Debian Security Advisory

DSA-1744-1 weechat -- missing input sanitization

Date Reported:
18 Mar 2009
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 519940.
In the Bugtraq database (at SecurityFocus): BugTraq ID 34148.
In Mitre's CVE dictionary: CVE-2009-0661.
More information:

Sebastien Helleu discovered that an error in the handling of color codes in the weechat IRC client could cause an out-of-bounds read of an internal color array. This can be used by an attacker to crash user clients via a crafted PRIVMSG command.
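The class of bug described above, shown from the defensive side as an added illustration (this is not weechat's code, and it is not the patch shipped in 0.2.6-1+lenny1): an IRC color code is the byte 0x03 followed by up to two decimal digits, so a remote sender can supply any value from 0 to 99, while a client's color table is much smaller. The 16-entry table, its color names, and all function names below are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define NUM_COLORS 16              /* assumed table size (colors 0-15) */
#define DEFAULT_COLOR "default"

/* Hypothetical table with constructed names; stands in for the internal array. */
static const char *const color_table[NUM_COLORS] = {
    "white", "black", "blue", "green", "lightred", "red", "magenta",
    "brown", "yellow", "lightgreen", "cyan", "lightcyan", "lightblue",
    "lightmagenta", "gray", "lightgray"
};

/* Read up to two decimal digits at *p and advance *p; return -1 if none. */
static int read_color_number(const char **p)
{
    int n = -1;
    for (int i = 0; i < 2 && isdigit((unsigned char)**p); i++, (*p)++)
        n = (n < 0 ? 0 : n * 10) + (**p - '0');
    return n;
}

/* Bounds-checked lookup: the parsed value is remote input, not a trusted index. */
static const char *color_name(int n)
{
    if (n < 0 || n >= NUM_COLORS)
        return DEFAULT_COLOR;      /* out of range: fall back, never index */
    return color_table[n];
}

/* Decode the first 0x03 color code in msg into foreground/background names.
 * Returns 1 if a color code was present, 0 otherwise. */
int decode_first_color(const char *msg, const char **fg, const char **bg)
{
    const char *p = strchr(msg, '\x03');
    *fg = *bg = DEFAULT_COLOR;
    if (p == NULL)
        return 0;
    p++;                           /* skip the 0x03 marker */
    *fg = color_name(read_color_number(&p));
    if (*p == ',') {               /* optional ",<background>" part */
        p++;
        *bg = color_name(read_color_number(&p));
    }
    return 1;
}
```

Without the range check in `color_name`, a two-digit value above 15 would read past the end of the 16-entry table, which is the out-of-bounds read the advisory describes.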

The weechat version in the oldstable distribution (etch) is not affected by this problem.

For the stable distribution (lenny), this problem has been fixed in version 0.2.6-1+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version

We recommend that you upgrade your weechat packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Architecture-independent component:
HP Precision:
Intel IA-32:
Intel IA-64:
Big-endian MIPS:
Little-endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.