IRSSI-SA-2017-03 Irssi Security Advisory [1]

Use-after-free condition during netjoin processing

CVE-2017-7191

Description

  1. Use after free while producing list of netjoins (CWE-416)

    This issue was found and reported to us by APic.

    See CVE-2018-7054 for an update regarding this issue; this fix was incomplete.

    CVE-2017-7191 [2] was assigned to this issue.

Impact

This issue usually leads to segmentation faults. Targeted code execution should be difficult.

Affected versions

  1. Irssi 1.0.0 and later

    We believe Irssi 0.8.21 and prior are not affected, since a different code path causes the netjoins to be flushed prior to reaching the use-after-free condition.

Fixed in

Irssi 1.0.7, 1.1.1

Upgrade to Irssi 1.0.2. Irssi 1.0.2 is a maintenance release without any new features.

Patch

irssi/irssi@77b2631c7...

References