
[ASA-201710-30] irssi: multiple issues

2017-10-22 00:00:00
security.archlinux.org

CVSS2: 5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.011 Low
  Percentile: 84.6%

Arch Linux Security Advisory ASA-201710-30

Severity: High
Date : 2017-10-22
CVE-ID : CVE-2017-15227 CVE-2017-15228 CVE-2017-15721 CVE-2017-15722
CVE-2017-15723
Package : irssi
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-461

Summary

The package irssi before version 1.0.5-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution

Upgrade to 1.0.5-1.

pacman -Syu "irssi>=1.0.5-1"

The problems have been fixed upstream in version 1.0.5.

Workaround

None.

Description

  • CVE-2017-15227 (arbitrary code execution)

While waiting for the channel synchronization, Irssi < 1.0.5 may
incorrectly fail to remove destroyed channels from the query list,
resulting in use-after-free conditions when updating the state later
on. To be exploited, this issue requires a broken IRCd or control over
the IRCd.

  • CVE-2017-15228 (denial of service)

When installing themes with unterminated colour formatting sequences,
Irssi < 1.0.5 may access data beyond the end of the string.

  • CVE-2017-15721 (denial of service)

Certain incorrectly formatted DCC CTCP messages could cause a
NULL-pointer dereference in Irssi < 1.0.5. This is a separate but
similar issue to CVE-2017-9468. To be exploited, this issue requires a
broken IRCd or control over the IRCd.

  • CVE-2017-15722 (denial of service)

In certain cases Irssi may fail to verify that a Safe channel ID is
long enough, causing reads beyond the end of the string. To be
exploited, this issue requires a broken IRCd or control over the IRCd.

  • CVE-2017-15723 (denial of service)

Overlong nicks or targets may result in a NULL-pointer dereference in
Irssi >= 0.8.17 and < 1.0.5 while splitting the message. Most IRC
servers typically have length limits in place that would prevent this
issue.
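
The length check whose absence CVE-2017-15722 describes, shown as an added illustration that is not irssi's code or the upstream patch. It assumes the RFC 2811 Safe channel layout ("!" followed by a 5-character ID of A-Z/0-9, then the short name); the function name safe_channel_short_name is hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

#define SAFE_ID_LEN 5  /* RFC 2811: channelid = 5( A-Z / 0-9 ) */

/* Hypothetical helper (not irssi's API): return the short name that
 * follows "!" and the 5-character channel ID, or NULL when the input
 * is not a well-formed Safe channel name. */
const char *safe_channel_short_name(const char *name)
{
    size_t i;

    if (name == NULL || name[0] != '!')
        return NULL;

    /* Validate each ID byte in order. A NUL terminator fails the
     * character test, so the loop stops at the end of a short string
     * instead of stepping over it, which is what an unchecked
     * `name + 1 + SAFE_ID_LEN` would do. */
    for (i = 1; i <= SAFE_ID_LEN; i++) {
        char c = name[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')))
            return NULL;
    }

    /* A Safe channel with an empty short name is rejected as well. */
    if (name[1 + SAFE_ID_LEN] == '\0')
        return NULL;

    return name + 1 + SAFE_ID_LEN;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "!ABCDEchat", "!AB", "!", "#chat", "!ABCDE" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = safe_channel_short_name(samples[i]);
        printf("%-12s -> %s\n", samples[i], s ? s : "(rejected)");
    }
    return 0;
}
```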

Impact

A remote attacker can cause a denial of service by sending crafted IRC
messages, or by tricking the user into installing a crafted theme. A
remote attacker in control of the IRCd to which the user is connected,
or in a man-in-the-middle position, might be able to execute arbitrary
code on the affected host.

References

https://irssi.org/security/irssi_sa_2017_10.txt
https://github.com/irssi/irssi/commit/49ace3251b79a9e97c6e4d0bc640f9143dc71b90
https://github.com/irssi/irssi/commit/2edd816e7db13b4ac0b20df9bf7fe55ee7718215
https://github.com/irssi/irssi/commit/00c80cb6fcca40cfc421fe3fc181115ac4907191
https://github.com/irssi/irssi/commit/9f0dc4766c7aa80e34aa2cde94323fb49971abdf
https://github.com/irssi/irssi/commit/45dfe2ba3889c5dc23a9bea3214f158cc651a043
https://github.com/irssi/irssi/commit/0840eaec7bf56740029aae614e393f8cf76f6946
https://security.archlinux.org/CVE-2017-15227
https://security.archlinux.org/CVE-2017-15228
https://security.archlinux.org/CVE-2017-15721
https://security.archlinux.org/CVE-2017-15722
https://security.archlinux.org/CVE-2017-15723

OS         Version  Architecture  Package  Version    Filename
ArchLinux  any      any           irssi    < 1.0.5-1  UNKNOWN
