WeeChat :: documentation

WSA	CVE	Score	Severity	Issue	Vulnerability type	Scope	Versions	Fix	Release date
WSA-2020-2	CVE-2020-9759	7.5		Crash on malformed IRC message 352 (WHO).	Out-of-bounds read	IRC	0.4.0 → 2.7	2.7.1	Feb 20, 2020

CVE

CVE-2020-9759 [ MITRE / NVD ]

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (detail)

CVSS score

7.5 / 10

Severity

high

Vulnerability type

Out-of-bounds read (detail)

Scope

IRC

Affected versions

0.4.0 → 2.7

Fixed version

2.7.1 (Feb 20, 2020) - ChangeLog

Tracker

Not available

Commits

Crash when receiving a malformed IRC message 352 (WHO).

With WeeChat ≥ 1.1, you can create a trigger:

/trigger add fix_irc_352 modifier "irc_in_352" "${arguments} =~ .* \*$" "/.*//"

With any older version, there is no simple mitigation, you must upgrade WeeChat.

The issue was discovered by Stuart Nevans Locke.