Re: CVE Request: irssi: information disclosure vulnerabilit in buf.pl

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> An information disclosure vulnerability in the buf.pl script
>
> https://irssi.org/2016/09/22/buf.pl-update/
> https://bugs.debian.org/838762
> https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a

> > > This patch sets a safer umask of 077 for the scrollbuffer dump, and will
> > > remove the temporary file after use to further reduce the attack surface.

> > Other users on the same machine may be able to retrieve the whole
> > window contents after /UPGRADE when the buf.pl script is loaded.
> > Furthermore, this dump of the windows contents is never removed
> > afterwards.
> >
> > Since buf.pl is also an Irssi core script and we recommended its use
> > to retain your window content, many people could potentially be
> > affected by this.

> > buf.pl restores the scrollbuffer between upgrades by writing the
> > contents to a file, and reading that after the new process was
> > spawned. Through that file, the contents of (private) chat
> > conversations may leak to other users.
> >
> > Mitigating facts
> >
> > Careful users with a limited umask (e.g. 077) are not affected by this
> > bug.  However, most Linux systems default to a umask of 022, meaning
> > that files written without further restricting the permissions, are
> > readable by any user.

Use CVE-2016-7553.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX6LTCAAoJEHb/MwWLVhi2zq8P/jv2PkFRxBcw1jgDgBMydNuc
+50A3BrF0Uj83eta6SaLs/oh794JIPBAK4oLo4qQ4y1wF/BTHHH3euawbh+OwTYU
Uz2LN6tCne6lc/Aig0qdbzrTAYVaLiHX5q7LTP34N7yrVfxtKhoxN15wePu+i4I1
uWmu7UfmowJrORf1hOQajrLtYXgowVpXFjCSju7ZedvM6vJ4yEUFym+UHh+Smasv
tLfTDDdyvquKKdyKNKpbTYjvaS5YB109a4+doacyziBbnXH3PR8P97ZiNK6MrBs4
dfwSV+gfdoTEAyHqg5k49G/EEWM5TgxIPz9ve5SZkTmKLQZ0irWEQOekeTy0Z2XL
nkqu8Ns/mPMe0wP1yvo5NXo8m8aoPpvhuZBxdLU+oHPFM4USn3N00N23qx8Al7VG
cYblMi1b/+w9gzGbV7JpyESDyf2e1eYMt96Lqi5Rv5WzOp0vLlFzJBDGn1fvr7ci
QUldD1AMQ8eqkaYcNJ1tq+4uydDj/Vh8huc/HxDS02Bevma4Kx/xHriX8c7nS0Yp
+gvhxU+xOK56M0Ab2JgcI/Q65He1O3VVrlbpIlPZRv8kPIn61IrYZSW0A25DcFcm
eF8SKi8i1u9/kXZayDAve+aspQfaYwozABrqI5V+b3KHSs/jo/7JThMqk1/5g4XY
oG0zGz58jhOzLNlu3Hgs
=g0/I
-----END PGP SIGNATURE-----