Bug 224954

Summary: irc/irssi: Update to 1.0.6 (security fixes)
Product: Ports & Packages Reporter: David O'Rourke <dor.bsd>
Component: Individual Port(s)Assignee: Danilo G. Baio <dbaio>
Status: Closed FIXED    
Severity: Affects Many People CC: dbaio
Priority: --- Flags: dor.bsd: maintainer-feedback+
dbaio: merge-quarterly+
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
Update irc/irssi port to 1.0.6 dor.bsd: maintainer-approval+

Description David O'Rourke 2018-01-06 19:01:41 UTC
Created attachment 189468 [details]
Update irc/irssi port to 1.0.6

Updates irssi to 1.0.6 to correct CVEs CVE-2018-5206,
CVE-2018-5205, CVE-2018-5208, CVE-2018-5207.

(a) When the channel topic is set without specifying a sender, Irssi
    may dereference NULL pointer. Found by Joseph Bisch. (CWE-476)

    CVE-2018-5206 was assigned to this issue.

(b) When using incomplete escape codes, Irssi may access data beyond
    the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5205 was assigned to this issue.

(c) A calculation error in the completion code could cause a heap
    buffer overflow when completing certain strings. (CWE-126) Found
    by Joseph Bisch.

    CVE-2018-5208 was assigned to this issue.

(d) When using an incomplete variable argument, Irssi may access data
    beyond the end of the string. (CWE-126) Found by Joseph Bisch.

    CVE-2018-5207 was assigned to this issue.

Upstream information about this is recorded at https://irssi.org/security/irssi_sa_2018_01.txt
Comment 1 commit-hook freebsd_committer 2018-01-06 20:44:10 UTC
A commit references this bug:

Author: dbaio
Date: Sat Jan  6 20:43:52 UTC 2018
New revision: 458288
URL: https://svnweb.freebsd.org/changeset/ports/458288

Log:
  security/vuxml: Document multiple vulnerabilities in irc/irssi

  Security:	CVE-2018-5205
  Security:	CVE-2018-5206
  Security:	CVE-2018-5207
  Security:	CVE-2018-5208

  PR:		224954
  Reported by:	tj@mrsk.me (email)
  Reported by:	David O'Rourke <dor.bsd@xm0.uk>

Changes:
  head/security/vuxml/vuln.xml
Comment 2 commit-hook freebsd_committer 2018-01-06 21:19:39 UTC
A commit references this bug:

Author: dbaio
Date: Sat Jan  6 21:18:41 UTC 2018
New revision: 458290
URL: https://svnweb.freebsd.org/changeset/ports/458290

Log:
  irc/irssi: Update to 1.0.6, Fixes multiple security vulnerabilities

  While here, update license and www.

  Changes:	https://raw.githubusercontent.com/irssi/irssi/1.0.6/NEWS

  PR:		224954
  Submitted by:	David O'Rourke <dor.bsd@xm0.uk> (maintainer)
  Reported by:	tj@mrsk.me (email)
  MFH:		2018Q1
  Security:	a3764767-f31e-11e7-95f2-005056925db4

Changes:
  head/irc/irssi/Makefile
  head/irc/irssi/distinfo
  head/irc/irssi/pkg-descr
Comment 3 commit-hook freebsd_committer 2018-01-06 21:22:53 UTC
A commit references this bug:

Author: dbaio
Date: Sat Jan  6 21:22:13 UTC 2018
New revision: 51368
URL: https://svnweb.freebsd.org/changeset/doc/51368

Log:
  Add David O'Rourke to contributors

  Maintainer of irc/irssi

  PR:		224954

Changes:
  head/en_US.ISO8859-1/articles/contributors/contrib.additional.xml
Comment 4 commit-hook freebsd_committer 2018-01-11 12:44:31 UTC
A commit references this bug:

Author: dbaio
Date: Thu Jan 11 12:43:54 UTC 2018
New revision: 458726
URL: https://svnweb.freebsd.org/changeset/ports/458726

Log:
  MFH: r458290

  irc/irssi: Update to 1.0.6, Fixes multiple security vulnerabilities

  While here, update license and www.

  Changes:	https://raw.githubusercontent.com/irssi/irssi/1.0.6/NEWS

  PR:		224954
  Submitted by:	David O'Rourke <dor.bsd@xm0.uk> (maintainer)
  Reported by:	tj@mrsk.me (email)
  Security:	a3764767-f31e-11e7-95f2-005056925db4

  Approved by:	ports-secteam (swills)

Changes:
_U  branches/2018Q1/
  branches/2018Q1/irc/irssi/Makefile
  branches/2018Q1/irc/irssi/distinfo
  branches/2018Q1/irc/irssi/pkg-descr
Comment 5 Danilo G. Baio freebsd_committer 2018-01-11 12:47:13 UTC
Committed, thanks!