CVE-2016-2087

Name: CVE-2016-2087
Description: Directory traversal vulnerability in the client in HexChat 2.11.0 allows remote IRC servers to read or modify arbitrary files via a .. (dot dot) in the server name.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1050-1
Debian Bugs: 852275

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release        Version              Status
hexchat (PTS)     jessie         2.10.1-1+deb8u2      vulnerable
                  stretch        2.12.4-3             vulnerable
                  buster         2.14.2-4             fixed
                  bullseye       2.14.3-6+deb11u1     fixed
                  bookworm       2.16.1-1             fixed
                  sid, trixie    2.16.2-1             fixed
xchat (PTS)       jessie         2.8.8-7.3            vulnerable
                  buster         2.8.8-17             fixed

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version        Urgency    Origin       Debian Bugs
hexchat    source   (unstable)   2.12.4-4             -          -            852275
xchat      source   wheezy       2.8.8-7.1+deb7u1     -          DLA-1050-1   -
xchat      source   (unstable)   2.8.8-10             -          -            -

Notes

[jessie] - xchat <no-dsa> (Minor issue)
[stretch] - hexchat <no-dsa> (Minor issue)
[jessie] - hexchat <no-dsa> (Minor issue)
https://www.exploit-db.com/exploits/39656/
https://github.com/hexchat/hexchat/issues/1933
https://github.com/hexchat/hexchat/commit/15600f405f2d5bda6ccf0dd73957395716e0d4d3
The fix would have been included in the upstream source since the upload of 2.12.3-0.1 to unstable, but the Debian packaging reverted commit 15600f405f2d5bda6ccf0dd73957395716e0d4d3.
The Debian packaging drops that revert in 2.12.4-4 so as not to diverge from upstream.
