Security
Please report security issues to [email protected]. Thanks!Past issues overview
Links | Exploitable | Versions affected | Fixed | Credit | Description | ||||
---|---|---|---|---|---|---|---|---|---|
IRSSI-SA-2023-03 | 2023-03-31 | ||||||||
local (remote) | 1.3.0 | – | 1.4.3 | 1.4.4 | ednash | Use after free while using a stale special collector reference | |||
IRSSI-SA-2019-08 | 2019-08-29 | ||||||||
server | 1.2.0 | – | 1.2.1 | 1.2.2 | Joseph Bisch | Use after free when receiving duplicate CAP | |||
IRSSI-SA-2019-06 | 2019-06-29 | ||||||||
client | 0.8.18 | – | 1.2.0 | 1.0.8 1.1.3 1.2.1 |
ilbelkyr | Use after free when sending SASL login to the server | |||
IRSSI-SA-2019-01 | 2019-01-09 | ||||||||
client | 1.1.0 | – | 1.1.1 | 1.1.2 | Use after free when hidden lines were expired from the scroll buffer | ||||
IRSSI-SA-2018-02 | 2018-02-17 | ||||||||
remote | 1.0.0 | – | 1.0.6 1.1.0 |
1.0.7 1.1.1 |
Joseph Bisch | Use after free when server is disconnected during netsplits. Incomplete fix of CVE-2017-7191. | |||
server | 0.8.18 | – | 1.0.6 1.1.0 |
1.0.7 1.1.1 |
Joseph Bisch | Use after free when SASL messages are received in unexpected order. | |||
server | * | – | 1.0.6 1.1.0 |
1.0.7 1.1.1 |
Joseph Bisch | Null pointer dereference when an "empty" nick has been observed by Irssi. | |||
client | * | – | 1.0.6 1.1.0 |
1.0.7 1.1.1 |
Joseph Bisch | When the number of windows exceed the available space, Irssi would crash due to Null pointer dereference. | |||
client | 0.8.7 | – | 1.0.6 1.1.0 |
1.0.7 1.1.1 |
Oss-Fuzz | Certain nick names could result in out of bounds access when printing theme strings. | |||
IRSSI-SA-2018-01 | 2018-01-07 | ||||||||
server | * | – | 1.0.5 | 1.0.6 | Joseph Bisch | When the channel topic is set without specifying a sender, Irssi may dereference NULL pointer. | |||
formats | * | – | 1.0.5 | 1.0.6 | Joseph Bisch | When using incomplete escape codes, Irssi may access data beyond the end of the string. | |||
server | * | – | 1.0.5 | 1.0.6 | Joseph Bisch | A calculation error in the completion code could cause a heap buffer overflow when completing certain strings. | |||
formats | * | – | 1.0.5 | 1.0.6 | Joseph Bisch | When using an incomplete variable argument, Irssi may access data beyond the end of the string. | |||
IRSSI-SA-2017-10 | 2017-10-23 | ||||||||
formats | * | – | 1.0.4 | 1.0.5 | Hanno Böck | Unterminated colour formatting sequences may cause data access beyond the end of the buffer | |||
server | * | – | 1.0.4 | 1.0.5 | Joseph Bisch | Failure to remove destroyed channels from the query list while waiting for the channel synchronisation may result in use after free conditions when updating the state later on | |||
server | * | – | 1.0.4 | 1.0.5 | Joseph Bisch | Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference | |||
server | 0.8.17 | – | 1.0.4 | 1.0.5 | Joseph Bisch | Overlong nicks or targets may result in a NULL pointer dereference while splitting the message | |||
server | * | – | 1.0.4 | 1.0.5 | Joseph Bisch | Read beyond end of buffer may occur if a Safe channel ID is not long enough | |||
IRSSI-SA-2017-07 | 2017-07-07 | ||||||||
server | * | – | 1.0.3 | 1.0.4 | Brian 'geeknik' Carpenter of Geeknik Labs | NULL pointer dereference when receiving messages with invalid timestamp | |||
client | * | – | 1.0.3 | 1.0.4 | Brian 'geeknik' Carpenter of Geeknik Labs | Use after free after nicklist structure has been corrupted while updating a nick group | |||
IRSSI-SA-2017-06 | 2017-06-06 | ||||||||
server | * | – | 1.0.2 | 1.0.3 | Joseph Bisch | NULL pointer dereference when receiving a DCC message without source nick/host | |||
client | * | – | 1.0.2 | 1.0.3 | Joseph Bisch | Out of bounds read when parsing incorrectly quoted DCC files | |||
IRSSI-SA-2017-03 | 2017-03-10 | ||||||||
server | 1.0.0 | – | 1.0.6 1.1.0 |
1.0.7 1.1.1 |
APic | Use after free while producing list of netjoins. See CVE-2018-7054. | |||
IRSSI-SA-2017-01 | 2017-01-05 | ||||||||
server | * | – | 0.8.20 | 0.8.21 | Joseph Bisch | NULL pointer dereference in the nickcmp function | |||
server | * | – | 0.8.20 | 0.8.21 | Use after free when receiving invalid nick message | ||||
formats | * | – | 0.8.20 | 0.8.21 | Hanno Böck | Out of bounds read when printing the value %[ | |||
client | 0.8.17 | – | 0.8.20 | 0.8.21 | Joseph Bisch | Out of bounds read in certain incomplete control codes | |||
server | 0.8.18 | – | 0.8.20 | 0.8.21 | Hanno Böck and independently by Joseph Bisch | Out of bounds read in certain incomplete character sequences | |||
IRSSI-SA-2016 | 2016-09-14 | ||||||||
client | 0.8.17 | – | 0.8.19 | 0.8.20 | Gabriel Campana and Adrien Guinet from Quarkslab | Remote crash and heap corruption in format parsing code | |||
(with truecolor) | |||||||||
client | 0.8.17 | – | 0.8.19 | 0.8.20 | Gabriel Campana and Adrien Guinet from Quarkslab | Remote crash and heap corruption in format parsing code | |||
BUF-PL-SA-2016 | buf.pl | 2016-09-09 | |||||||
local | * | – | 2.13 | 2.20 | Juerd Waalboer | Information disclosure vulnerability | |||
0.8.15 issues | 2010-04-03 | ||||||||
* | – | 0.8.14 | 0.8.15 | Irssi does not verify that the server hostname matches a domain name in the SSL certificate. | |||||
client | * | – | 0.8.14 | 0.8.15 | Aurelien Delaitre (SATE 2009) | core/nicklist.c in Irssi allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an attempted fuzzy nick match at the instant that a victim leaves a channel. | |||
0.8.14 issues | 2009-05-28 | ||||||||
client | * | – | 0.8.13 | 0.8.14 | [email protected] | Off-by-one error in the event_wallops function allows remote IRC servers to cause a denial of service (crash) via an empty command, which triggers a one-byte buffer under-read and a one-byte buffer underflow. | |||
0.8.11 issues | 2007-08-12 | ||||||||
local (remote) | * | – | 0.8.10 | 0.8.11 | Wouter Coekaerts | Multiple CRLF injection vulnerabilities in several scripts for Irssi allow user-assisted remote attackers to execute arbitrary IRC commands via CRLF sequences. | |||
0.8.10 issues | 2006-03-01 | ||||||||
client | 0.8.9+ | 0.8.10 | The DCC ACCEPT command handler allows remote attackers to cause a denial of service (application crash) via certain crafted arguments in a DCC command. | ||||||
0.8.9 issues | 2003-12-11 | ||||||||
client | * | – | 0.8.8 | 0.8.9 | Rico Gloeckner | The format_send_to_gui function allows remote IRC users to cause a denial of service (crash). | |||
Historic | |||||||||
client | * | – | 0.8.4 | 0.8.6 | [email protected] | Denial of service (crash) via an IRC channel that has a long topic followed by a certain string, possibly triggering a buffer overflow. | |||
remote | 0.8.4 | The download server was compromised and the download was backdoored, which allows remote attackers to access the system. Always check the GPG signature! | |||||||
downloaded after 2002-03-14 |
Reference
"Exploitable by" column:
-
Server: Triggered by malicious inputs sent by a server with complete control over the connection
Example: malformed raw IRC commands -
Client: Triggered by malicious inputs sent by remote clients with no privileges over the network
Example: malformed color codes inside a message -
Local: Exploitable by unprivileged system users with access to the same filesystem
Example: CVE-2016-7553 (buf.pl information disclosure) -
Formats: Exploitable through internal format codes used in themes and configs. These are not normally processed from the network but may be in combination with buggy scripts.
Example: CVE-2017-5356 (Crash on%[
)