BID:39377

Irssi Denial of Service and SSL Hostname Verification Security Bypass Vulnerabilities

Info

Irssi Denial of Service and SSL Hostname Verification Security Bypass Vulnerabilities

Bugtraq ID:	39377
Class:	Design Error
CVE:	CVE-2010-1155 CVE-2010-1156
Remote:	Yes
Local:	No
Published:	Apr 12 2010 12:00AM
Updated:	Jun 21 2010 04:19PM
Credit:	Reported by the vendor
Vulnerable:	Ubuntu Ubuntu Linux 9.10 sparc Ubuntu Ubuntu Linux 9.10 powerpc Ubuntu Ubuntu Linux 9.10 lpia Ubuntu Ubuntu Linux 9.10 i386 Ubuntu Ubuntu Linux 9.10 amd64 Ubuntu Ubuntu Linux 9.04 sparc Ubuntu Ubuntu Linux 9.04 powerpc Ubuntu Ubuntu Linux 9.04 lpia Ubuntu Ubuntu Linux 9.04 i386 Ubuntu Ubuntu Linux 9.04 amd64 Ubuntu Ubuntu Linux 8.10 sparc Ubuntu Ubuntu Linux 8.10 powerpc Ubuntu Ubuntu Linux 8.10 lpia Ubuntu Ubuntu Linux 8.10 i386 Ubuntu Ubuntu Linux 8.10 amd64 Ubuntu Ubuntu Linux 8.04 LTS sparc Ubuntu Ubuntu Linux 8.04 LTS powerpc Ubuntu Ubuntu Linux 8.04 LTS lpia Ubuntu Ubuntu Linux 8.04 LTS i386 Ubuntu Ubuntu Linux 8.04 LTS amd64 Slackware Linux 10.2 Slackware Linux 10.1 Slackware Linux x86_64 -current Slackware Linux 13.0 x86_64 Slackware Linux 13.0 Slackware Linux 12.2 Slackware Linux 12.1 Slackware Linux 12.0 Slackware Linux 11.0 Slackware Linux -current S.u.S.E. openSUSE 11.2 S.u.S.E. openSUSE 11.1 S.u.S.E. openSUSE 11.0 Red Hat Fedora 13 Red Hat Fedora 12 Mandriva Linux Mandrake 2010.0 x86_64 Mandriva Linux Mandrake 2010.0 Mandriva Linux Mandrake 2009.1 x86_64 Mandriva Linux Mandrake 2009.1 irssi irssi 0.8.14 irssi irssi 0.8.13 irssi irssi 0.8.11 irssi irssi 0.8.9 irssi irssi 0.8.8 irssi irssi 0.8.7 irssi irssi 0.8.6 irssi irssi 0.8.5 irssi irssi 0.8.4 - Debian Linux 2.2 sparc - Debian Linux 2.2 powerpc - Debian Linux 2.2 IA-32 - Debian Linux 2.2 arm - Debian Linux 2.2 alpha - Debian Linux 2.2 68k - Mandriva Linux Mandrake 8.2 - Mandriva Linux Mandrake 8.1 ia64 - Mandriva Linux Mandrake 8.1 - Mandriva Linux Mandrake 8.0 ppc - Mandriva Linux Mandrake 8.0 - RedHat Linux 7.3 i386 - RedHat Linux 7.2 ia64 - RedHat Linux 7.2 i386 - RedHat Linux 7.1 i386 - S.u.S.E. Linux 8.0 i386 - S.u.S.E. Linux 7.3 i386 - S.u.S.E. Linux 7.2 i386 irssi irssi 0.8.10rc5

Not Vulnerable:	irssi irssi 0.8.15

Discussion

Irssi Denial of Service and SSL Hostname Verification Security Bypass Vulnerabilities

Irssi is prone to a denial-of-service vulnerability and a security-bypass vulnerability.

An attacker can exploit these issues to gain unauthorized access to the affected computer and to crash the affected application.

Versions prior to Irssi 0.8.15 are vulnerable.

Exploit / POC

Irssi Denial of Service and SSL Hostname Verification Security Bypass Vulnerabilities

An attacker may exploit the security-bypass issue by using readily available network utilities. Currently we are not aware of any working exploits for the denial-of-service issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Solution / Fix

Irssi Denial of Service and SSL Hostname Verification Security Bypass Vulnerabilities

Solution:
Updates are available. Please see the references for more information.

Ubuntu Ubuntu Linux 9.10 sparc