Security advisory: Crash in parsing IRC color formatting codes
November 11, 2017
Recently, we have been alerted* to a Konversation bug that will result in a crash when parsing certain IRC color formatting codes. Konversation v1.7.3 has been released today (see release post below) and contains a fix for this bug. Additionally, we have updated the 1.5 and 1.6 branches with the fix as well, and encourage distributions still shipping a 1.5.x or 1.6.x version to apply the relevant patch. If you are using v1.4.x, please upgrade, as it is affected as well.
If you are unable to upgrade to a fixed version right now, there’s also a configuration workaround available: You can head to Interface → Colors in the Configure Konversation dialog and uncheck Allow Colored Text in IRC Messages (near the bottom) until you upgrade to v1.7.3 or a patched version of Konversation.
Update: The vulnerability has been assigned CVE-2017-15923.
| Affected version | Action to take now |
|---|---|
| v1.4.x | Apply config workaround (above) or upgrade to fixed/patched version (below) |
| v1.5.x—v1.6.x | Apply patch or config workaround (above) |
| v1.7.0—v1.7.2 | Upgrade to v1.7.3 (out now) or apply patch or config workaround (above) |
* Thanks to Joseph Bisch!