security-related fixes:
- Fix out of bounds read when compressing colour sequences. Found by Hanno Böck (GL#12, GL!18).
- Fix use after free condition during a race condition when waiting on channel sync during a rejoin (GL#13, GL!19).
- Fix null pointer dereference when parsing certain malformed CTCP DCC messages (GL#14, GL!20).
- Fix crash due to null pointer dereference when failing to split messages due to overlong nick or target (GL#15, GL!21).
- Fix out of bounds read when trying to skip a safe channel ID without verifying that the ID is long enough (GL#16, GL!22).
- Fix return of random memory when inet_ntop failed (#769).
fixes include
v1.0.3 2017-06-06 The Irssi team <staff@irssi.org>
- Fix out of bounds read when scanning expandos (GL!11).
- Fix invalid memory access with quoted filenames in DCC (GL#8, GL!12).
- Fix null-pointer dereference on DCC without address (GL#9, GL!13).
- Improve integer overflow handling. Originally reported by oss-fuzz#525 (#706).
v1.0.2 2017-03-10 The Irssi team <staff@irssi.org>
- Prevent some null-pointer crashes (GL!9).
- Correct dereferencing of already freed server objects during output of netjoins. Found by APic (GL!10, GL#7).
only) - ok jca@ krw@
(a) A NULL pointer dereference in the nickcmp function found by Joseph Bisch. (CWE-690)
(b) Use after free when receiving invalid nick message (Issue #466, CWE-146)
(c) Out of bounds read in certain incomplete control codes found by Joseph Bisch. (CWE-126)
(d) Out of bounds read in certain incomplete character sequences found by Hanno Böck and independently by J. Bisch. (CWE-126)
were problems with irssi-icb (will be fixed in following commit). I made some
small changes from the earlier diff: add PKGSPEC so that plugins pick up the
correct version of irssi, use a better license marker, and install the
irssi-config script that irssi-icb looks for.
Changes to the port:
- normalize paths;
- make term_charset work;
- note the net/irssi-silc in DESCR;
- cleanup;
very initial diff, testing and ok maintainer Wiktor Izdebski
ok jasper@
--
This release fixes a bug that could lead to a remote crash.
Users using irssi on non x86 arches are urged to upgrade.
Also fixes a bug in window layout restoring queries that could
also cause a crash in all arches.
Based on submission from Robert Nagy <thuglife@bsd.hu> with mods
from me.
'This is just the original 0.8.4 package. The 'a' was added after
version number in the package file just to make sure it's not confused
with the backdoored version.'
*) same checksum as non-backdoored version
*) gpg signature/fingerprint verified
*) I suck