SB2016092242 - Fedora 24 update for irssi
Published: September 22, 2016 Updated: April 24, 2025
Security Bulletin ID
SB2016092242
CSH Severity
High
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Arbitrary code execution (CVE-ID: CVE-2016-7044)
CWE-ID: CWE-126 - Buffer over-read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote user to cause arbitrary code execution on the target system.
The weakness exists due to input validation error. Having tricked the victim into loading specially crafted file attackers can invoke a buffer overflow in format_send_to_gui() and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
2) Arbitrary code execution (CVE-ID: CVE-2016-7045)
CWE-ID: CWE-126 - Buffer over-read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote user to cause arbitrary code execution on the target system.
The weakness exists due to input validation error. Having tricked the victim into loading specially crafted file attackers can invoke a buffer overflow in unformat_24bit_color() and execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Remediation
Install update from vendor's website.