Security advisory; Crash in parsing IRC color formatting codes
November 11, 2017
Recently, we have been alerted* to a Konversation bug that will result in a crash when parsing certain IRC color formatting codes. Konversation v1.7.3 has been released today (see release post below) and contains a fix for this bug. Additionally, we have updated the 1.5 and 1.6 branches with the fix as well, and encourage distributions still shipping a 1.5.x or 1.6.x version to apply the relevant patch. If you are using v1.4.x, please upgrade, as it is affected as well.
If you are unable to upgrade to a fixed version right now, there’s also a configuration workaround available: You can head to Interface → Colors in the Configure Konversation dialog and uncheck Allow Colored Text in IRC Messages (near the bottom) until you upgrade to v1.7.3 or a patched version of Konversation.
Update: The vulnerability has been assigned CVE-2017-15923.
In summary:
| Affected version | Action to take now |
|---|---|
| v1.4.x | Apply config workround (above) or upgrade to fixed/patched version (below) |
| v1.5.x—v1.6.x | Apply patch or config workaround (above) |
| v1.7.0—v1.7.2 | Upgrade to v1.7.3 (out now) or apply patch or config workaround (above) |
** Thanks to Joseph Bisch!*