Main Vulnerability Database SB2017071010

SB2017071010 - Fedora 26 update for irssi

Published: July 10, 2017 Updated: April 24, 2025

Security Bulletin ID SB2017071010

CSH Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 vulnerabilities.

1) NULL pointer dereference (CVE-ID: CVE-2017-10965)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference error when parsing messages with invalid time stamps in Irssi. A remote attacker can send a specially crafted message and crash the affected server.

2) Use-after-free (CVE-ID: CVE-2017-10966)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to use-after-free error when incorrectly using GHashTable interface while updating internal nick list. A remote unauthenticated attacker can create a specially crafted nick name and crash the affected server or execute arbitrary code.

Successful exploitation of the vulnerability may result in remote code execution.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2017-114e1abf9d