Security vulnerabilities in version 0.3.4

This page lists all known and fixed security vulnerabilities in version 0.3.4 (back to the list of all versions).

Overview: 6 vulnerabilities

WSA CVE Score Severity Issue Scope Vulnerability type Versions Fix Release date
WSA-2020-3 CVE-2020-9760 7.5
Buffer overflow on new IRC message 005 with nick prefixes. IRC Out-of-bounds write 0.3.4 → 2.7 2.7.1
WSA-2017-2 CVE-2017-14727 7.5
Use of invalid pointer in build of log filename. Logger Access of uninitialized pointer 0.3.2 → 1.9 1.9.1
WSA-2017-1 CVE-2017-8073 7.5
Buffer overflow when receiving a DCC file. IRC Out-of-bounds write 0.3.3 → 1.7 1.7.1
WSA-2013-2 - 5.5
Crash on send of unknown commands to IRC server. IRC Access of uninitialized pointer 0.3.0 → 0.4.0 0.4.1
WSA-2012-2 CVE-2012-5534 10.0
Remote execution of commands via scripts. API Improper input validation 0.3.0 → 0.3.9.1 0.3.9.2
WSA-2011-1 CVE-2011-1428 5.3
Possible man-in-the-middle attack in TLS connection to IRC server. IRC Improper certificate validation 0.1.3 → 0.3.4 0.3.5

WSA-2020-3: [IRC] Buffer overflow on new IRC message 005 with nick prefixes.

Vulnerability
CVE
CVE-2020-9760 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds write (detail)
Scope
IRC
Affected versions
0.3.4 → 2.7
Fixed version
2.7.1 () - ChangeLog
Tracker
Not available
Commits
Description
A buffer overflow happens when a new IRC message 005 is received with longer nick prefixes.
Note: a "normal" IRC server should not send again a message 005 with new nick prefixes, so the problem should be limited to malicious IRC servers.
Mitigation
There is no known mitigation.
The upgrade of WeeChat to the latest stable version is highly recommended.
Credit
The issue was discovered by Stuart Nevans Locke.

WSA-2017-2: [Logger] Use of invalid pointer in build of log filename.

Vulnerability
CVE
CVE-2017-14727 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Access of uninitialized pointer (detail)
Scope
Logger
Affected versions
0.3.2 → 1.9
Fixed version
1.9.1 () - ChangeLog
Tracker
Not available
Commits
Description
Date/time conversion specifiers are expanded after replacing buffer local variables in name of log files. In some cases, this can lead to an error in function strftime and a crash caused by the use of an uninitialized buffer.
Mitigation
You can unload the logger plugin, thus stopping recording of all buffers: /plugin unload logger.
Credit
The issue was discovered by Joseph Bisch.

WSA-2017-1: [IRC] Buffer overflow when receiving a DCC file.

Vulnerability
CVE
CVE-2017-8073 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)
CVSS score
7.5 / 10
Severity
high
Vulnerability type
Out-of-bounds write (detail)
Scope
IRC
Affected versions
0.3.3 → 1.7
Fixed version
1.7.1 () - ChangeLog
Tracker
Not available
Commits
Description
Buffer overflow when removing quotes in DCC filename.
Mitigation
With WeeChat ≥ 1.1, you can create a trigger:

/trigger add irc_dcc_quotes modifier "irc_in_privmsg" "${arguments} =~ ^[^ ]+ :${\x01}DCC SEND ${\x22} " "/.*//"

With any older version, there is no simple mitigation, you must upgrade WeeChat.
Credit
The issue was discovered by Tobias Stoeckmann.

WSA-2013-2: [IRC] Crash on send of unknown commands to IRC server.

Vulnerability
CVE
Not available
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (detail)
CVSS score
5.5 / 10
Severity
medium
Vulnerability type
Access of uninitialized pointer (detail)
Scope
IRC
Affected versions
0.3.0 → 0.4.0
Fixed version
0.4.1 () - ChangeLog
Tracker
Not available
Commits
Description
Strings are built with uncontrolled format when unknown IRC commands are sent to server, if option irc.network.send_unknown_commands is enabled.
Mitigation
There are multiple ways to mitigate this issue:

WSA-2012-2: [API] Remote execution of commands via scripts.

Vulnerability
CVE
CVE-2012-5534 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (detail)
CVSS score
10.0 / 10
Severity
critical
Vulnerability type
Improper input validation (detail)
Scope
API
Affected versions
0.3.0 → 0.3.9.1
Fixed version
0.3.9.2 () - ChangeLog
Tracker
Commits
Description
Untrusted command for function hook_process could lead to execution of commands, because of shell expansions (so the problem is only caused by some scripts, not by WeeChat itself).
Mitigation
Remove/unload all scripts calling the API function hook_process.

WSA-2011-1: [IRC] Possible man-in-the-middle attack in TLS connection to IRC server.

Vulnerability
CVE
CVE-2011-1428 [ MITRE / NVD ]
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (detail)
CVSS score
5.3 / 10
Severity
medium
Vulnerability type
Improper certificate validation (detail)
Scope
IRC
Affected versions
0.1.3 → 0.3.4
Fixed version
0.3.5 () - ChangeLog
Tracker
Commits
Description
Due to insufficient check of TLS certificate in IRC plugin, man-in-the-middle attackers can spoof a server via an arbitrary certificate.
Mitigation
There is no known mitigation.
The upgrade of WeeChat to the latest stable version is highly recommended.