[ASA-201802-8] irssi: multiple issues
Arch Linux Security Advisory ASA-201802-8 ========================================= Severity: High Date : 2018-02-15 CVE-ID : CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053 CVE-2018-7054 Package : irssi Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-616 Summary ======= The package irssi before version 1.1.1-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and denial of service. Resolution ========== Upgrade to 1.1.1-1. # pacman -Syu "irssi>=1.1.1-1" The problems have been fixed upstream in version 1.1.1. Workaround ========== None. Description =========== - CVE-2018-7050 (arbitrary code execution) An issue was discovered in Irssi before 1.1.1. A NULL pointer dereference occurs for an "empty" nick. - CVE-2018-7051 (information disclosure) An issue was discovered in Irssi before 1.1.1. Certain nick names could result in out-of-bounds access when printing theme strings. - CVE-2018-7052 (denial of service) An issue was discovered in Irssi before 1.1.1. When the number of windows exceeds the available space, a crash due to a NULL pointer dereference would occur. - CVE-2018-7053 (arbitrary code execution) An issue was discovered in Irssi before 1.1.1. There is a use-after- free when SASL messages are received in an unexpected order. - CVE-2018-7054 (arbitrary code execution) An issue was discovered in Irssi before 1.1.1. There is a use-after- free when a server is disconnected during netsplits. Impact ====== A remote attacker is able to crash the application, execute arbitrary code or read memory via a malicious server or by tricking a user to use malicious commands. References ========== https://irssi.org/security/irssi_sa_2018_02.txt https://security.archlinux.org/CVE-2018-7050 https://security.archlinux.org/CVE-2018-7051 https://security.archlinux.org/CVE-2018-7052 https://security.archlinux.org/CVE-2018-7053 https://security.archlinux.org/CVE-2018-7054
participants (1)
-
Santiago Torres-Arias