CVE-2016-2087

NameCVE-2016-2087
DescriptionDirectory traversal vulnerability in the client in HexChat 2.11.0 allows remote IRC servers to read or modify arbitrary files via a .. (dot dot) in the server name.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1050-1
NVD severitymedium (attack range: remote)
Debian Bugs852275

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
hexchat (PTS)jessie2.10.1-1+deb8u2vulnerable
stretch2.12.4-3vulnerable
buster2.14.2-2fixed
sid2.14.2-3fixed
xchat (PTS)jessie2.8.8-7.3vulnerable
buster2.8.8-15fixed
sid2.8.8-16fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
hexchatsource(unstable)2.12.4-4medium852275
xchatsource(unstable)2.8.8-10medium
xchatsourcewheezy2.8.8-7.1+deb7u1mediumDLA-1050-1

Notes

[jessie] - xchat <no-dsa> (Minor issue)
[stretch] - hexchat <no-dsa> (Minor issue)
[jessie] - hexchat <no-dsa> (Minor issue)
https://www.exploit-db.com/exploits/39656/
https://github.com/hexchat/hexchat/issues/1933
https://github.com/hexchat/hexchat/commit/15600f405f2d5bda6ccf0dd73957395716e0d4d3
Would be included in upstream source since the upload 2.12.3-0.1 to unstable but the
Debian packaging reverts the 15600f405f2d5bda6ccf0dd73957395716e0d4d3 commit
The Debian packagging drops the revert in 2.12.4-4 to not diverge from upstream.

Search for package or bug name: Reporting problems