Slackware Linux update for irssi
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053 CVE-2018-7054 CVE-2019-5882 |
| CWE-ID | CWE-476 CWE-787 CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Slackware Linux Operating systems & Components / Operating system |
| Vendor | Slackware |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) NULL pointer dereference
EUVDB-ID: #VU10606
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7050
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a NULL pointer dereference when an "empty" nick has been observed. A remote attacker can use a broken ircd or control over the ircde and cause the service to crash.
Update the affected package irssi.
Vulnerable software versionsSlackware Linux: 14.0 - 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.478665
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Out-of-bounds write
EUVDB-ID: #VU10599
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7051
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an out-of-bounds write error when printing theme strings. A remote attacker can execute arbitrary code on the system.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package irssi.
Vulnerable software versionsSlackware Linux: 14.0 - 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.478665
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) NULL pointer dereference
EUVDB-ID: #VU10607
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7052
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a NULL pointer dereference when the number of windows exceed the available space. A remote attacker can cause a denial of service.
Update the affected package irssi.
Vulnerable software versionsSlackware Linux: 14.0 - 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.478665
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use-after-free error
EUVDB-ID: #VU10608
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7053
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a use-after-free when SASL messages are received in unexpected order. A remote attacker can use a non-conforming ircd, trigger memory corruption and execute arbitrary code on the system.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package irssi.
Vulnerable software versionsSlackware Linux: 14.0 - 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.478665
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free error
EUVDB-ID: #VU10609
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7054
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness is due to a use-after-free when server is disconnected during netsplits. A remote attacker can trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package irssi.
Vulnerable software versionsSlackware Linux: 14.0 - 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.478665
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free
EUVDB-ID: #VU16953
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5882
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct DoS attack.
The vulnerability exists due to a use-after-free error when hidden lines are expired from the scroll buffer. A remote attacker can trigger memory corruption and cause the service to crash.
MitigationUpdate the affected package irssi.
Vulnerable software versionsSlackware Linux: 14.0 - 14.2
External linkshttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2019&m=slackware-security.478665
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
