Debian update for irssi
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2018-5205 CVE-2018-5206 CVE-2018-5207 CVE-2018-5208 CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053 CVE-2018-7054 |
| CWE-ID | CWE-126 CWE-476 CWE-787 CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Debian Linux Operating systems & Components / Operating system |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Buffer over-read
EUVDB-ID: #VU11471
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5205
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to data access beyond the end of the string when using incomplete escape codes. A remote attacker can trigger buffer over-read and gain access to potentially sensitive information.
Update the affected package to version: 1.0.7-1~deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://irssi.org/security/irssi_sa_2018_01.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) NULL pointer dereference
EUVDB-ID: #VU11473
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5206
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to NULL pointer dereference when the channel topic is set without specifying a sender. A remote attacker can cause the service to crash.
Update the affected package to version: 1.0.7-1~deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://irssi.org/security/irssi_sa_2018_01.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer over-read
EUVDB-ID: #VU11474
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5207
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to data access beyond the end of the string when using an incomplete variable argument. A remote attacker can trigger buffer over-read and gain access to potentially sensitive information.
Update the affected package to version: 1.0.7-1~deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://irssi.org/security/irssi_sa_2018_01.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer over-read
EUVDB-ID: #VU11475
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-5208
CWE-ID:
CWE-126 - Buffer over-read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a calculation error in the completion code that triggers heap buffer overflow when completing certain strings. A remote attacker can cause the service to crash.
Update the affected package to version: 1.0.7-1~deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://irssi.org/security/irssi_sa_2018_01.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) NULL pointer dereference
EUVDB-ID: #VU10606
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7050
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a NULL pointer dereference when an "empty" nick has been observed. A remote attacker can use a broken ircd or control over the ircde and cause the service to crash.
Update the affected package to version: 1.0.7-1~deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://irssi.org/security/irssi_sa_2018_02.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Out-of-bounds write
EUVDB-ID: #VU10599
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7051
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an out-of-bounds write error when printing theme strings. A remote attacker can execute arbitrary code on the system.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1.0.7-1~deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://irssi.org/security/irssi_sa_2018_02.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) NULL pointer dereference
EUVDB-ID: #VU10607
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7052
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to a NULL pointer dereference when the number of windows exceed the available space. A remote attacker can cause a denial of service.
Update the affected package to version: 1.0.7-1~deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://irssi.org/security/irssi_sa_2018_02.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Use-after-free error
EUVDB-ID: #VU10608
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7053
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a use-after-free when SASL messages are received in unexpected order. A remote attacker can use a non-conforming ircd, trigger memory corruption and execute arbitrary code on the system.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1.0.7-1~deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://irssi.org/security/irssi_sa_2018_02.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free error
EUVDB-ID: #VU10609
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-7054
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness is due to a use-after-free when server is disconnected during netsplits. A remote attacker can trigger memory corruption and execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1.0.7-1~deb9u1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://irssi.org/security/irssi_sa_2018_02.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
