Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201405-03 ] WeeChat: Multiple vulnerabilities
Date: Sat, 03 May 2014 14:24:22
Message-Id: 5364FA88.9070700@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201405-03
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: WeeChat: Multiple vulnerabilities
9 Date: May 03, 2014
10 Bugs: #442600
11 ID: 201405-03
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Two vulnerabilities have been found in WeeChat, the worst of which may
19 allow execution of arbitrary code.
20
21 Background
22 ==========
23
24 Wee Enhanced Environment for Chat (WeeChat) is a light and extensible
25 console IRC client.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 net-irc/weechat < 0.3.9.2 >= 0.3.9.2
34
35 Description
36 ===========
37
38 Two vulnerabilities have been discovered in WeeChat:
39
40 * The hook_process() function does not properly handle shell expansions
41 (CVE-2012-5534).
42 * WeeChat does not properly decode colors which could cause a
43 heap-based buffer overflow (CVE-2012-5854).
44
45 Impact
46 ======
47
48 A remote attacker could entice a user to open a specially crafted
49 script or send messages with specially crafted colors, possibly
50 resulting in execution of arbitrary code with the privileges of the
51 process, or a Denial of Service condition.
52
53 Workaround
54 ==========
55
56 There is no known workaround at this time.
57
58 Resolution
59 ==========
60
61 All WeeChat users should upgrade to the latest version:
62
63 # emerge --sync
64 # emerge --ask --oneshot --verbose ">=net-irc/weechat-0.3.9.2"
65
66 References
67 ==========
68
69 [ 1 ] CVE-2012-5534
70 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5534
71 [ 2 ] CVE-2012-5854
72 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5854
73
74 Availability
75 ============
76
77 This GLSA and any updates to it are available for viewing at
78 the Gentoo Security Website:
79
80 http://security.gentoo.org/glsa/glsa-201405-03.xml
81
82 Concerns?
83 =========
84
85 Security is a primary focus of Gentoo Linux and ensuring the
86 confidentiality and security of our users' machines is of utmost
87 importance to us. Any security concerns should be addressed to
88 security@g.o or alternatively, you may file a bug at
89 https://bugs.gentoo.org.
90
91 License
92 =======
93
94 Copyright 2014 Gentoo Foundation, Inc; referenced text
95 belongs to its owner(s).
96
97 The contents of this document are licensed under the
98 Creative Commons - Attribution / Share Alike license.
99
100 http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature