Bug 8044 - Fix a security problem of buffer overflow when decoding IRC colors in strings.
: Fix a security problem of buffer overflow when decoding IRC colors in strings.
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: https://savannah.nongnu.org/bugs/?37704
: has_procedure mga2-64-OK, MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-11-11 14:45 CET by Funda Wang
Modified: 2012-11-17 17:25 CET (History)
4 users (show)

See Also:
Source RPM: weechat-0.3.6-3.1.mga2
CVE:
Status comment:


Attachments

Description Funda Wang 2012-11-11 14:45:41 CET
A buffer overflow is causing a crash or freeze of WeeChat (0.36 to 0.39) when decoding IRC colors in strings. The packages have been patched to fix this problem.

Relevant packages:
weechat-0.3.6-3.1.mga2
Comment 1 claire robinson 2012-11-11 18:37:24 CET
Is there a CVE for this Funda please?
Comment 2 Funda Wang 2012-11-11 23:40:40 CET
No at the moment. See: http://www.weechat.org/security/
Comment 3 David Walser 2012-11-12 14:10:53 CET
CVE requested on Saturday, should be a response here soon:
http://seclists.org/oss-sec/2012/q4/252
Comment 4 claire robinson 2012-11-13 10:36:22 CET
SRPM: weechat-0.3.6-3.1.mga2.src.rpm
------------------------------------
weechat-aspell
weechat-charset
weechat-debug
weechat-devel
weechat-lua
weechat-perl
weechat-python
weechat-ruby
weechat-tcl
weechat
Comment 5 David Walser 2012-11-13 12:28:36 CET
This is CVE-2012-5854.

http://seclists.org/oss-sec/2012/q4/268
Comment 6 claire robinson 2012-11-13 16:55:15 CET
Weechat is an irc client for the terminal

Start with 
$ weechat

Connect to freenode
/connect freenode

Set nick
/nick MrsBTest

Join QA
/join #mageia-qa


Not able to reproduce this and asking the devs on IRC got me nowhere so just checking the updated version seems to connect and join a channel.

Testing complete mga2 64
Comment 7 Marc Lattemann 2012-11-13 20:47:15 CET
basic functionality tested on mga2 i586 (connect and join channel...).

validate update

Suggested Advisory
==================
A buffer overflow is causing a crash or freeze of WeeChat (0.36 to 0.39) when
decoding IRC colors in strings. The packages have been patched to fix this
problem.

SRPM: weechat-0.3.6-3.1.mga2.src.rpm

Can sysadmin push packages to Updates? Thanks.
Comment 8 David Walser 2012-11-14 00:05:52 CET
Don't forget to include the CVE reference in the advisory.

It is CVE-2012-5854.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5854
https://savannah.nongnu.org/bugs/?37704
Comment 9 Thomas Backlund 2012-11-17 17:25:38 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0330

Note You need to log in before you can comment on or make changes to this bug.