CVE Request: Irssi out of bounds read in format string

[Ailin Nemui <ailin.nemui () gmail com>]

Hi,

can you please check whether the following Irssi issue needs a CVE

- Printing the value %[ leads to oob read

This has been reported to the Irssi project by Hanno Böck and is
already fixed as part of the last CVE request, however I failed to
include this issue in the initial report. Hanno has blogged about this
at [1] and linked it to the other issue which we credited him for (but
it is in fact a separate issue).

Thanks,

[1] https://blog.fuzzing-project.org/55-Fuzzing-Irssi-with-Perl-Scripts.html


On Thu, 2017-01-05 at 15:45 +0100, Ailin Nemui wrote:
> Dear oss-security List,
>
> Please provide some CVEs for the following issues.
>
> Thanks,
>
>
> Multiple vulnerabilities in Irssi [1]
> =====================================
>
>
> Description
> -----------
>
> Four vulnerabilities have been located in Irssi.
>
> (a) A NULL pointer dereference in the nickcmp function found by Joseph
>     Bisch. (CWE-690)
>
> (b) Use after free when receiving invalid nick message (Issue #466, CWE-146)
>
> (c) Out of bounds read in certain incomplete control codes found by
>     Joseph Bisch. (CWE-126)
>
> (d) Out of bounds read in certain incomplete character sequences found
>     by Hanno Böck and independently by J. Bisch. (CWE-126)
>
>
> Impact
> ------
>
> These issues may result in denial of service (remote crash).
>
>
> Affected versions
> -----------------
>
> (a) All Irssi versions that we observed
> (b) All Irssi versions that we observed
> (c) Irssi 0.8.17 and later
> (d) Irssi 0.8.18 and later
>
>
> Fixed in
> --------
>
> Irssi 0.8.21, Irssi 1.0.0
>
>
> Recommended action
> ------------------
>
> Upgrade to Irssi 0.8.21. Irssi 0.8.21 is a maintenance release
> without any new features.
>
> After installing the updated packages, one can issue the /upgrade
> command to load the new binary. TLS connections will require
> /reconnect.
>
>
> A Note to Distributors
> ----------------------
>
> First of all, thanks to every maintainer for their awesome job in
> packaging Irssi and backporting security fixes.
>
> When we had to release a security advisory last year with Irssi
> 0.8.20, we noticed there was a huge confusion amongst Ubuntu users
> about whether their Irssi version was safe to use.
>
> Since all our releases 0.8.19, 0.8.20 and 0.8.21 have been bug
> fix only, we think distributions should just ship the release.
>
> But if the security fixes only are backported on top of an old
> version, we would like to urge distributions to consider indicating
> this in a way that is visible inside Irssi. One way to do this would
> be to manually overwrite the PACKAGE_VERSION and marking your package
> as patched. This can be done for example like this:
>
>   ./configure PACKAGE_VERSION=0.8.17-sa201701
>
>
> You can then check the version from inside Irssi with /eval echo $J
>
> As an added benefit over relying on dpkg, this will also correctly
> report whether you had /upgrade done or not. We are looking for a ways
> to make this easier to handle for both packagers and us, so if you
> have a good idea on this matter please speak forth.
>
>
> Mitigating facts
> ----------------
>
> (a) requires control over the ircd
>
> (b), (d) require control over the ircd or otherwise can be triggered /
>     avoided by the user themselves
>
>
> Patch
> -----
>
> https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d
>
>
> References
> ----------
>
> [1] https://irssi.org/security/irssi_sa_2017_01.txt