~ubuntu-security/ubuntu-cve-tracker/master

Candidate: CVE-2016-2087
PublicDate: 2017-01-18
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2087
 http://packetstormsecurity.com/files/136564/Hexchat-IRC-Client-2.11.0-Directory-Traversal.html
 https://www.exploit-db.com/exploits/39656/
Description:
 Directory traversal vulnerability in the client in HexChat 2.11.0 allows
 remote IRC servers to read or modify arbitrary files via a .. (dot dot) in
 the server name.
Ubuntu-Description:
Notes:
 mdeslaur> patch is reverted in debian's hexchat package because it was
 mdeslaur> causing a regression for some use-cases.
 mdeslaur> logging the server name isn't the default configuration.
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852275
Priority: low
Discovered-by:
Assigned-to:

Patches_hexchat:
 upstream: https://github.com/hexchat/hexchat/commit/15600f405f2d5bda6ccf0dd73957395716e0d4d3
upstream_hexchat: released (2.12.2)
precise_hexchat: DNE
precise/esm_hexchat: DNE
trusty_hexchat: needs-triage
vivid/stable-phone-overlay_hexchat: DNE
vivid/ubuntu-core_hexchat: DNE
xenial_hexchat: needs-triage
yakkety_hexchat: ignored (reached end-of-life)
zesty_hexchat: needed
devel_hexchat: not-affected (2.12.4-4)

Patches_xchat:
upstream_xchat: needs-triage
precise_xchat: ignored (reached end-of-life)
precise/esm_xchat: DNE (precise was needs-triage)
trusty_xchat: needs-triage
vivid/stable-phone-overlay_xchat: DNE
vivid/ubuntu-core_xchat: DNE
xenial_xchat: DNE
yakkety_xchat: DNE
zesty_xchat: DNE
devel_xchat: not-affected (2.8.8-10)

Patches_xchat-gnome:
upstream_xchat-gnome: needs-triage
precise_xchat-gnome: ignored (reached end-of-life)
precise/esm_xchat-gnome: DNE (precise was needs-triage)
trusty_xchat-gnome: needs-triage
vivid/stable-phone-overlay_xchat-gnome: DNE
vivid/ubuntu-core_xchat-gnome: DNE
xenial_xchat-gnome: needs-triage
yakkety_xchat-gnome: DNE
zesty_xchat-gnome: DNE
devel_xchat-gnome: DNE