Security update for irssi SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2524-1 Final 1 1 2016-10-07T13:29:02Z current 2016-10-07T13:29:02Z 2016-10-07T13:29:02Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for irssi The IRC client irssi was updated to 0.8.20, fixing various bugs and security issues. * CVE-2016-7044: The unformat_24bit_color function in the format parsing code in Irssi, when compiled with true-color enabled, allowed remote attackers to cause a denial of service (heap corruption and crash) via an incomplete 24bit color code. * CVE-2016-7045: The format_send_to_gui function in the format parsing code in Irssi allowed remote attackers to cause a denial of service (heap corruption and crash) via vectors involving the length of a string. See https://irssi.org/security/irssi_sa_2016.txt for more details. * CVE-2016-7553: A information disclosure vulnerability in irssi buf.pl See https://irssi.org/2016/09/22/buf.pl-update/ for more information. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). 5661 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1001215 SUSE Bug 1001215 https://bugzilla.suse.com/999199 SUSE Bug 999199 https://www.suse.com/security/cve/CVE-2016-7044/ SUSE CVE CVE-2016-7044 page https://www.suse.com/security/cve/CVE-2016-7045/ SUSE CVE CVE-2016-7045 page https://www.suse.com/security/cve/CVE-2016-7553/ SUSE CVE CVE-2016-7553 page SUSE Package Hub 12 irssi-0.8.20-9.1 irssi-devel-0.8.20-9.1 irssi-0.8.20-9.1 as a component of SUSE Package Hub 12 irssi-devel-0.8.20-9.1 as a component of SUSE Package Hub 12 The unformat_24bit_color function in the format parsing code in Irssi before 0.8.20, when compiled with true-color enabled, allows remote attackers to cause a denial of service (heap corruption and crash) via an incomplete 24bit color code. CVE-2016-7044 SUSE Package Hub 12:irssi-0.8.20-9.1 SUSE Package Hub 12:irssi-devel-0.8.20-9.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7044.html CVE-2016-7044 https://bugzilla.suse.com/999199 SUSE Bug 999199 The format_send_to_gui function in the format parsing code in Irssi before 0.8.20 allows remote attackers to cause a denial of service (heap corruption and crash) via vectors involving the length of a string. CVE-2016-7045 SUSE Package Hub 12:irssi-0.8.20-9.1 SUSE Package Hub 12:irssi-devel-0.8.20-9.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7045.html CVE-2016-7045 https://bugzilla.suse.com/999199 SUSE Bug 999199 The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from private chat conversations by reading the file. CVE-2016-7553 SUSE Package Hub 12:irssi-0.8.20-9.1 SUSE Package Hub 12:irssi-devel-0.8.20-9.1 low 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7553.html CVE-2016-7553 https://bugzilla.suse.com/1001215 SUSE Bug 1001215