ASA-201802-8 log original external raw

[ASA-201802-8] irssi: multiple issues
Arch Linux Security Advisory ASA-201802-8 ========================================= Severity: High Date : 2018-02-15 CVE-ID : CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053 CVE-2018-7054 Package : irssi Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-616 Summary ======= The package irssi before version 1.1.1-1 is vulnerable to multiple issues including arbitrary code execution and denial of service. Resolution ========== Upgrade to 1.1.1-1. # pacman -Syu "irssi>=1.1.1-1" The problems have been fixed upstream in version 1.1.1. Workaround ========== None. Description =========== - CVE-2018-7050 (denial of service) An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. A NULL pointer dereference occurs for an "empty" nick. - CVE-2018-7051 (denial of service) An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. Certain nick names could result in out-of-bounds access when printing theme strings. - CVE-2018-7052 (denial of service) An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. When the number of windows exceeds the available space, a crash due to a NULL pointer dereference would occur. - CVE-2018-7053 (arbitrary code execution) An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. There is a use-after-free when SASL messages are received in an unexpected order. - CVE-2018-7054 (denial of service) An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. There is a use-after-free when a server is disconnected during netsplits. Impact ====== A remote attacker is able to crash the application, execute arbitrary code or read memory via a malicious server or by tricking a user to use malicious commands. References ========== https://irssi.org/security/irssi_sa_2018_02.txt https://github.com/irssi/irssi/commit/e91da9e4098e449dc36eaa15354aff67650e7703 https://github.com/irssi/irssi/commit/e32e9d63c67ab95ef0576154680a6c52334b97af https://github.com/irssi/irssi/commit/5b5bfef03596d95079c728f65f523570dd7b03aa https://github.com/irssi/irssi/commit/84f03e01467b90a4251987b32b2813ee976b357c https://github.com/irssi/irssi/issues/819 https://github.com/irssi/irssi/commit/5c5ed64180a6b76315ee7b8c6000ee64ad5877a7 https://security.archlinux.org/CVE-2018-7050 https://security.archlinux.org/CVE-2018-7051 https://security.archlinux.org/CVE-2018-7052 https://security.archlinux.org/CVE-2018-7053 https://security.archlinux.org/CVE-2018-7054

[ASA-201802-8] irssi: multiple issues

Arch Linux Security Advisory ASA-201802-8 ========================================= Severity: High Date : 2018-02-15 CVE-ID : CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053 CVE-2018-7054 Package : irssi Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-616 Summary ======= The package irssi before version 1.1.1-1 is vulnerable to multiple issues including arbitrary code execution and denial of service. Resolution ========== Upgrade to 1.1.1-1. # pacman -Syu "irssi>=1.1.1-1" The problems have been fixed upstream in version 1.1.1. Workaround ========== None. Description =========== - CVE-2018-7050 (denial of service) An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. A NULL pointer dereference occurs for an "empty" nick. - CVE-2018-7051 (denial of service) An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. Certain nick names could result in out-of-bounds access when printing theme strings. - CVE-2018-7052 (denial of service) An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. When the number of windows exceeds the available space, a crash due to a NULL pointer dereference would occur. - CVE-2018-7053 (arbitrary code execution) An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. There is a use-after-free when SASL messages are received in an unexpected order. - CVE-2018-7054 (denial of service) An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. There is a use-after-free when a server is disconnected during netsplits. Impact ====== A remote attacker is able to crash the application, execute arbitrary code or read memory via a malicious server or by tricking a user to use malicious commands. References ========== https://irssi.org/security/irssi_sa_2018_02.txt https://github.com/irssi/irssi/commit/e91da9e4098e449dc36eaa15354aff67650e7703 https://github.com/irssi/irssi/commit/e32e9d63c67ab95ef0576154680a6c52334b97af https://github.com/irssi/irssi/commit/5b5bfef03596d95079c728f65f523570dd7b03aa https://github.com/irssi/irssi/commit/84f03e01467b90a4251987b32b2813ee976b357c https://github.com/irssi/irssi/issues/819 https://github.com/irssi/irssi/commit/5c5ed64180a6b76315ee7b8c6000ee64ad5877a7 https://security.archlinux.org/CVE-2018-7050 https://security.archlinux.org/CVE-2018-7051 https://security.archlinux.org/CVE-2018-7052 https://security.archlinux.org/CVE-2018-7053 https://security.archlinux.org/CVE-2018-7054