SB2017030303 - Multiple vulnerabilities in Irssi
Published: March 3, 2017 Updated: July 23, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2017-5193)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a message without a nick.
2) Use-after-free (CVE-ID: CVE-2017-5194)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing an invalid nick message. A remote attackers can cause a denial of service (crash).
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
3) Out-of-bounds read (CVE-ID: CVE-2017-5195)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Irssi 0.8.17 before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted ANSI x8 color code.
4) Out-of-bounds read (CVE-ID: CVE-2017-5196)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Irssi 0.8.18 before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via vectors involving strings that are not UTF8.
5) Out-of-bounds read (CVE-ID: CVE-2017-5356)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Irssi before 0.8.21 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a string containing a formatting sequence (%[) without a closing bracket (]).
Remediation
Install update from vendor's website.
References
- http://www.openwall.com/lists/oss-security/2017/01/06/1
- http://www.securityfocus.com/bid/95310
- https://irssi.org/security/irssi_sa_2017_01.txt
- https://lists.debian.org/debian-lts-announce/2017/12/msg00022.html
- https://security.gentoo.org/glsa/201701-45
- http://www.openwall.com/lists/oss-security/2017/01/12/8
- http://www.openwall.com/lists/oss-security/2017/01/13/2
- http://www.securityfocus.com/bid/96581
- https://blog.fuzzing-project.org/55-Fuzzing-Irssi-with-Perl-Scripts.html