Bug 219827

Summary:

irc/irssi: Update to 1.0.3 (security fixes)

Product:

Ports & Packages

Reporter:

VK <vlad-fbsd>

Component:

Individual Port(s)

Assignee:

VK <vlad-fbsd>

Status:

Closed FIXED

Severity:

Affects Some People

CC:

dor.bsd, ports-secteam

Priority:

---

Keywords:

patch, security

Version:

Latest

Flags:

dor.bsd: maintainer-feedback+
vlad-fbsd: merge-quarterly?

Hardware:

Any

OS:

Any

URL:

https://irssi.org/security/irssi_sa_2017_06.txt

Attachments:

Description	Flags
Update irssi to 1.0.3	vlad-fbsd: maintainer-approval+

Description VK 2017-06-06 22:30:58 UTC

Created attachment 183274 [details]
Update irssi to 1.0.3

Two vulnerabilities have been located in Irssi.

(a) When receiving a DCC message without source nick/host, Irssi would
    attempt to dereference a NULL pointer. Found by Joseph
    Bisch. (CWE-690)

(b) When receiving certain incorrectly quoted DCC files, Irssi would
    try to find the terminating quote one byte before the allocated
    memory. Found by Joseph Bisch. (CWE-129, CWE-127)

* Patch:
  https://github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612301ad55

* SA:
  https://irssi.org/security/irssi_sa_2017_06.txt

1.0.3 also includes changes:

v1.0.3 2017-06-06  The Irssi team <staff@irssi.org>
	- Fix out of bounds read when scanning expandos (GL!11).
	- Fix invalid memory access with quoted filenames in DCC
	  (GL#8, GL!12).
	- Fix null-pointer dereference on DCC without address (GL#9, GL!13).
	- Improve integer overflow handling. Originally reported by
          oss-fuzz#525 (#706).
	- Improve nicklist performance from O(N^2) to O(N) (#705).
	- Fix initial screen redraw delay. By Stephen Oberholtzer
	  (#680, bdo#856201).
	- Fix incorrect reset of true colours when resetting background. (#711).
	- Fix missing -notls option in /SERVER. By Jari Matilainen (#117, #702).
	- Fix minor history glitch on overcounter (#462, #685).
	- Improved OpenSSL detection at compile time. By Rodrigo Rebello (#677).
	- Improved NetBSD Terminfo detection. By Maya Rashish (#694, #698).
	- Add missing syntax info for COMPLETION (#687, #688).
        - Minor typo correction in help. By Michael Hansen (#707).

Attached patch builds fine with Poudriere on 11.0, amd64. Run tested with my usual usage pattern.

Comment 1 VK 2017-06-07 12:57:24 UTC

CVEs assigned:

(a) CVE-2017-9468
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9468

(b) CVE-2017-9469
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9469

Comment 2 David O'Rourke 2017-06-08 11:24:17 UTC

Comment on attachment 183274 [details]
Update irssi to 1.0.3

Patch has maintainer approval.

Comment 3 VK 2017-06-08 11:34:01 UTC

Comment on attachment 183274 [details]
Update irssi to 1.0.3

Setting the approval flag on the attachment on behalf of the maintainer, because bugzilla didn't honor my initial requestee field, saw it just now.

Thanks.

Comment 4 VK 2017-06-08 12:15:57 UTC

Independently fixed in r442895.

* https://svnweb.freebsd.org/ports?view=revision&revision=442895