Lucene search

ArchLinuxASA-201706-11

HistoryJun 12, 2017 - 12:00 a.m.

[ASA-201706-11] irssi: denial of service

2017-06-1200:00:00

security.archlinux.org

0.011 Low

EPSS

Percentile

84.5%

JSON

Arch Linux Security Advisory ASA-201706-11

Severity: Medium
Date : 2017-06-12
CVE-ID : CVE-2017-9468 CVE-2017-9469
Package : irssi
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-293

Summary

The package irssi before version 1.0.3-1 is vulnerable to denial of
service.

Resolution

Upgrade to 1.0.3-1.

pacman -Syu “irssi>=1.0.3-1”

The problems have been fixed upstream in version 1.0.3.

Workaround

None.

Description

CVE-2017-9468 (denial of service)

In Irssi before 1.0.3, when receiving a DCC message without source
nick/host, it attempts to dereference a NULL pointer. Thus, remote IRC
servers can cause a crash.

CVE-2017-9469 (denial of service)

In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC
files, it tries to find the terminating quote one byte before the
allocated memory. Thus, remote attackers might be able to cause a
crash.

Impact

A remote attacker can cause a denial of service by sending a crafted
DCC message.

References

https://github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612301ad55
http://openwall.com/lists/oss-security/2017/06/06/4
https://irssi.org/security/irssi_sa_2017_06.txt
https://security.archlinux.org/CVE-2017-9468
https://security.archlinux.org/CVE-2017-9469

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyirssi< 1.0.3-1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ArchLinux	any	any	irssi	< 1.0.3-1	UNKNOWN

References

openwall.com/lists/oss-security/2017/06/06/4

github.com/irssi/irssi/commit/fb08fc7f1aa6b2e616413d003bf021612301ad55

irssi.org/security/irssi_sa_2017_06.txt

security.archlinux.org/AVG-293

security.archlinux.org/CVE-2017-9468

security.archlinux.org/CVE-2017-9469

0.011 Low

EPSS

Percentile

84.5%

JSON

Related for ASA-201706-11