BUF-PL-SA-2016 Irssi Security Advisory [1]
==========================================
information disclosure vulnerability in buf.pl
CVE-2016-7553

Description
-----------

An information disclosure vulnerability was found, reported and fixed
in the buf.pl script by its author.

(a) Information disclosure vulnerability found by Juerd Waalboer.
    (CWE-732, CWE-538)

    CVE-2016-7553 [2] was assigned to this issue.


Impact
------

(a) Other users on the same machine may be able to retrieve the whole
    window contents after /UPGRADE when the buf.pl script is loaded.
    Furthermore, this dump of the windows contents is never removed
    afterwards.

    Since buf.pl is also an Irssi core script and we recommended its
    use to retain your window content, many people could potentially be
    affected by this.

    Remote users may be able to retrieve these contents when combined
    with other path traversal vulnerabilities in public facing services
    on that machine.


Affected versions
-----------------

(a) All buf.pl versions that we observed


Fixed in
--------

buf.pl 2.20


Recommended action
------------------

Update the buf.pl script with the latest version from
https://scripts.irssi.org


Mitigating facts
----------------

(a) Careful users with a limited umask (e.g. 077) are not affected by
    this bug. However, most Linux systems default to a umask of 022,
    meaning that files written without further restricting the
    permissions, are readable by any user.


Patch
-----

https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a


Discussion
----------

(a) buf.pl restores the scrollbuffer between "/upgrade"s by writing the
    contents to a file, and reading that after the new process was
    spawned. Through that file, the contents of (private) chat
    conversations may leak to other users.


References
----------

[1] https://irssi.org/security/buf_pl_sa_2016.txt
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7553