Your message dated Sun, 12 Nov 2017 15:33:02 +0000
with message-id <[email protected]>
and subject line Bug#879521: fixed in irssi 1.0.2-1+deb9u3
has caused the Debian Bug report #879521,
regarding irssi: multiple vulnerabilities fixed in irssi 1.0.5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
879521: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879521
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: irssi
Severity: grave
Tags: security
Justification: user security hole

Hi,

irssi 1.0.5 has been released, fixing multiple vulnerabilities:

(a) When installing themes with unterminated colour formatting sequences,
    Irssi may access data beyond the end of the string. (CWE-126)
    Found by Hanno Böck.
    CVE-2017-15228 was assigned to this issue.

(b) While waiting for the channel synchronisation, Irssi may incorrectly
    fail to remove destroyed channels from the query list, resulting in
    use after free conditions when updating the state later on.
    Found by Joseph Bisch. (CWE-416 caused by CWE-672)
    CVE-2017-15227 was assigned to this issue.

(c) Certain incorrectly formatted DCC CTCP messages could cause NULL
    pointer dereference. Found by Joseph Bisch. This is a separate, but
    similar issue to CVE-2017-9468. (CWE-690)
    CVE-2017-15721 was assigned to this issue.

(d) Overlong nicks or targets may result in a NULL pointer dereference
    while splitting the message. Found by Joseph Bisch. (CWE-690)
    CVE-2017-15723 was assigned to this issue.

(e) In certain cases Irssi may fail to verify that a Safe channel ID is
    long enough, causing reads beyond the end of the string.
    Found by Joseph Bisch. (CWE-126)
    CVE-2017-15722 was assigned to this issue.

Can you prepare updates for sid, stretch and jessie (please coordinate
with security team at [email protected] for the latter two)?

Please add CVE numbers to the changelog so we can track them easily.

Regards,
-- 
Yves-Alexis
Debian security team

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (450, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
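Items (a) and (e) in the report above are both CWE-126 reads past the end of a string, and both have the same mitigation: every scan of a formatting sequence or channel name has to be bounded by the number of bytes actually present, and a sequence or ID cut short by the end of the buffer has to be reported rather than skipped over. The following C is an added illustration of that discipline written for this page; it is not irssi's code. The `%X` / `%{...}` sequence syntax, the function names and the sample inputs are constructed for the example; the "!" plus 5-character safe-channel ID rule is the one from RFC 2811.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical formatting syntax for this example (NOT irssi's theme format):
 *   "%X"     a single-character colour code, 2 bytes long
 *   "%{...}" a bracketed sequence that runs until the closing '}'
 * Every read below is bounded by `len`, the bytes actually available from
 * `s`, so a sequence cut off by the end of the buffer is reported as
 * unterminated (0) instead of being scanned past the end (CWE-126). */
size_t format_seq_len(const char *s, size_t len)
{
    if (len < 2 || s[0] != '%')
        return 0;                       /* need "%" plus at least one byte */
    if (s[1] != '{')
        return 2;                       /* "%X" */
    for (size_t i = 2; i < len; i++)    /* "%{...}": look for the close */
        if (s[i] == '}')
            return i + 1;
    return 0;                           /* ran into end of buffer: unterminated */
}

/* Copy `in` to `out` with complete formatting sequences removed. Processing
 * stops at an unterminated trailing sequence rather than reading past
 * in_len. `out` is always NUL-terminated; returns the bytes written. */
size_t strip_formatting(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t o = 0;
    if (out_cap == 0)
        return 0;
    for (size_t i = 0; i < in_len;) {
        if (in[i] == '%') {
            size_t n = format_seq_len(in + i, in_len - i);
            if (n == 0)
                break;                  /* unterminated: stop, do not overread */
            i += n;
            continue;
        }
        if (o + 1 >= out_cap)
            break;                      /* keep room for the NUL */
        out[o++] = in[i++];
    }
    out[o] = '\0';
    return o;
}

/* Convenience wrapper: strip `in` and compare the result with `expected`. */
bool stripped_equals(const char *in, const char *expected)
{
    char buf[256];
    strip_formatting(in, strlen(in), buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* RFC 2811 safe channels are named "!" + a 5-character channel ID + name.
 * Return the name after the ID, or NULL when the string is too short to
 * contain one. Checking the length before skipping the ID is the whole
 * mitigation for the class of bug described in item (e) above. */
#define SAFE_CHANNEL_ID_LEN 5
const char *safe_channel_name_after_id(const char *chan, size_t len)
{
    if (len < 1 + SAFE_CHANNEL_ID_LEN || chan[0] != '!')
        return NULL;
    return chan + 1 + SAFE_CHANNEL_ID_LEN;
}

int main(void)
{
    /* Constructed sample inputs, including the unterminated cases. */
    const char *samples[] = { "hi %3there%{bold}!", "abc%{", "trailing %" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        strip_formatting(samples[i], strlen(samples[i]), buf, sizeof buf);
        printf("\"%s\" -> \"%s\"\n", samples[i], buf);
    }
    const char *rest = safe_channel_name_after_id("!ABCDEfoo", 9);
    printf("safe channel name: %s\n", rest ? rest : "(too short)");
    printf("short input: %s\n",
           safe_channel_name_after_id("!ABC", 4) ? "bug" : "(too short)");
    return 0;
}
```

The point of passing `len` everywhere instead of relying on the NUL terminator is that theme files and IRC messages arrive as untrusted bytes whose terminator may be exactly what is missing; a caller that gets 0 or NULL back can reject the input, whereas a scanner that trusts `s[1]` to exist after `s[0] == '%'` has already read past the end.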
--- Begin Message ---
Source: irssi
Source-Version: 1.0.2-1+deb9u3

We believe that the bug you reported is fixed in the latest version of
irssi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated irssi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Nov 2017 23:00:22 +0100
Source: irssi
Binary: irssi irssi-dev
Architecture: source
Version: 1.0.2-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Rhonda D'Vine <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 879521
Description:
 irssi      - terminal based IRC client
 irssi-dev  - terminal based IRC client - development files
Changes:
 irssi (1.0.2-1+deb9u3) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Address IRSSI-SA-2017-10.
     - CVE-2017-15228: Unterminated colour formatting sequences may cause
       data access beyond the end of the buffer.
     - CVE-2017-15227: Failure to remove destroyed channels from the query
       list while waiting for the channel synchronisation may result in use
       after free conditions when updating the state later on.
     - CVE-2017-15721: Certain incorrectly formatted DCC CTCP messages could
       cause NULL pointer dereference.
     - CVE-2017-15723: Overlong nicks or targets may result in a NULL pointer
       dereference while splitting the message.
     - CVE-2017-15722: Read beyond end of buffer may occur if a Safe channel
       ID is not long enough.
     (Closes: #879521)
Checksums-Sha1:
 8c2eaba7e87cc4e998b73e0d7f8b6943a07478a0 2093 irssi_1.0.2-1+deb9u3.dsc
 9e6660d6f8eb105cd84fc51e0467f46b799583bd 23200 irssi_1.0.2-1+deb9u3.debian.tar.xz
Checksums-Sha256:
 879138ebd05e9e853357979b7791c43ae76586686e6de8d870b7a8ab1f4ea50a 2093 irssi_1.0.2-1+deb9u3.dsc
 f7a205277275b7ac03d7a05743ee8df841955c8287802c0b2f38d321b4cc0dc5 23200 irssi_1.0.2-1+deb9u3.debian.tar.xz
Files:
 8874e4e0bdbd1dc82b2cf12289d5d0ab 2093 net optional irssi_1.0.2-1+deb9u3.dsc
 113bb55eb6aeaaf879032cb4c8c7f7dc 23200 net optional irssi_1.0.2-1+deb9u3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAln6RRpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ELIwP/3tGeLtprSCeaXwFGp3pSJbEQdtW8B8k
/XaIhmNbMx0fXoLQkp9fv6O/4KFCYEtK94L/p4xIGW1PNkXIpor9S2KUIJSFGZmS
0qvB3A97/y6qWorJI2yFJAA0Derg5tuohZg3fGEA9g38/b5t2wzGNSEHzVW0WiPp
v9fGGDkW00uG76v1VuQ5dVz7pseLxqvIJnW8GWO5ZsKRMCSRC2G+Sy6/MbRvbxq3
R73mCjyfRGT6TMcvnnPb9mJx4x+nnT47FDi3yuGVUWgVu0TAE1uhGWXsNx8M+PIr
DTXpAQGPgd8iAbbVVJO0Mkfe9PhT1hnfYKUzdCBu1rhubl/en/f3hpuXG7xRCHNp
6Pp265SNgzgTclYFIA89+daMBxHXWf+I9AQA7wDNMydnoM+2EYYdTjyA6dhXcn15
M7cgbeByZW0KtB3O5SOhyYhGiIeTPForW3psDbsiaJo9IiD6MzJQieJz/1S5pDTw
tqy0Us8yhCBhOF7DX5RzIVyWB/gN4us32eViVk2bs4hg1j336LIKa1FoqsDS2RUr
dajAWPQ60UmRvUe8Nmnr+VxvTCvb3iFVEhjY1hKSwM9e90rD9mR2zhomJMAAaVVK
MgpFghBtt1QssIKHC00mxd0nVGBXaknMzKhayXvM8BAcOOdJoe2w30nT1fegM02+
BnZq06AGHTGQ
=6Wv0
-----END PGP SIGNATURE-----
--- End Message ---

