220544 – irc/irssi: Update to 1.0.4 (security fixes)

Bug 220544 - irc/irssi: Update to 1.0.4 (security fixes)

Summary: irc/irssi: Update to 1.0.4 (security fixes)

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Mark Felder

URL:	https://irssi.org/security/irssi_sa_2...
Keywords:	patch, security

Depends on:
Blocks:

Reported:	2017-07-07 18:00 UTC by VK
Modified:	2017-07-08 14:15 UTC (History)
CC List:	3 users (show)

See Also:

Flags:	bugzilla: maintainer-feedback? (dor.bsd) feld: merge-quarterly+

Attachments
Update irssi to 1.0.4 (876 bytes, patch) 2017-07-07 18:00 UTC, VK	dor.bsd: maintainer-approval+	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description VK 2017-07-07 18:00:46 UTC

Created attachment 184158 [details]
Update irssi to 1.0.4

Two security vulnerabilities have been found in irssi, fixed in v1.0.4 (update patch attached):

* CVE-2017-10965

  When receiving messages with invalid time stamps, Irssi would try
  to dereference a NULL pointer. Found by Brian 'geeknik' Carpenter
  of Geeknik Labs. (CWE-690)

* CVE-2017-10966

  While updating the internal nick list, Irssi may incorrectly use
  the GHashTable interface and free the nick while updating it. This
  will then result in use-after-free conditions on each access of
  the hash table. Found by Brian 'geeknik' Carpenter of Geeknik
  Labs. (CWE-416 caused by CWE-227)

* SA:

  https://irssi.org/security/irssi_sa_2017_07.txt

Comment 1 VK 2017-07-07 18:01:29 UTC

Builds with Poudriere 11.1-RC1, 11.0, amd64. Running in production.

Comment 2 commit-hook freebsd_committer

2017-07-08 14:09:33 UTC

A commit references this bug:

Author: feld
Date: Sat Jul  8 14:09:13 UTC 2017
New revision: 445337
URL: https://svnweb.freebsd.org/changeset/ports/445337

Log:
  irc/irssi: Update to 1.0.4

  - Fixes two CVEs

  PR:		220544
  MFH:		2017Q3
  Security:	CVE-2017-10965
  Security:	CVE-2017-10966

Changes:
  head/irc/irssi/Makefile
  head/irc/irssi/distinfo

Comment 3 commit-hook freebsd_committer

2017-07-08 14:10:37 UTC

A commit references this bug:

Author: feld
Date: Sat Jul  8 14:09:52 UTC 2017
New revision: 445338
URL: https://svnweb.freebsd.org/changeset/ports/445338

Log:
  MFH: r445337

  irc/irssi: Update to 1.0.4

  - Fixes two CVEs

  PR:		220544
  Security:	CVE-2017-10965
  Security:	CVE-2017-10966

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2017Q3/
  branches/2017Q3/irc/irssi/Makefile
  branches/2017Q3/irc/irssi/distinfo

Comment 4 commit-hook freebsd_committer

2017-07-08 14:15:43 UTC

A commit references this bug:

Author: feld
Date: Sat Jul  8 14:15:25 UTC 2017
New revision: 445339
URL: https://svnweb.freebsd.org/changeset/ports/445339

Log:
  Document irssi vulnerabilities

  PR:		220544
  Security:	CVE-2017-10965
  Security:	CVE-2017-10966

Changes:
  head/security/vuxml/vuln.xml

Comment 5 Mark Felder freebsd_committer

2017-07-08 14:15:49 UTC

committed, MFH, and vuxml updated.


Thanks!