On Mon, Jan 23, 2017 at 06:31:18AM +0100, Salvatore Bonaccorso wrote:
> Source: hexchat
> Version: 2.10.1-1
> Severity: important
> Tags: security
>
> Hi,
>
> the following vulnerability was published for hexchat. Opening a bug
> to have a BTS reference.
>
> CVE-2016-2087[0]:
> | Directory traversal vulnerability in the client in HexChat 2.11.0
> | allows remote IRC servers to read or modify arbitrary files via a ..
> | (dot dot) in the server name.
>
> As noted by Mattia Rizzolo already, the fixing commit is reverted in
> the Debian packaging due to regression for some use cases, and waiting
> for a better fix.
What's the status? Is there now a proper fix?

Cheers,
Moritz