Lucene search

ArchLinuxASA-201802-8

HistoryFeb 15, 2018 - 12:00 a.m.

[ASA-201802-8] irssi: multiple issues

2018-02-1500:00:00

security.archlinux.org

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

73.4%

JSON

Arch Linux Security Advisory ASA-201802-8

Severity: High
Date : 2018-02-15
CVE-ID : CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053
CVE-2018-7054
Package : irssi
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-616

Summary

The package irssi before version 1.1.1-1 is vulnerable to multiple
issues including arbitrary code execution, information disclosure and
denial of service.

Resolution

Upgrade to 1.1.1-1.

pacman -Syu “irssi>=1.1.1-1”

The problems have been fixed upstream in version 1.1.1.

Workaround

None.

Description

CVE-2018-7050 (arbitrary code execution)

An issue was discovered in Irssi before 1.1.1. A NULL pointer
dereference occurs for an “empty” nick.

CVE-2018-7051 (information disclosure)

An issue was discovered in Irssi before 1.1.1. Certain nick names could
result in out-of-bounds access when printing theme strings.

CVE-2018-7052 (denial of service)

An issue was discovered in Irssi before 1.1.1. When the number of
windows exceeds the available space, a crash due to a NULL pointer
dereference would occur.

CVE-2018-7053 (arbitrary code execution)

An issue was discovered in Irssi before 1.1.1. There is a use-after-
free when SASL messages are received in an unexpected order.

CVE-2018-7054 (arbitrary code execution)

An issue was discovered in Irssi before 1.1.1. There is a use-after-
free when a server is disconnected during netsplits.

Impact

A remote attacker is able to crash the application, execute arbitrary
code or read memory via a malicious server or by tricking a user to use
malicious commands.

References

https://irssi.org/security/irssi_sa_2018_02.txt
https://security.archlinux.org/CVE-2018-7050
https://security.archlinux.org/CVE-2018-7051
https://security.archlinux.org/CVE-2018-7052
https://security.archlinux.org/CVE-2018-7053
https://security.archlinux.org/CVE-2018-7054

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyirssi< 1.1.1-1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ArchLinux	any	any	irssi	< 1.1.1-1	UNKNOWN

References

irssi.org/security/irssi_sa_2018_02.txt

security.archlinux.org/AVG-616

security.archlinux.org/CVE-2018-7050

security.archlinux.org/CVE-2018-7051

security.archlinux.org/CVE-2018-7052

security.archlinux.org/CVE-2018-7053

security.archlinux.org/CVE-2018-7054

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.004 Low

EPSS

Percentile

73.4%

JSON

Related for ASA-201802-8