cnvd - cnvd-2016-08459

cnvd-2016-08459

Vulnerability from cnvd

Title: Irssi 'buf.pl'本地信息泄露漏洞

Description:

Irssi是Timo Sirainen用C语言写的一个文本用户界面的IRC客户端程序，她的发布遵循GPL（GNU General Public License）。

Irssi中存在本地信息泄露漏洞，本地攻击者可以利用该漏洞获取敏感信息。

Severity: 中

Patch Name: Irssi 'buf.pl'本地信息泄露漏洞的补丁

Patch Description:

Irssi是Timo Sirainen用C语言写的一个文本用户界面的IRC客户端程序，她的发布遵循GPL（GNU General Public License）。

Irssi中存在本地信息泄露漏洞，本地攻击者可以利用该漏洞获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布更新，参考链接如下： https://irssi.org/2016/09/22/buf.pl-update/

Reference: http://www.securityfocus.com/bid/93155

Impacted products

Name
['Irssi Irssi 0.8.9', 'Irssi Irssi 0.8.4']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "93155"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-7553"
    }
  },
  "description": "Irssi\u662fTimo Sirainen\u7528C\u8bed\u8a00\u5199\u7684\u4e00\u4e2a\u6587\u672c\u7528\u6237\u754c\u9762\u7684IRC\u5ba2\u6237\u7aef\u7a0b\u5e8f\uff0c\u5979\u7684\u53d1\u5e03\u9075\u5faaGPL\uff08GNU General Public License\uff09\u3002\r\n\r\nIrssi\u4e2d\u5b58\u5728\u672c\u5730\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u672c\u5730\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "Salvatore Bonaccorso",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u66f4\u65b0\uff0c\u53c2\u8003\u94fe\u63a5\u5982\u4e0b\uff1a\r\nhttps://irssi.org/2016/09/22/buf.pl-update/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-08459",
  "openTime": "2016-10-09",
  "patchDescription": "Irssi\u662fTimo Sirainen\u7528C\u8bed\u8a00\u5199\u7684\u4e00\u4e2a\u6587\u672c\u7528\u6237\u754c\u9762\u7684IRC\u5ba2\u6237\u7aef\u7a0b\u5e8f\uff0c\u5979\u7684\u53d1\u5e03\u9075\u5faaGPL\uff08GNU General Public License\uff09\u3002\r\n\r\nIrssi\u4e2d\u5b58\u5728\u672c\u5730\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u672c\u5730\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Irssi \u0027buf.pl\u0027\u672c\u5730\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Irssi Irssi 0.8.9",
      "Irssi Irssi 0.8.4"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/93155",
  "serverity": "\u4e2d",
  "submitTime": "2016-09-27",
  "title": "Irssi \u0027buf.pl\u0027\u672c\u5730\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2016-7553 (GCVE-0-2016-7553)

Vulnerability from cvelistv5

Published

2017-02-27 22:00

Modified

2024-08-06 02:04

Severity ?

CWE

Summary

The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from private chat conversations by reading the file.

References

▼	URL	Tags
	http://www.openwall.com/lists/oss-security/2016/09/26/4	mailing-list, x_refsource_MLIST
	http://www.openwall.com/lists/oss-security/2016/09/24/1	mailing-list, x_refsource_MLIST
	https://irssi.org/security/buf_pl_sa_2016.txt	x_refsource_CONFIRM
	https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OM3WHWQ7RIAOZSOZZUM4CUYGKSIAGJJ/	vendor-advisory, x_refsource_FEDORA
	http://www.securityfocus.com/bid/93155	vdb-entry, x_refsource_BID

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:04:55.277Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20160926 Re: CVE Request: irssi: information disclosure vulnerabilit in buf.pl",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2016/09/26/4"
          },
          {
            "name": "[oss-security] 20160924 CVE Request: irssi: information disclosure vulnerabilit in buf.pl",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2016/09/24/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://irssi.org/security/buf_pl_sa_2016.txt"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a"
          },
          {
            "name": "FEDORA-2016-39de4eb5e7",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OM3WHWQ7RIAOZSOZZUM4CUYGKSIAGJJ/"
          },
          {
            "name": "93155",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/93155"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-09-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from private chat conversations by reading the file."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-02-28T13:57:01",
        "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
        "shortName": "debian"
      },
      "references": [
        {
          "name": "[oss-security] 20160926 Re: CVE Request: irssi: information disclosure vulnerabilit in buf.pl",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2016/09/26/4"
        },
        {
          "name": "[oss-security] 20160924 CVE Request: irssi: information disclosure vulnerabilit in buf.pl",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2016/09/24/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://irssi.org/security/buf_pl_sa_2016.txt"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a"
        },
        {
          "name": "FEDORA-2016-39de4eb5e7",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7OM3WHWQ7RIAOZSOZZUM4CUYGKSIAGJJ/"
        },
        {
          "name": "93155",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/93155"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@debian.org",
          "ID": "CVE-2016-7553",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The buf.pl script before 2.20 in Irssi before 0.8.20 uses weak permissions for the scrollbuffer dump file created between upgrades, which might allow local users to obtain sensitive information from private chat conversations by reading the file."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20160926 Re: CVE Request: irssi: information disclosure vulnerabilit in buf.pl",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2016/09/26/4"
            },
            {
              "name": "[oss-security] 20160924 CVE Request: irssi: information disclosure vulnerabilit in buf.pl",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2016/09/24/1"
            },
            {
              "name": "https://irssi.org/security/buf_pl_sa_2016.txt",
              "refsource": "CONFIRM",
              "url": "https://irssi.org/security/buf_pl_sa_2016.txt"
            },
            {
              "name": "https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a",
              "refsource": "CONFIRM",
              "url": "https://github.com/irssi/scripts.irssi.org/commit/f1b1eb154baa684fad5d65bf4dff79c8ded8b65a"
            },
            {
              "name": "FEDORA-2016-39de4eb5e7",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OM3WHWQ7RIAOZSOZZUM4CUYGKSIAGJJ/"
            },
            {
              "name": "93155",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/93155"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
    "assignerShortName": "debian",
    "cveId": "CVE-2016-7553",
    "datePublished": "2017-02-27T22:00:00",
    "dateReserved": "2016-09-09T00:00:00",
    "dateUpdated": "2024-08-06T02:04:55.277Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted