Security advisory; Crash in parsing IRC color formatting codes

November 11, 2017

Recently, we have been alerted* to a Konversation bug that will result in a crash when parsing certain IRC color formatting codes. Konversation v1.7.3 has been released today (see release post below) and contains a fix for this bug. Additionally, we have updated the 1.5 and 1.6 branches with the fix as well, and encourage distributions still shipping a 1.5.x or 1.6.x version to apply the relevant patch. If you are using v1.4.x, please upgrade, as it is affected as well.

If you are unable to upgrade to a fixed version right now, there’s also a configuration workaround available: You can head to Interface → Colors in the Configure Konversation dialog and uncheck Allow Colored Text in IRC Messages (near the bottom) until you upgrade to v1.7.3 or a patched version of Konversation.

We will update this post with the relevant CVE number once available.

Update: The vulnerability has been assigned CVE-2017-15923.

In summary:

Affected version Action to take now
v1.4.x Apply config workround (above) or upgrade to fixed/patched version (below)
v1.5.x—v1.6.x Apply patch or config workaround (above)
v1.7.0—v1.7.2 Upgrade to v1.7.3 (out now) or apply patch or config workaround (above)

** Thanks to Joseph Bisch!*