Bug 22328 - irssi new security issues fixed upstream in 1.0.6 (CVE-2018-520[5-8])
Summary: irssi new security issues fixed upstream in 1.0.6 (CVE-2018-520[5-8])
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-01-06 17:49 CET by Jani Välimaa
Modified: 2018-01-12 20:50 CET (History)
6 users (show)

See Also:
Source RPM:
CVE:
Status comment:


Attachments

Description Jani Välimaa 2018-01-06 17:49:33 CET
Upstream has issued an advisory:
http://openwall.com/lists/oss-security/2018/01/06/2

The issues are fixed in 1.0.6.
Comment 1 Jani Välimaa 2018-01-06 17:52:39 CET
Upstream security advisory:
https://irssi.org/security/irssi_sa_2018_01.txt
Jani Välimaa 2018-01-06 18:15:52 CET

Whiteboard: (none) => MGA5TOO

Comment 2 Jani Välimaa 2018-01-06 18:18:29 CET
Pushed fixed version to core/updates_testing for mga6:

SRPM:
irssi-1.0.6-1.mga6

RPMS:
irssi-1.0.6-1.mga6
irssi-devel-1.0.6-1.mga6
irssi-perl-1.0.6-1.mga6
Comment 3 Jani Välimaa 2018-01-06 18:22:21 CET
3/4 patches from upstream applies to mga5's irssi-0.8.21. I'll need to check if other distros has any patches for the one that is failing.
Jani Välimaa 2018-01-06 18:25:12 CET

See Also: (none) => http://bugs.debian.org/886475

Comment 4 Marja Van Waes 2018-01-07 06:54:09 CET
I guess it's too early to assign to QA team, assigning to wally who is working on this.

CC: (none) => marja11
Assignee: bugsquad => jani.valimaa

Comment 5 David Walser 2018-01-07 19:22:27 CET
We don't need to update it for Mageia 5 at this point, but if you're able to check patches for it into SVN, that'd be nice just in case anyone wants to build it for themselves.
Comment 6 David Walser 2018-01-10 23:39:17 CET
Ubuntu has issued an advisory for this on January 10:
https://usn.ubuntu.com/usn/usn-3527-1/

You can get patches for 0.8.x from them.

Severity: normal => major

Comment 7 Jani Välimaa 2018-01-11 19:46:45 CET
Added patches from Ubuntu to mga5's irssi 0.8.21. Pushed new release to core/updates_testing.

SRPMS:
irssi-0.8.21-1.4.mga5

RPMS:
irssi-0.8.21-1.4.mga5
irssi-devel-0.8.21-1.4.mga5
irssi-perl-0.8.21-1.4.mga5

Assignee: jani.valimaa => qa-bugs

Comment 8 Len Lawrence 2018-01-11 22:00:24 CET
Mageia 6 :: x86_64

Updated the three packages and used irssi to attend the QA meeting.
Running well, as always.

Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
CC: (none) => tarazed25

Comment 9 David Walser 2018-01-12 03:04:40 CET
I don't think we're supposed to be pushing Mageia 5 updates at this point beyond Spectre/Meltdown-related updates, but the Mageia 5 build can be used by those still on 5 while it's still there.

Advisory:
========================

Updated irssi packages fix security vulnerabilities:

Joseph Bisch discovered that Irssi incorrectly handled incomplete escape
codes. If a user were tricked into using malformed commands or opening
malformed files, an attacker could use this issue to cause Irssi to crash,
resulting in a denial of service (CVE-2018-5205).

Joseph Bisch discovered that Irssi incorrectly handled settings the channel
topic without specifying a sender. A malicious IRC server could use this
issue to cause Irssi to crash, resulting in a denial of service
(CVE-2018-5206).

Joseph Bisch discovered that Irssi incorrectly handled incomplete variable
arguments. If a user were tricked into using malformed commands or opening
malformed files, an attacker could use this issue to cause Irssi to crash,
resulting in a denial of service (CVE-2018-5207).

Joseph Bisch discovered that Irssi incorrectly handled completing certain
strings. An attacker could use this issue to cause Irssi to crash,
resulting in a denial of service, or possibly execute arbitrary code
(CVE-2018-5208).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5208
https://usn.ubuntu.com/usn/usn-3527-1/

CC: (none) => luigiwalser

Comment 10 Lewis Smith 2018-01-12 09:51:43 CET
Thanks Len.
Advisory done from comments 2, 7, 9; for both releases.

(In reply to David Walser from comment #9)
> I don't think we're supposed to be pushing Mageia 5 updates at this point
> beyond Spectre/Meltdown-related updates, but the Mageia 5 build can be used
> by those still on 5 while it's still there.
I am happy to do the Mageia 5 test, as the update is there.

CC: (none) => lewyssmith

Lewis Smith 2018-01-12 09:52:33 CET

Keywords: (none) => advisory

Comment 11 PC LX 2018-01-12 11:38:35 CET
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.

Tests included general IRC stuff, file transfers and general time wasting chats.

$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ journalctl -xb | grep -o install.*.*irss.*success | sort -u
install irssi-1.0.6-1.mga6.x86_64: success
install irssi-perl-1.0.6-1.mga6.x86_64: success

CC: (none) => mageia

Comment 12 Lewis Smith 2018-01-12 13:14:31 CET
Testing M5 x64

BEFORE upoate: irssi-0.8.21-1.3.mga5   irssi-perl-0.8.21-1.3.mga5
known to work.

AFTER update:  irssi-0.8.21-1.4.mga5   irssi-perl-0.8.21-1.4.mga5
 $ irssi
fires up the curses screen.
/help shows all the possible cammands; /help <command> gives details.
I did /server irc.freenode.net, /nick to give myself a nickname, /join #mageia-qa did just that, showing MOTD, logged-un users etc. Send a line, /part, /quit all works as expected.
This looks an application to remember for 'curses' testing. OKing & validating.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2018-01-12 20:50:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0069.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.