oss-sec mailing list archives

Re: CVE request: irssi 0.8.15


From: Wouter Coekaerts <coekie () irssi org>
Date: Tue, 13 Apr 2010 22:47:08 +0200

Hi,

> I believe assignment of CVE-2010-1154 is redundant here, given that
> CVE-2010-1155 is about the completely missing server name check.  If it
> wasn't checking names, it wasn't handling \0 in names incorrectly.

Indeed. It never checked the hostname at all, so there was no mishandling of \0.

> The crash bits mentioned in the changelog are very ambiguous. The git tree
> isn't any more clear than that. There appear to be two crashes, both sound
> like NULL pointer dereferences that cannot be triggered by an attacker. If
> I'm wrong, please speak up.

It is about this entry in the changelog/NEWS:
- Fix crash when checking for fuzzy nick match when not on the channel.
  Reported by Aurelien Delaitre (SATE 2009).

The fix is revision 5126
(http://svn.irssi.org/cgi-bin/viewvc.cgi/irssi/trunk/src/core/nicklist.c?root=irssi&r1=4922&r2=5126)

It is only exploitable (resulting in a crash) at the exact moment the
victim is leaving a channel.
With some good timing it can be triggered by an attacker.

Regards,

Wouter aka coekie
Irssi developer.

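The failure pattern discussed in the message above, as an added illustration that is not irssi's code: a small C model in which the channel lookup returns NULL once the client has left the channel, a fuzzy nick-match routine that dereferences that pointer without checking it (the crash), and the checked form that treats "not on the channel" as "no match". The structures (`CHANNEL_REC`, `NICK_REC`), the channel table, the function names and the prefix-match "fuzzy" rule are all constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed data model for illustration; these are not irssi's structures. */
typedef struct {
    const char *nick;
} NICK_REC;

typedef struct {
    const char *name;
    NICK_REC nicks[4];
    size_t nick_count;
} CHANNEL_REC;

/* Constructed state: the client is on #example only. */
static CHANNEL_REC joined_channels[] = {
    { "#example", { { "coekie" }, { "alice" }, { "bob" } }, 3 },
};

/* Returns the channel record, or NULL when the client is not (or no longer)
 * on that channel, which is exactly the state right after leaving it. */
static CHANNEL_REC *channel_find(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof joined_channels / sizeof joined_channels[0]; i++) {
        if (strcmp(joined_channels[i].name, name) == 0)
            return &joined_channels[i];
    }
    return NULL;
}

/* Stand-in "fuzzy" rule (assumption): case-insensitive prefix match. */
static int nick_fuzzy_match(const char *nick, const char *pattern)
{
    while (*pattern != '\0') {
        if (*nick == '\0' ||
            tolower((unsigned char)*nick) != tolower((unsigned char)*pattern))
            return 0;
        nick++;
        pattern++;
    }
    return 1;
}

/* BEFORE (the bug pattern): the channel pointer is used without a NULL check.
 * If this runs while the client is leaving the channel, chan is NULL and
 * chan->nick_count dereferences a null pointer: a crash, nothing more. */
static int count_fuzzy_matches_unchecked(const char *channel, const char *pattern)
{
    CHANNEL_REC *chan = channel_find(channel);
    int matches = 0;
    size_t i;
    for (i = 0; i < chan->nick_count; i++) {   /* NULL deref when not on channel */
        if (nick_fuzzy_match(chan->nicks[i].nick, pattern))
            matches++;
    }
    return matches;
}

/* AFTER: "not on the channel" yields zero matches instead of a dereference. */
static int count_fuzzy_matches(const char *channel, const char *pattern)
{
    CHANNEL_REC *chan = channel_find(channel);
    int matches = 0;
    size_t i;
    if (chan == NULL)
        return 0;
    for (i = 0; i < chan->nick_count; i++) {
        if (nick_fuzzy_match(chan->nicks[i].nick, pattern))
            matches++;
    }
    return matches;
}

int main(void)
{
    /* Both versions agree while the client is still on the channel. */
    printf("on #example, 'co' matches %d nick(s) (unchecked: %d)\n",
           count_fuzzy_matches("#example", "co"),
           count_fuzzy_matches_unchecked("#example", "co"));
    /* The client is not on #parted: the checked version returns 0, whereas
     * count_fuzzy_matches_unchecked("#parted", "co") would crash. */
    printf("not on #parted, 'co' matches %d nick(s)\n",
           count_fuzzy_matches("#parted", "co"));
    return 0;
}
```

The point of the pairing is the one made in the thread: the unchecked lookup only fails in the narrow window where the channel record is already gone, so the worst outcome is a denial of service of the client, and the fix is a single NULL check at the point where the channel pointer is first used.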
