[arch-security] [Arch Linux Security Advisory ASA-201411-5] konversation: denial of service
anthraxx at archlinux.org
Sun Nov 9 06:31:47 UTC 2014
Arch Linux Security Advisory ASA-201411-5
Date : 2014-11-09
CVE-ID : CVE-2014-8483
Package : konversation
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE-2014
The package konversation before version 1.5.1-1 is vulnerable to denial
Upgrade to 1.5.1-1.
# pacman -Syu "konversation>=1.5.1-1"
The problem has been fixed upstream in version 1.5.1.
Konversation's Blowfish ECB encryption support assumes incoming blocks
to be the expected 12 bytes. The lack of a sanity check for the actual
size can cause a denial of service and an information leak to the local
When using Blowfish ECB encryption with another party (an IRC channel
or user), sending malformed blocks to konversation can result in a
crash or an information leak up to 11 bytes to the local user, due to
an out-of-bounds read on a heap-allocated array.
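The missing check described above, as an added example (not Konversation's own code): incoming ciphertext is accepted only as a non-empty whole number of 12-byte blocks before anything indexes into it, so a short or ragged payload is rejected instead of driving a read past the end of the buffer. The block size is the one the advisory states; the caller-supplied decryptBlock function stands in for the real cipher and is an assumption.

```cpp
#include <cstddef>
#include <functional>
#include <optional>
#include <string>
#include <vector>

// Block size stated in the advisory: decryption expects 12-byte blocks.
constexpr std::size_t kBlockSize = 12;

// Splits an incoming encrypted payload into fixed-size blocks.
// Returns std::nullopt unless the payload is a non-empty whole number of
// blocks, so a malformed payload never reaches the cipher. This is the
// sanity check whose absence the advisory describes: without it, code that
// copies kBlockSize bytes from the start of a short trailing chunk reads up
// to kBlockSize-1 bytes beyond the buffer.
std::optional<std::vector<std::string>> splitBlocks(const std::string& payload) {
    if (payload.empty() || payload.size() % kBlockSize != 0) {
        return std::nullopt;
    }
    std::vector<std::string> blocks;
    blocks.reserve(payload.size() / kBlockSize);
    for (std::size_t off = 0; off < payload.size(); off += kBlockSize) {
        // Bounded by the check above: every block is exactly kBlockSize bytes.
        blocks.push_back(payload.substr(off, kBlockSize));
    }
    return blocks;
}

// Decrypt-side guard: the per-block decryption routine (assumed, supplied by
// the caller) is only ever handed whole blocks. A rejected payload is
// reported as failure and plaintextOut is left untouched.
bool decryptPayload(const std::string& payload,
                    const std::function<std::string(const std::string&)>& decryptBlock,
                    std::string& plaintextOut) {
    const auto blocks = splitBlocks(payload);
    if (!blocks) {
        return false;
    }
    std::string plaintext;
    for (const auto& block : *blocks) {
        plaintext += decryptBlock(block);
    }
    plaintextOut = plaintext;
    return true;
}
```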