UbuntuUpdates.org

Package "irssi"

Name: irssi

Description:

terminal based IRC client
Latest version: 0.8.19-1ubuntu1.9
Release: xenial (16.04)
Level: updates
Repository: main
Homepage: http://irssi.org/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "irssi"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "irssi" in Xenial

Repository Area Version
base main 0.8.19-1ubuntu1
security main 0.8.19-1ubuntu1.9

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 0.8.19-1ubuntu1.9 2019-07-04 20:06:46 UTC

  irssi (0.8.19-1ubuntu1.9) xenial-security; urgency=medium

  * SECURITY UPDATE: User after free
    - debian/patches/CVE-2019-13045.patch: copy sasl username
      and password values in src/irc/core/irc-core.c,
      src/irc/core/irc-servers-reconnect.c,
      src/irc/core/irc-servers-setup.c.
    - CVE-2019-13045

 -- <email address hidden> (Leonidas S. Barbosa) Tue, 02 Jul 2019 10:09:59 -0300
Source diff to previous version
CVE-2019-13045 Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free when sending SASL login to the server.

Version: 0.8.19-1ubuntu1.8 2019-01-17 15:06:38 UTC

  irssi (0.8.19-1ubuntu1.8) xenial-security; urgency=medium

  * SECURITY UPDATE: Use after free
    - debian/patches/CVE-2019-5882.patch: fix in
      src/fe-text/textbuffer-view.c.
    - CVE-2019-5882

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 16 Jan 2019 09:34:59 -0300
Source diff to previous version
CVE-2019-5882 Irssi 1.1.x before 1.1.2 has a use after free when hidden lines are expired from the scroll buffer.

Version: 0.8.19-1ubuntu1.7 2018-03-06 19:06:53 UTC

  irssi (0.8.19-1ubuntu1.7) xenial-security; urgency=medium

  * SECURITY UPDATE: Null pointer dereference
    - debian/patches/CVE-2018-7050.patch: check if
      nick is Null in src/fe-common/core/chat-completion.c.
    - CVE-2018-7050
  * SECURITY UPDATE: Certain nick names result in out-of-bounds
    access
    - debian/patches/CVE-2018-7051.patch: don't read beyond end of
      escaped string in src/fe-common/core/themes.c.
    - CVE-2018-7051
  * SECURITY UPDATE: Null pointer dereference
    - debian/patches/CVE-2018-7052.patch: check if window parent
      is Null in src/fe-text/mainwindows.c.
    - CVE-2018-7052
  * SECURITY UPDATE: use-after-free
    - debian/patches/CVE-2018-7053.patch: avoiding
      reuse sasl timeout in src/irc/core/sasl.c.
    - CVE-2018-7073

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 28 Feb 2018 17:35:02 -0300
Source diff to previous version
CVE-2018-7050 An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. A NULL pointer dereference occurs for an "empty" nick.
CVE-2018-7051 An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. Certain nick names could result in out-of-bounds access when printing theme str
CVE-2018-7052 An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. When the number of windows exceeds the available space, a crash due to a NULL p
CVE-2018-7053 An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. There is a use-after-free when SASL messages are received in an unexpected orde
CVE-2018-7073 RESERVED

Version: 0.8.19-1ubuntu1.6 2018-01-10 15:07:05 UTC

  irssi (0.8.19-1ubuntu1.6) xenial-security; urgency=medium

  * SECURITY UPDATE: buffer overread via incomplete escape codes
    - debian/patches/CVE-2018-5205.patch: check for complete char in
      src/core/misc.c.
    - CVE-2018-5205
  * SECURITY UPDATE: NULL dereference via setting channel topic without
    specifying a sender
    - debian/patches/CVE-2018-5206.patch: do not record topic change time
      when sender is blank in src/irc/core/channel-events.c.
    - CVE-2018-5206
  * SECURITY UPDATE: buffer overread via incomplete variable argument
    - debian/patches/CVE-2018-5207.patch: disable variable arguments code
      in src/core/special-vars.c.
    - CVE-2018-5207
  * SECURITY UPDATE: heap overflow in completion code
    - debian/patches/CVE-2018-5208.patch: check for direct match of
      separator in src/fe-common/core/completion.c.
    - CVE-2018-5208

 -- Marc Deslauriers <email address hidden> Mon, 08 Jan 2018 14:41:10 -0500
Source diff to previous version
CVE-2018-5205 When using incomplete escape codes, Irssi before 1.0.6 may access data beyond the end of the string.
CVE-2018-5206 When the channel topic is set without specifying a sender, Irssi before 1.0.6 may dereference a NULL pointer.
CVE-2018-5207 When using an incomplete variable argument, Irssi before 1.0.6 may access data beyond the end of the string.
CVE-2018-5208 In Irssi before 1.0.6, a calculation error in the completion code could cause a heap buffer overflow when completing certain strings.

Version: 0.8.19-1ubuntu1.5 2017-10-26 21:06:40 UTC

  irssi (0.8.19-1ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: multiple security issues
    - debian/patches/CVE-2017-1096x.patch: check return value of localtime
      in src/core/misc.c, correct GHashTable usage in src/core/nicklist.c.
    - CVE-2017-10965
    - CVE-2017-10966
  * SECURITY UPDATE: multiple security issues
    - debian/patches/CVE-2017-15xxx.patch: address security issues in
      src/core/recode.c, src/fe-common/core/themes.c,
      src/irc/core/channel-events.c, src/irc/core/channels-query.c,
      src/irc/core/irc-servers.c, src/irc/dcc/dcc-chat.c,
      src/irc/dcc/dcc-get.c, src/irc/dcc/dcc-send.c.
    - CVE-2017-15227
    - CVE-2017-15228
    - CVE-2017-15721
    - CVE-2017-15722
    - CVE-2017-15723

 -- Marc Deslauriers <email address hidden> Wed, 25 Oct 2017 08:00:36 -0400
CVE-2017-1096 IBM Jazz Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript cod
CVE-2017-10965 An issue was discovered in Irssi before 1.0.4. When receiving messages with invalid time stamps, Irssi would try to dereference a NULL pointer.
CVE-2017-10966 An issue was discovered in Irssi before 1.0.4. While updating the internal nick list, Irssi could incorrectly use the GHashTable interface and free t
CVE-2017-15227 Irssi before 1.0.5, while waiting for the channel synchronisation, may incorrectly fail to remove destroyed channels from the query list, resulting i
CVE-2017-15228 Irssi before 1.0.5, when installing themes with unterminated colour formatting sequences, may access data beyond the end of the string.
CVE-2017-15721 In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages could cause a NULL pointer dereference. This is a separate, but similar, issue
CVE-2017-15722 In certain cases, Irssi before 1.0.5 may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.
CVE-2017-15723 In Irssi before 1.0.5, overlong nicks or targets may result in a NULL pointer dereference while splitting the message.


About   -   Send Feedback to @ubuntu_updates