Upstream has issued an advisory today (October 22): http://openwall.com/lists/oss-security/2017/10/22/4 The issues are fixed in 1.0.5. The upstream commit fixing the issues is linked from the message above. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOOCC: (none) => jani.valimaa
Updated packages uploaded for Mageia 5, Mageia 6, and Cauldron by Jani. Advisory: ======================== Updated irssi packages fix security vulnerabilities: While waiting for the channel synchronization, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditions when updating the state later on (CVE-2017-15227). When installing themes with unterminated color formatting sequences, Irssi may access data beyond the end of the string. (CVE-2017-15228). Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference (CVE-2017-15721). In certain cases Irssi may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string (CVE-2017-15722). Overlong nicks or targets may result in a NULL pointer dereference while splitting the message (CVE-2017-15723). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15227 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15228 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15721 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15722 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15723 http://openwall.com/lists/oss-security/2017/10/22/4 ======================== Updated packages in core/updates_testing: ======================== irssi-0.8.21-1.3.mga5 irssi-devel-0.8.21-1.3.mga5 irssi-perl-0.8.21-1.3.mga5 irssi-1.0.5-1.mga6 irssi-devel-1.0.5-1.mga6 irssi-perl-1.0.5-1.mga6 from SRPMS: irssi-0.8.21-1.3.mga5.src.rpm irssi-1.0.5-1.mga6.src.rpm
CC: (none) => cookerVersion: Cauldron => 6Assignee: cooker => qa-bugsWhiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Advisory reference...we can use the upstream URL instead of the openwall one: https://irssi.org/security/irssi_sa_2017_10.txt
openSUSE has issued an advisory for this today (October 23): https://lists.opensuse.org/opensuse-updates/2017-10/msg00082.html
mga6::x86_64 There does not seem to be any way to reproduce the issues connected with the CVEs. Installed the three packages and used the commandline to invoke irssi, using the existing user configuration to connect to freenode. Credentials passed automatically. Joined #mageia-qa and left a short message. Checked the /away command via /help, noting that it does not tell you how to get back. /away -one <message> worked. Experimented with commands like /reconnect and bogus commands like /unaway and /back. Tried /away -one and that removed the away status OK. It works fine.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
mga5::x86_64 Installed irssi-devel and that pulled in irssi and irssi-perl. $ irssi Connected to freenode courtesy of the config file in $HOME/.irssi. /join #mageia-qa Posted a message and lurked awhile. /away -one did not work. Had to: /away -one <message> to see the Zzzz in the status bar. /away -one to return to the chatroom. /part /quit $ That is as far as I can push it. It looks OK.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
MGA5-32 on Asus A6000VM Xfce No installation issues. Tx to Lewis bug21199 Comment 10, I could connect to mageia-qa, post to it (no response received) and quit. Seems to work OK
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK MGA5-32-OKCC: (none) => herman.viaene
Got confirmation by e-mail from Marja that she saw my inputs. Tx.
Keywords: (none) => advisory, validated_updateCC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0393.html
Status: NEW => RESOLVEDResolution: (none) => FIXED