Upstream has issued an advisory today (October 22):
The issues are fixed in 1.0.5. The upstream commit fixing the issues is linked from the message above.
Mageia 5 and Mageia 6 are also affected.
Updated packages uploaded for Mageia 5, Mageia 6, and Cauldron by Jani.
Updated irssi packages fix security vulnerabilities:
While waiting for the channel synchronization, Irssi may incorrectly fail to
remove destroyed channels from the query list, resulting in use after free
conditions when updating the state later on (CVE-2017-15227).
When installing themes with unterminated color formatting sequences, Irssi may
access data beyond the end of the string. (CVE-2017-15228).
Certain incorrectly formatted DCC CTCP messages could cause NULL pointer
In certain cases Irssi may fail to verify that a Safe channel ID is long
enough, causing reads beyond the end of the string (CVE-2017-15722).
Overlong nicks or targets may result in a NULL pointer dereference while
splitting the message (CVE-2017-15723).
Updated packages in core/updates_testing:
MGA6TOO, MGA5TOO =>
Advisory reference...we can use the upstream URL instead of the openwall one:
openSUSE has issued an advisory for this today (October 23):
There does not seem to be any way to reproduce the issues connected with the CVEs.
Installed the three packages and used the commandline to invoke irssi, using the existing user configuration to connect to freenode. Credentials passed automatically. Joined #mageia-qa and left a short message. Checked the /away command via /help, noting that it does not tell you how to get back.
/away -one <message>
worked. Experimented with commands like /reconnect and bogus commands like /unaway and /back. Tried /away -one and that removed the away status OK.
It works fine.
Installed irssi-devel and that pulled in irssi and irssi-perl.
Connected to freenode courtesy of the config file in $HOME/.irssi.
Posted a message and lurked awhile.
did not work. Had to:
/away -one <message>
to see the Zzzz in the status bar.
to return to the chatroom.
That is as far as I can push it. It looks OK.
MGA5TOO MGA6-64-OK =>
MGA5TOO MGA6-64-OK MGA5-64-OK
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Tx to Lewis bug21199 Comment 10, I could connect to mageia-qa, post to it (no response received) and quit.
Seems to work OK
MGA5TOO MGA6-64-OK MGA5-64-OK =>
MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OKCC:
Got confirmation by e-mail from Marja that she saw my inputs. Tx.
An update for this issue has been pushed to the Mageia Updates repository.