1727683 – (CVE-2019-13045) CVE-2019-13045 irssi: use after free when sending SASL login to server

Bug 1727683 (CVE-2019-13045) - CVE-2019-13045 irssi: use after free when sending SASL login to server

Summary: CVE-2019-13045 irssi: use after free when sending SASL login to server

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-13045
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1727686 1738600
Blocks:	1734285
TreeView+	depends on / blocked

Reported:	2019-07-08 03:41 UTC by Dhananjay Arunesh
Modified:	2021-02-16 21:46 UTC (History)
CC List:	5 users (show)
Fixed In Version:	Irssi 1.0.8, Irssi 1.1.3, Irssi 1.2.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-28 16:32:56 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:1616	0	None	None	None	2020-04-28 15:30:24 UTC

Description Dhananjay Arunesh 2019-07-08 03:41:33 UTC

Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when SASL is enabled, has a use after free when sending SASL login to the server.

Reference:
https://www.openwall.com/lists/oss-security/2019/06/29/1

Upstream commit:
https://github.com/irssi/irssi/commit/d23b0d22cc611e43c88d99192a59f413f951a955

Comment 1 Dhananjay Arunesh 2019-07-08 03:42:26 UTC

External References:

https://irssi.org/security/irssi_sa_2019_06.txt

Comment 2 Dhananjay Arunesh 2019-07-08 03:42:54 UTC

Created irssi tracking bugs for this issue:

Affects: fedora-all [bug 1727686]

Comment 3 Dhananjay Arunesh 2019-07-08 03:43:15 UTC

Created irssi tracking bugs for this issue:

Affects: epel-7 [bug 1727687]

Comment 4 Product Security DevOps Team 2019-07-12 13:08:17 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 11 errata-xmlrpc 2020-04-28 15:30:22 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1616 https://access.redhat.com/errata/RHSA-2020:1616

Comment 12 Product Security DevOps Team 2020-04-28 16:32:56 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13045

Note You need to log in before you can comment on or make changes to this bug.