CVE Request: irssi: information disclosure vulnerabilit in buf.pl

[Salvatore Bonaccorso <carnil () debian org>]

Hi

An information disclosure vulnerability in the buf.pl script provided
by irssi, a terminal based IRC client has been found. Quoting the
advisory at:

https://irssi.org/2016/09/22/buf.pl-update/

                  ]
> buf.pl update available
>
> Posted on September 22^nd 2016
>
> An information disclosure vulnerability was found, reported and fixed
> in the buf.pl script by its author.
>
> CWE Classification: CWE-732, CWE-538
>
> Impact
>
> Other users on the same machine may be able to retrieve the whole
> window contents after /UPGRADE when the buf.pl script is loaded.
> Furthermore, this dump of the windows contents is never removed
> afterwards.
>
> Since buf.pl is also an Irssi core script and we recommended its use
> to retain your window content, many people could potentially be
> affected by this.
>
> Remote users may be able to retrieve these contents when combined with
> other path traversal vulnerabilities in public facing services on that
> machine.
>
> Detailed analysis
>
> buf.pl restores the scrollbuffer between “/upgrade”s by writing the
> contents to a file, and reading that after the new process was
> spawned. Through that file, the contents of (private) chat
> conversations may leak to other users.
>
> Mitigating facts
>
> Careful users with a limited umask (e.g. 077) are not affected by this
> bug.  However, most Linux systems default to a umask of 022, meaning
> that files written without further restricting the permissions, are
> readable by any user.
>
> Affected versions
>
> All up to 2.13
>
> Fixed versions
>
> buf.pl 2.20
>
> Resolution
>
> Update the buf.pl script with the latest version from scripts.irssi.org.

Upstream fix:
https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a

Debian Bug report: https://bugs.debian.org/838762

Could a CVE be assigned for this issue?

Regards,
Salvatore