Candidate: CVE-2016-2087
PublicDate: 2017-01-18 17:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2087
 http://packetstormsecurity.com/files/136564/Hexchat-IRC-Client-2.11.0-Directory-Traversal.html
 https://www.exploit-db.com/exploits/39656/
Description:
 Directory traversal vulnerability in the client in HexChat 2.11.0 allows
 remote IRC servers to read or modify arbitrary files via a .. (dot dot) in
 the server name.
Ubuntu-Description:
Notes:
 mdeslaur> patch is reverted in debian's hexchat package because it was
 mdeslaur> causing a regression for some use-cases.
 mdeslaur> logging the server name isn't the default configuration.
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852275
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N [7.4 HIGH]

Patches_hexchat:
 upstream: https://github.com/hexchat/hexchat/commit/15600f405f2d5bda6ccf0dd73957395716e0d4d3
upstream_hexchat: released (2.12.2)
precise_hexchat: DNE
precise/esm_hexchat: DNE
trusty_hexchat: ignored (reached end-of-life)
trusty/esm_hexchat: DNE (trusty was needed)
vivid/stable-phone-overlay_hexchat: DNE
vivid/ubuntu-core_hexchat: DNE
xenial_hexchat: ignored (end of standard support, was needed)
yakkety_hexchat: ignored (reached end-of-life)
zesty_hexchat: ignored (reached end-of-life)
artful_hexchat: not-affected (2.12.4-4)
bionic_hexchat: not-affected (2.12.4-4)
cosmic_hexchat: not-affected (2.12.4-4)
disco_hexchat: not-affected (2.12.4-4)
eoan_hexchat: not-affected (2.12.4-4)
focal_hexchat: not-affected (2.12.4-4)
groovy_hexchat: not-affected (2.12.4-4)
hirsute_hexchat: not-affected (2.12.4-4)
impish_hexchat: not-affected (2.12.4-4)
jammy_hexchat: not-affected (2.12.4-4)
devel_hexchat: not-affected (2.12.4-4)

Patches_xchat:
upstream_xchat: needs-triage
precise_xchat: ignored (reached end-of-life)
precise/esm_xchat: DNE (precise was needs-triage)
trusty_xchat: ignored (reached end-of-life)
trusty/esm_xchat: DNE (trusty was needed)
vivid/stable-phone-overlay_xchat: DNE
vivid/ubuntu-core_xchat: DNE
xenial_xchat: DNE
yakkety_xchat: DNE
zesty_xchat: DNE
artful_xchat: not-affected (2.8.8-10)
bionic_xchat: not-affected (2.8.8-10)
cosmic_xchat: not-affected (2.8.8-10)
disco_xchat: not-affected (2.8.8-10)
eoan_xchat: not-affected (2.8.8-10)
focal_xchat: not-affected (2.8.8-10)
groovy_xchat: DNE
hirsute_xchat: DNE
impish_xchat: DNE
jammy_xchat: DNE
devel_xchat: DNE

Patches_xchat-gnome:
upstream_xchat-gnome: needs-triage
precise_xchat-gnome: ignored (reached end-of-life)
precise/esm_xchat-gnome: DNE (precise was needs-triage)
trusty_xchat-gnome: ignored (reached end-of-life)
trusty/esm_xchat-gnome: DNE (trusty was needs-triage)
vivid/stable-phone-overlay_xchat-gnome: DNE
vivid/ubuntu-core_xchat-gnome: DNE
xenial_xchat-gnome: ignored (end of standard support, was needs-triage)
esm-infra/xenial_xchat-gnome: needs-triage
yakkety_xchat-gnome: DNE
zesty_xchat-gnome: DNE
artful_xchat-gnome: ignored (reached end-of-life)
bionic_xchat-gnome: DNE
cosmic_xchat-gnome: DNE
disco_xchat-gnome: DNE
eoan_xchat-gnome: DNE
focal_xchat-gnome: DNE
groovy_xchat-gnome: DNE
hirsute_xchat-gnome: DNE
impish_xchat-gnome: DNE
jammy_xchat-gnome: DNE
devel_xchat-gnome: DNE