Security update for irssi SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0057-1 Final 1 1 2018-01-09T17:57:14Z current 2018-01-09T17:57:14Z 2018-01-09T17:57:14Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for irssi This update for irssi to version 1.0.6 fixes several issues that may affect the stability of irssi: - CVE-2018-5205: Data access beyond the end of the string when using incomplete escape codes - CVE-2018-5206: NULL pointer dereference when the channel topic is set without specifying a sender - CVE-2018-5207: When using an incomplete variable argument, Irssi may access data beyond the end of the string - CVE-2018-5208: Heap buffer overflow when completing certain strings The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2018-18 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1074958 SUSE Bug 1074958 https://www.suse.com/security/cve/CVE-2018-5205/ SUSE CVE CVE-2018-5205 page https://www.suse.com/security/cve/CVE-2018-5206/ SUSE CVE CVE-2018-5206 page https://www.suse.com/security/cve/CVE-2018-5207/ SUSE CVE CVE-2018-5207 page https://www.suse.com/security/cve/CVE-2018-5208/ SUSE CVE CVE-2018-5208 page SUSE Package Hub 12 irssi-1.0.6-36.1 irssi-devel-1.0.6-36.1 irssi-1.0.6-36.1 as a component of SUSE Package Hub 12 irssi-devel-1.0.6-36.1 as a component of SUSE Package Hub 12 When using incomplete escape codes, Irssi before 1.0.6 may access data beyond the end of the string. CVE-2018-5205 SUSE Package Hub 12:irssi-1.0.6-36.1 SUSE Package Hub 12:irssi-devel-1.0.6-36.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5205.html CVE-2018-5205 https://bugzilla.suse.com/1074958 SUSE Bug 1074958 When the channel topic is set without specifying a sender, Irssi before 1.0.6 may dereference a NULL pointer. CVE-2018-5206 SUSE Package Hub 12:irssi-1.0.6-36.1 SUSE Package Hub 12:irssi-devel-1.0.6-36.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5206.html CVE-2018-5206 https://bugzilla.suse.com/1074958 SUSE Bug 1074958 When using an incomplete variable argument, Irssi before 1.0.6 may access data beyond the end of the string. CVE-2018-5207 SUSE Package Hub 12:irssi-1.0.6-36.1 SUSE Package Hub 12:irssi-devel-1.0.6-36.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5207.html CVE-2018-5207 https://bugzilla.suse.com/1074958 SUSE Bug 1074958 In Irssi before 1.0.6, a calculation error in the completion code could cause a heap buffer overflow when completing certain strings. CVE-2018-5208 SUSE Package Hub 12:irssi-1.0.6-36.1 SUSE Package Hub 12:irssi-devel-1.0.6-36.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-5208.html CVE-2018-5208 https://bugzilla.suse.com/1074958 SUSE Bug 1074958