017-10965).

Undefined behavior may be triggered when irssi updates the internal nick list
(CVE-2017-10966).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10965
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10966
https://lists.opensuse.org/opensuse-updates/2017-07/msg00044.html
========================

Updated packages in core/updates_testing:
========================
irssi-0.8.21-1.2.mga5
irssi-devel-0.8.21-1.2.mga5
irssi-perl-0.8.21-1.2.mga5
irssi-1.0.4-1.mga6
irssi-devel-1.0.4-1.mga6
irssi-perl-1.0.4-1.mga6

from SRPMS:
irssi-0.8.21-1.2.mga5.src.rpm
irssi-1.0.4-1.mga6.src.rpm
Comment 6 Brian Rockwell 2017-07-22 06:55:03 CEST
$ uname -a
Linux localhost.localdomain 4.4.74-desktop-1.mga5 #1 SMP Mon Jun 26 08:33:18 UTC 2017 i686 i686 i686 GNU/Linux

Installed irssi 8.21-1.2

Irssi v0.8.21 - http://www.irssi.org                                           
23:54 -!-  ___           _
23:54 -!- |_ _|_ _ _____(_)
23:54 -!-  | || '_(_-<_-< |
23:54 -!- |___|_| /__/__/_|
23:54 -!- Irssi v0.8.21 - http://www.irssi.org

connected to freenode and mageia seems to be working as designed.

CC: (none) => brtians1
Whiteboard: MGA5TOO => MGA5TOO mga5-32-ok

Lewis Smith 2017-07-22 10:07:01 CEST

Whiteboard: MGA5TOO mga5-32-ok => MGA5TOO mga5-32-ok advisory
CC: (none) => lewyssmith

Comment 7 Len Lawrence 2017-07-23 10:31:24 CEST
mga6  x86_64

Installed the updates and used ~/.irssi/config
$ irssi
09:20 -!- Mode change [+Zi] for user tarazed
09:20 -!- tarazed [~lcl@cpc105078-sgyl40-2-0-cust252.18-2.cable.virginm.net] 
          has joined #mageia-qa
09:20 -!- Topic for #mageia-qa: Mageia QA channel 
          https://wiki.mageia.org/en/QA_Team | Welcome, join the team! | 
          Meetings here Thursdays @ 19UTC | Updates waiting: 
          http://mageia.madb.org/tools/updates | Here's how: 
          http://bit.ly/Ne2lPP | Tips: http://bit.ly/17RzpIB | Mga6 Tracker 
          http://bit.ly/1VDrJAw
09:20 -!- Topic set by Inigo_Montoya` [~supybot@xvm-164-207.ghst.net] [Thu Jul 
          20 20:38:59 2017]
09:20 [Users #mageia-qa]
09:20 [ [mbot`         ] [ Inigo_Montoya`] [ neoclust    ] [ stef74   ] 
09:20 [ Akien          ] [ jkerr82508    ] [ NyB         ] [ stormi   ] 
09:20 [ Aussie_matt    ] [ King_InuYasha ] [ papoteur_   ] [ tarazed  ] 
09:20 [ barjac         ] [ leuhmanu      ] [ Pharaoh_Atem] [ treegazer] 
09:20 [ davesnothereman] [ Luigi12       ] [ philippem   ] [ wally_   ] 
09:20 [ david_david    ] [ marja         ] [ rindolf     ] [ wikigazer] 
09:20 [ Eagle_Erwin    ] [ marja9        ] [ sander85    ] 
09:20 [ ennael         ] [ MrsB          ] [ Sophie      ] 
09:20 -!- Irssi: #mageia-qa: Total of 30 nicks [0 ops, 0 halfops, 0 voices, 30 
          normal]
09:20 -!- Channel #mageia-qa created Thu Jan  6 12:25:17 2011
09:20 -NickServ(NickServ@services.)- tarazed is not a registered nickname.
09:20 -!- Irssi: Join to #mageia-qa was synced in 7 secs

Typed:
/join #mageia-qa
to actually talk in the Mageia chatroom.
/part
/exit

No apparent problems.

CC: (none) => tarazed25

Len Lawrence 2017-07-23 10:31:44 CEST

Whiteboard: MGA5TOO mga5-32-ok advisory => MGA5TOO mga5-32-ok advisory MGA6-64-OK

Comment 8 Len Lawrence 2017-07-23 12:54:36 CEST
mga6 on i586 virtualbox

Installed irssi and used the default config file in ~/.irssi
$ irssi
Irssi v1.0.3 - http://www.irssi.org                                            
11:33 -!-  ___           _
11:33 -!- |_ _|_ _ _____(_)
11:33 -!-  | || '_(_-<_-< |
11:33 -!- |___|_| /__/__/_|
11:33 -!- Irssi v1.0.3 - http://www.irssi.org
11:33 -!- Irssi: Client: irssi 1.0.3 (20170605 1625)
11:33 -!- Irssi: Not connected to server

/version
-> 11:36 -!- Irssi: Client: irssi 1.0.3 (20170605 1625)

Joined freenode and mageia qa channel:
/join #mageia-qa
-> 11:39 -!- lcl [~lcl@cpc105078-sgyl40-2-0-cust252.18-2.cable.virginm.net] has 
          joined #mageia-qa
   11:39 -!- Topic for #mageia-qa: Mageia QA channel 
/part

Installed the updates and imported config file from the host machine.
$ irssi
11:47 -!- Irssi: #mageia-qa: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 
          normal]
11:47 -!- Channel #mageia-qa created Thu Jan  6 12:25:17 2011
11:47 -NickServ(NickServ@services.)- tarazed is not a registered nickname.
11:47 -!- Irssi: Join to #mageia-qa was synced in 6 secs

/version
11:48 -!- Irssi: Client: irssi 1.0.4 (20170705 1712)
11:48 -!- ircd-seven-1.1.4(20170104-717fbca8dbac,charybdis-3.4-dev). 
          tolkien.freenode.net eHIKMpSZ6 TS6ow 07I
11:48 -!- CHANTYPES=# EXCEPTS INVEX CHANMODES=eIbq,k,flj,CFLMPQScgimnprstz 
....................

/nick tarazed
/join #mageia-qa
11:51 -!- Irssi: You are now talking in #mageia-qa
/part
11:52 -!- tarazed ............  has left #mageia-qa []
/quit

Good enough.
Len Lawrence 2017-07-23 12:54:56 CEST

Whiteboard: MGA5TOO mga5-32-ok advisory MGA6-64-OK => MGA5TOO mga5-32-ok advisory MGA6-64-OK MGA6-32-OK

Comment 9 Len Lawrence 2017-07-23 14:14:10 CEST
mga5  i586  virtualbox

Installed irssi, checked that it worked and installed the updates.

$ irssi
........................
13:07 -!- Irssi: #mageia-qa: Total of 31 nicks [0 ops, 0 halfops, 0 voices, 31 
          normal]
13:07 -!- Channel #mageia-qa created Thu Jan  6 12:25:17 2011
13:07 -NickServ(NickServ@services.)- tarazed is not a registered nickname.
13:07 -!- Irssi: Join to #mageia-qa was synced in 6 secs

/version
13:08 -!- Irssi: Client: irssi 0.8.21 (20170103 1424)
13:08 -!- ircd-seven-1.1.4(20170104-717fbca8dbac,charybdis-3.4-dev). 
          tolkien.freenode.net eHIKMpSZ6 TS6ow 07I

Checked /help and /help <some command>

/join #mageia-qa
13:11 -!- Irssi: You are now talking in #mageia-qa
13:12 < tarazed> Sorry folks - it's me again.
/part
/quit

Good for mga5 as well.
Len Lawrence 2017-07-23 14:14:41 CEST

Whiteboard: MGA5TOO mga5-32-ok advisory MGA6-64-OK MGA6-32-OK => MGA5TOO mga5-32-ok advisory MGA6-64-OK MGA6-32-OK MGA5-32-OK

Comment 10 Lewis Smith 2017-07-24 09:53:09 CEST
Testing M5-64
"Irssi - a modular IRC client for UNIX". Updated to:
 irssi-0.8.21-1.2.mga5
 irssi-perl-0.8.21-1.2.mga5

 $ irssi
 Irssi v0.8.21 - http://www.irssi.org                                           
09:39 -!-  ___           _
09:39 -!- |_ _|_ _ _____(_)
09:39 -!-  | || '_(_-<_-< |
09:39 -!- |___|_| /__/__/_|
09:39 -!- Irssi v0.8.21 - http://www.irssi.org

/help           to see available commands.
/server freenode
/nick <nickname>
/join #mageia-qa
showed the usual header, list of logged-in users. Could talk to it.
/part, /quit
 $

I could not set a nickname before connecting to a server, where it seems to use initially the local login name. There are parameters to give some details on the command line:
 $ irssi -c freenode -n <nickname>

Validating this update.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO mga5-32-ok advisory MGA6-64-OK MGA6-32-OK MGA5-32-OK => MGA5TOO mga5-32-ok advisory MGA6-64-OK MGA6-32-OK MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2017-07-24 23:54:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0216.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.