Upstream has issued an advisory: http://openwall.com/lists/oss-security/2018/01/06/2 The issues are fixed in 1.0.6.
Upstream security advisory: https://irssi.org/security/irssi_sa_2018_01.txt
Whiteboard: (none) => MGA5TOO
Pushed fixed version to core/updates_testing for mga6:
SRPM:
irssi-1.0.6-1.mga6
RPMS:
irssi-1.0.6-1.mga6
irssi-devel-1.0.6-1.mga6
irssi-perl-1.0.6-1.mga6
3/4 patches from upstream apply to mga5's irssi-0.8.21. I'll need to check if other distros have any patches for the one that is failing.
See Also: (none) => http://bugs.debian.org/886475
I guess it's too early to assign to QA team, assigning to wally who is working on this.
CC: (none) => marja11
Assignee: bugsquad => jani.valimaa
We don't need to update it for Mageia 5 at this point, but if you're able to check patches for it into SVN, that'd be nice just in case anyone wants to build it for themselves.
Ubuntu has issued an advisory for this on January 10: https://usn.ubuntu.com/usn/usn-3527-1/ You can get patches for 0.8.x from them.
Severity: normal => major
Added patches from Ubuntu to mga5's irssi 0.8.21. Pushed new release to core/updates_testing.
SRPMS:
irssi-0.8.21-1.4.mga5
RPMS:
irssi-0.8.21-1.4.mga5
irssi-devel-0.8.21-1.4.mga5
irssi-perl-0.8.21-1.4.mga5
Assignee: jani.valimaa => qa-bugs
Mageia 6 :: x86_64 Updated the three packages and used irssi to attend the QA meeting. Running well, as always.
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
CC: (none) => tarazed25
I don't think we're supposed to be pushing Mageia 5 updates at this point beyond Spectre/Meltdown-related updates, but the Mageia 5 build can be used by those still on 5 while it's still there.

Advisory:
========================

Updated irssi packages fix security vulnerabilities:

Joseph Bisch discovered that Irssi incorrectly handled incomplete escape codes. If a user were tricked into using malformed commands or opening malformed files, an attacker could use this issue to cause Irssi to crash, resulting in a denial of service (CVE-2018-5205).

Joseph Bisch discovered that Irssi incorrectly handled setting the channel topic without specifying a sender. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service (CVE-2018-5206).

Joseph Bisch discovered that Irssi incorrectly handled incomplete variable arguments. If a user were tricked into using malformed commands or opening malformed files, an attacker could use this issue to cause Irssi to crash, resulting in a denial of service (CVE-2018-5207).

Joseph Bisch discovered that Irssi incorrectly handled completing certain strings. An attacker could use this issue to cause Irssi to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2018-5208).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5205
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5206
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5208
https://usn.ubuntu.com/usn/usn-3527-1/
CC: (none) => luigiwalser
Thanks Len. Advisory done from comments 2, 7, 9; for both releases.

(In reply to David Walser from comment #9)
> I don't think we're supposed to be pushing Mageia 5 updates at this point
> beyond Spectre/Meltdown-related updates, but the Mageia 5 build can be used
> by those still on 5 while it's still there.

I am happy to do the Mageia 5 test, as the update is there.
CC: (none) => lewyssmith
Keywords: (none) => advisory
Installed and tested without issues.

System: Mageia 6, x86_64, Intel CPU.

Tests included general IRC stuff, file transfers and general time wasting chats.

$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ journalctl -xb | grep -o install.*.*irss.*success | sort -u
install irssi-1.0.6-1.mga6.x86_64: success
install irssi-perl-1.0.6-1.mga6.x86_64: success
CC: (none) => mageia
Testing M5 x64

BEFORE update:
irssi-0.8.21-1.3.mga5
irssi-perl-0.8.21-1.3.mga5
known to work.

AFTER update:
irssi-0.8.21-1.4.mga5
irssi-perl-0.8.21-1.4.mga5

$ irssi
fires up the curses screen. /help shows all the possible commands; /help <command> gives details. I did /server irc.freenode.net, /nick to give myself a nickname, /join #mageia-qa did just that, showing MOTD, logged-in users etc. Send a line, /part, /quit all works as expected.
This looks an application to remember for 'curses' testing. OKing & validating.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0069.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED