svn commit: r452673 - head/security/vuxml

Danilo G. Baio dbaio at FreeBSD.org
Sun Oct 22 17:46:41 UTC 2017 

Author: dbaio
Date: Sun Oct 22 17:46:40 2017
New Revision: 452673
URL: https://svnweb.freebsd.org/changeset/ports/452673

Log:
  security/vuxml: Document multiple vulnerabilities in irc/irssi
  
  Security:	CVE-2017-15721
  Security:	CVE-2017-15722
  Security:	CVE-2017-15723
  Security:	CVE-2017-15727
  Security:	CVE-2017-15228
  
  PR:		223169
  Reported by:	David O'Rourke <dor.bsd at xm0.uk>

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Oct 22 17:23:33 2017	(r452672)
+++ head/security/vuxml/vuln.xml	Sun Oct 22 17:46:40 2017	(r452673)
@@ -58,6 +58,48 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="85e2c7eb-b74b-11e7-8546-5cf3fcfdd1f1">
+    <topic>irssi -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>irssi</name>
+	<range><lt>1.0.5,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Irssi reports:</p>
+	<blockquote cite="https://irssi.org/security/irssi_sa_2017_10.txt">
+	  <p>When installing themes with unterminated colour formatting
+	  sequences, Irssi may access data beyond the end of the string.</p>
+	  <p>While waiting for the channel synchronisation, Irssi may
+	  incorrectly fail to remove destroyed channels from the query list,
+	  resulting in use after free conditions when updating the state later
+	  on.</p>
+	  <p>Certain incorrectly formatted DCC CTCP messages could cause NULL
+	  pointer dereference.</p>
+	  <p>Overlong nicks or targets may result in a NULL pointer dereference
+	  while splitting the message.</p>
+	  <p>In certain cases Irssi may fail to verify that a Safe channel ID
+	  is long enough, causing reads beyond the end of the string.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://irssi.org/security/irssi_sa_2017_10.txt</url>
+      <cvename>CVE-2017-15721</cvename>
+      <cvename>CVE-2017-15722</cvename>
+      <cvename>CVE-2017-15723</cvename>
+      <cvename>CVE-2017-15227</cvename>
+      <cvename>CVE-2017-15228</cvename>
+      <freebsdpr>223169</freebsdpr>
+    </references>
+    <dates>
+      <discovery>2017-10-10</discovery>
+      <entry>2017-10-22</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="a692bffe-b6ad-11e7-a1c2-e8e0b747a45a">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>

More information about the svn-ports-head mailing list