Bug 26267 - weechat new security issue CVE-2020-8955
Summary: weechat new security issue CVE-2020-8955
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-27 22:52 CET by David Walser
Modified: 2020-03-06 17:15 CET

See Also:
Source RPM: weechat-2.4-2.mga7.src.rpm
CVE: CVE-2020-8955
Status comment: Patch available from upstream



Description David Walser 2020-02-27 22:52:56 CET
openSUSE has issued an advisory today (February 27):
https://lists.opensuse.org/opensuse-updates/2020-02/msg00095.html

The upstream commit that fixes the issue is linked from the SUSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=1163889

Mageia 7 is also affected.

David Walser 2020-02-27 22:53:16 CET

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Patch available from upstream

Comment 1 Lewis Smith 2020-02-28 18:56:36 CET
Assigning to Stig who has done the recent updates for this.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2020-02-28 21:14:08 CET
Weechat 2.7.1 has been pushed to Cauldron.

Comment 3 Stig-Ørjan Smelror 2020-02-28 21:18:58 CET
Advisory
========
Weechat has been updated to include a security fix.

CVE-2020-8955: irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2.7 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a malformed IRC message 324 (channel mode).

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2020-8955
https://lists.opensuse.org/opensuse-updates/2020-02/msg00095.html

Files
=====

Uploaded to core/updates_testing

weechat-2.4-2.1.mga7
weechat-perl-2.4-2.1.mga7
weechat-python-2.4-2.1.mga7
weechat-guile-2.4-2.1.mga7
weechat-tcl-2.4-2.1.mga7
weechat-ruby-2.4-2.1.mga7
weechat-lua-2.4-2.1.mga7
weechat-charset-2.4-2.1.mga7
weechat-aspell-2.4-2.1.mga7
weechat-devel-2.4-2.1.mga7

from weechat-2.4-2.1.mga7.src.rpm

Source RPM: weechat-2.7-2.mga8.src.rpm => weechat-2.4-2.mga7.src.rpm
Assignee: smelror => qa-bugs
CVE: (none) => CVE-2020-8955
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 4 Herman Viaene 2020-02-29 11:47:14 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug21802 Comment 4 and info in https://weechat.org/files/doc/stable/weechat_quickstart.en.html
I can connect to the #mageia-qa channel and post two lines. Nobody there to answer, so OK as far as I could.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 5 Thomas Andrews 2020-03-01 14:30:55 CET
Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-03-06 15:31:46 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2020-03-06 17:15:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0122.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

