CVE-2016-2087 in Ubuntu

CVE-2016-2087

Priority

Description

Directory traversal vulnerability in the client in HexChat 2.11.0 allows
remote IRC servers to read or modify arbitrary files via a .. (dot dot) in
the server name.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2087
http://packetstormsecurity.com/files/136564/Hexchat-IRC-Client-2.11.0-Directory-Traversal.html
https://www.exploit-db.com/exploits/39656/

Bugs

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852275

Notes

mdeslaur

patch is reverted in debian's hexchat package because it was
causing a regression for some use-cases.
logging the server name isn't the default configuration.

Package

Source: hexchat (LP Ubuntu Debian)

Upstream:	released (2.12.2)
Ubuntu 18.04 LTS:	not-affected (2.12.4-4)
Ubuntu 20.04 LTS:	not-affected (2.12.4-4)
Ubuntu 21.10:	not-affected (2.12.4-4)
Ubuntu 22.04 LTS:	not-affected (2.12.4-4)
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Upstream:

https://github.com/hexchat/hexchat/commit/15600f405f2d5bda6ccf0dd73957395716e0d4d3

Package

Source: xchat (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	not-affected (2.8.8-10)
Ubuntu 20.04 LTS:	not-affected (2.8.8-10)
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was needed)

Patches:

Package

Source: xchat-gnome (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 16.04 ESM:	needs-triage
Ubuntu 22.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was needs-triage)

Patches:

More Information

Updated: 2022-04-25 00:16:59 UTC (commit ecc1009cb19540b950de59270950018900f37f15)