Advisory ROSA-SA-2021-1856

Software: irssi 0.8.15
OS: Cobalt 7.9

CVE-ID: CVE-2017-15227
CVE-Crit: HIGH
CVE-DESC: Irssi before 1.0.5 may erroneously fail to remove destroyed channels from the request list when waiting for channel synchronization, resulting in post-release usage conditions on subsequent status updates.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-15228
CVE-Crit: HIGH
CVE-DESC: Irssi before 1.0.5 when installing themes with incomplete color formatting sequences can access data beyond the end of the line.
CVE-STATUS: Default
CVE-REV: default

CVE-ID: CVE-2017-15721
CVE-Crit: HIGH
CVE-DESC: In Irssi before 1.0.5, some incorrectly formatted DCC CTCP messages could cause null pointer dereferencing. This is a separate but similar issue to CVE-2017-9468.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-15722
CVE-Crit: MEDIUM
CVE-DESC: In some cases, Irssi before 1.0.5 may fail to check if the secure channel ID is long enough, resulting in a read beyond the end of the line.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-15723
CVE-Crit: HIGH
CVE-DESC: In Irssi before 1.0.5, excessively long gaps or targets can cause a null pointer to be dereferenced when splitting a message.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2017-7191
CVE-Crit: CRITICAL
CVE-DESC: netjoin handling in Irssi 1.x before 1.0.2 allows attackers to cause a denial of service (post-release usage) and possibly execute arbitrary code via undefined vectors.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-5205
CVE-Crit: HIGH
CVE-DESC: When using incomplete escape codes, Irssi before 1.0.6 can access data beyond the end of the line.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-5206
CVE-Crit: CRITICAL
CVE-DESC: If the channel topic is set without specifying a sender, Irssi before version 1.0.6 may dereference a null pointer.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-5207
CVE-Crit: HIGH
CVE-DESC: When using an incomplete variable argument, Irssi before 1.0.6 can access data beyond the end of the line.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-5208
CVE-Crit: CRITICAL
CVE-DESC: In Irssi before 1.0.6, a calculation error in the completion code could cause a heap buffer overflow on completion of certain lines.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-7050
CVE-Crit: HIGH
CVE-DESC: The issue was found in Irssi before 1.0.7 and 1.1.x before 1.1.1. A null pointer dereference occurs for an “empty” nickname.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-7051
CVE-Crit: HIGH
CVE-DESC: An issue was found in Irssi before 1.0.7 and 1.1.x before 1.1.1. Certain aliases can cause access denied when printing subject lines.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-7052
CVE-Crit: HIGH
CVE-DESC: An issue was found in Irssi before 1.0.7 and 1.1.x before 1.1.1. When the number of windows exceeds the available space, a crash will occur due to NULL pointer dereferencing.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-7053
CVE-Crit: CRITICAL
CVE-DESC: The issue was found in Irssi before 1.0.7 and 1.1.x before 1.1.1. When SASL messages are received in an unexpected order, there is a post-release usage mode.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2018-7054
CVE-Crit: CRITICAL
CVE-DESC: The issue was found in Irssi before 1.0.7 and 1.1.x before 1.1.1. When the server is down during netsplits, there is a use-after-free mode. NOTE: this issue occurs due to an incomplete fix for CVE-2017-7191.
CVE-STATUS: default
CVE-REV: default