Vulnerabilities > CVE-2017-15227 - Use After Free vulnerability in Irssi
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Irssi before 1.0.5, while waiting for the channel synchronisation, may incorrectly fail to remove destroyed channels from the query list, resulting in use-after-free conditions when updating the state later on.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1189.NASL description This security update for irssi to version 1.0.5 addresses the following security issues : - CVE-2017-15228: When installing themes with unterminated colour formatting sequences, Irssi may access data beyond the end of the string. This issue could have resulted in denial of service (remote crash) when installing a malicious or broken theme file. - CVE-2017-15227: While waiting for the channel synchronisation, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditions when updating the state later on. This issue could have caused denial of service (remote crash) when connecting to a malicious or broken ircd. - CVE-2017-15721: Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference. This issue could have caused denial of service (remote crash) when connecting to a malicious or broken ircd. - CVE-2017-15723: Overlong nicks or targets may result in a NULL pointer dereference while splitting the message. This issue could have caused denial of service (remote crash) when connecting to a malicious or broken ircd. - CVE-2017-15722: In certain cases Irssi may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string. last seen 2020-06-05 modified 2017-10-24 plugin id 104114 published 2017-10-24 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104114 title openSUSE Security Update : irssi (openSUSE-2017-1189) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2017-1189. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(104114); script_version("3.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-15227", "CVE-2017-15228", "CVE-2017-15721", "CVE-2017-15722", "CVE-2017-15723"); script_name(english:"openSUSE Security Update : irssi (openSUSE-2017-1189)"); script_summary(english:"Check for the openSUSE-2017-1189 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This security update for irssi to version 1.0.5 addresses the following security issues : - CVE-2017-15228: When installing themes with unterminated colour formatting sequences, Irssi may access data beyond the end of the string. This issue could have resulted in denial of service (remote crash) when installing a malicious or broken theme file. - CVE-2017-15227: While waiting for the channel synchronisation, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditions when updating the state later on. This issue could have caused denial of service (remote crash) when connecting to a malicious or broken ircd. - CVE-2017-15721: Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference. This issue could have caused denial of service (remote crash) when connecting to a malicious or broken ircd. - CVE-2017-15723: Overlong nicks or targets may result in a NULL pointer dereference while splitting the message. This issue could have caused denial of service (remote crash) when connecting to a malicious or broken ircd. - CVE-2017-15722: In certain cases Irssi may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064540" ); script_set_attribute( attribute:"solution", value:"Update the affected irssi packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:irssi-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2017/10/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"irssi-1.0.5-14.14.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"irssi-debuginfo-1.0.5-14.14.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"irssi-debugsource-1.0.5-14.14.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"irssi-devel-1.0.5-14.14.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"irssi-1.0.5-17.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"irssi-debuginfo-1.0.5-17.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"irssi-debugsource-1.0.5-17.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"irssi-devel-1.0.5-17.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "irssi / irssi-debuginfo / irssi-debugsource / irssi-devel"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1217.NASL description Multiple vulnerabilities have been discovered in Irssi, a terminal based IRC client, which may lead to denial of service or other unspecified impact. For Debian 7 last seen 2020-03-17 modified 2017-12-26 plugin id 105424 published 2017-12-26 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105424 title Debian DLA-1217-1 : irssi security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1284.NASL description According to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Irssi before 1.0.5, when installing themes with unterminated colour formatting sequences, may access data beyond the end of the string.(CVE-2017-15228) - Irssi before 1.0.5, while waiting for the channel synchronisation, may incorrectly fail to remove destroyed channels from the query list, resulting in use-after-free conditions when updating the state later on.(CVE-2017-15227) - In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages could cause a NULL pointer dereference. This is a separate, but similar, issue relative to CVE-2017-9468.(CVE-2017-15721) - In certain cases, Irssi before 1.0.5 may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.(CVE-2017-15722) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-12-01 plugin id 104903 published 2017-12-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104903 title EulerOS 2.0 SP2 : irssi (EulerOS-SA-2017-1284) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4016.NASL description Multiple vulnerabilities have been discovered in Irssi, a terminal based IRC client. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2017-10965 Brian last seen 2020-06-01 modified 2020-06-02 plugin id 104400 published 2017-11-06 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104400 title Debian DSA-4016-1 : irssi - security update NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3465-1.NASL description Brian Carpenter discovered that Irssi incorrectly handled messages with invalid time stamps. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-10965) Brian Carpenter discovered that Irssi incorrectly handled the internal nick list. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-10966) Joseph Bisch discovered that Irssi incorrectly removed destroyed channels from the query list. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-15227) Hanno Bock discovered that Irssi incorrectly handled themes. If a user were tricked into using a malicious theme, a attacker could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-15228) Joseph Bisch discovered that Irssi incorrectly handled certain DCC CTCP messages. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-15721) Joseph Bisch discovered that Irssi incorrectly handled certain channel IDs. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-15722) Joseph Bisch discovered that Irssi incorrectly handled certain long nicks or targets. A malicious IRC server could use this issue to cause Irssi to crash, resulting in a denial of service. (CVE-2017-15723). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104212 published 2017-10-27 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104212 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : irssi vulnerabilities (USN-3465-1) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_85E2C7EBB74B11E785465CF3FCFDD1F1.NASL description Irssi reports : When installing themes with unterminated colour formatting sequences, Irssi may access data beyond the end of the string. While waiting for the channel synchronisation, Irssi may incorrectly fail to remove destroyed channels from the query list, resulting in use after free conditions when updating the state later on. Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference. Overlong nicks or targets may result in a NULL pointer dereference while splitting the message. In certain cases Irssi may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string. last seen 2020-06-01 modified 2020-06-02 plugin id 104062 published 2017-10-23 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104062 title FreeBSD : irssi -- multiple vulnerabilities (85e2c7eb-b74b-11e7-8546-5cf3fcfdd1f1) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2017-298-01.NASL description New irssi packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 104146 published 2017-10-26 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/104146 title Slackware 14.0 / 14.1 / 14.2 / current : irssi (SSA:2017-298-01) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1283.NASL description According to the versions of the irssi package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Irssi before 1.0.5, when installing themes with unterminated colour formatting sequences, may access data beyond the end of the string.(CVE-2017-15228) - Irssi before 1.0.5, while waiting for the channel synchronisation, may incorrectly fail to remove destroyed channels from the query list, resulting in use-after-free conditions when updating the state later on.(CVE-2017-15227) - In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages could cause a NULL pointer dereference. This is a separate, but similar, issue relative to CVE-2017-9468.(CVE-2017-15721) - In certain cases, Irssi before 1.0.5 may fail to verify that a Safe channel ID is long enough, causing reads beyond the end of the string.(CVE-2017-15722) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-12-01 plugin id 104902 published 2017-12-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104902 title EulerOS 2.0 SP1 : irssi (EulerOS-SA-2017-1283)
References
- http://openwall.com/lists/oss-security/2017/10/22/4
- http://openwall.com/lists/oss-security/2017/10/22/4
- https://irssi.org/security/irssi_sa_2017_10.txt
- https://irssi.org/security/irssi_sa_2017_10.txt
- https://lists.debian.org/debian-lts-announce/2017/12/msg00022.html
- https://lists.debian.org/debian-lts-announce/2017/12/msg00022.html
- https://www.debian.org/security/2017/dsa-4016
- https://www.debian.org/security/2017/dsa-4016