ASA-201801-12 generated external raw

[ASA-201801-12] irssi: denial of service
Arch Linux Security Advisory ASA-201801-12 ========================================== Severity: Medium Date : 2018-01-16 CVE-ID : CVE-2018-5205 CVE-2018-5206 CVE-2018-5207 CVE-2018-5208 Package : irssi Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-575 Summary ======= The package irssi before version 1.0.6-1 is vulnerable to denial of service. Resolution ========== Upgrade to 1.0.6-1. # pacman -Syu "irssi>=1.0.6-1" The problems have been fixed upstream in version 1.0.6. Workaround ========== None. Description =========== - CVE-2018-5205 (denial of service) When using incomplete escape codes, irssi before 1.0.6 may access data beyond the end of the string. - CVE-2018-5206 (denial of service) When the channel topic is set without specifying a sender, irssi before 1.0.6 may dereference a NULL pointer. - CVE-2018-5207 (denial of service) When using an incomplete variable argument, irssi before 1.0.6 may access data beyond the end of the string. - CVE-2018-5208 (denial of service) In Irssi before 1.0.6 a calculation error in the completion code could cause a heap buffer overflow when completing certain strings. Impact ====== A remote attacker is able to crash the application via a malicious server or by tricking a user to use malicious commands. References ========== http://www.openwall.com/lists/oss-security/2018/01/06/2 https://irssi.org/security/irssi_sa_2018_01.txt https://github.com/irssi/irssi/commit/7a83c63701b7395ee6cc606905314318eef77971 https://github.com/irssi/irssi/commit/54d453623d879ea83d0818a80bd14151192953ec https://github.com/irssi/irssi/commit/cc17837a9b326ec9100a35981348fa0f5d6316fa https://github.com/irssi/irssi/commit/2361d4b1e5d38701f35146219ceddd318ac4e645 https://security.archlinux.org/CVE-2018-5205 https://security.archlinux.org/CVE-2018-5206 https://security.archlinux.org/CVE-2018-5207 https://security.archlinux.org/CVE-2018-5208