News

🎆 Irssi 1.1.1 and 1.0.7 Released 🎆

Posted on February 15th 2018

Happy Lunar New Year from the Irssi Team!

Irssi 1.1.1 and 1.0.7 have been released! They contain some critical updates which we hope you’ll enjoy. There are no new features. All Irssi users should upgrade to this version. See the NEWS for details.

For more information refer to the security advisory.

One of the bigger issues that was invisible to us was a bug in OpenSSL that was fixed six years ago. It causes Irssi to crash. None of the developers were using such old software. Unfortunately, Debian jessie and Ubuntu 14.04 still use OpenSSL from before that.

The other important bug was that netsplits would crash Irssi when getting disconnected. Sorry for this bug. It shows that the netsplit code is badly tested since it doesn’t occur so frequently. We could really benefit from some unit tests here…

An odd issue was found in the configure script. Our development box has a version of autotools that was patched by the distribution to fix a minor syntax issue. Unfortunately, that patch broke the POSIX sh compatibility of the generated files! (The bug is only present in the 1.1.0 release tarballs.)

Another invisible issue was that the test suite would mysteriously fail on sufficiently old systems. Turns out the required TAP output is only present in GLib 2.40 and later (and of course not documented). Again, no-one on the team was using anything older…

A surprising issue was uncovered when using negative numbers to manipulate window sizes. Let’s just say Irssi totally didn’t expect you to do this. (It will crash your Irssi and possibly show odd display glitches.)

Irssi 1.0.7 also includes a patch for some /server add/modify commands that could crash Irssi. This was originally scheduled for 1.0.6 but forgotten! Oops.

This release can be downloaded from our releases page. Binary test packages for various Linux distributions are automatically generated by the openSUSE Build Service and are available for download in the irssi-test and irssi-oldtest repositories.

Please check with your distro whether they provide officially updated packages.

We currently do not have any alternate advice.

In the meantime, the following interesting changes happened in the development version:

  • Sideways split support was added into Irssi (#697)
  • Ben Paxton backported code to colourise the input prompt, originally by Jonas Hurrelmann. This can be used for spell checking or nick colouring. (#764)
  • Manish Goregaokar contributed code that will add a colon behind all the tab-completed nicks (#822)
  • another take at the netsplit printing optimisations was merged (now with less crashes??) (#832)
  • the theme engine was added to Google’s OSS-Fuzz and already uncovered several deficiencies
  • Niklas Luokkala added the binding that selects the previous completion during tab completion to Shift+Tab by default (#830)
  • Martin Staron contributed code that might fix storing of DCC GETs on Android phones or FAT partitions (#844)
  • CAP 3.2 capability negotiation is now supported (#775)

Feel welcome to join our IRC channel, or discuss this news on reddit or Twitter.

The Irssi Team.

PyIRCFuzz

Posted by Joseph Bisch on January 24th 2018

This blog post is a follow-up to my first post on this blog about fuzzing Irssi. This time we will look at using pyircfuzz instead of afl-fuzz.

First we are going to get pyircfuzz itself and run it. Pyircfuzz acts as an IRC server, but it sends a variety of messages (not always well formed) to the IRC client(s) that are connected in an attempt to crash the client(s).

git clone https://github.com/josephbisch/pyircfuzz
cd pyircfuzz
python3 ircfuzz.py

Next we need to get Irssi and check out 1.0.2, because we know it actually has bugs for us to find. Then, after we have built Irssi, we are going to run it and connect to the pyircfuzz instance on localhost and log the error output to a file.

git clone https://github.com/irssi/irssi
cd irssi
git checkout 1.0.2
ASAN_OPTIONS=detect_leaks=0 ./autogen.sh CC=clang CFLAGS="-g -Og -fsanitize=address"
make
./src/fe-text/irssi -c localhost 2> asan.log

Here is a picture of what Irssi looks like at this point. It crashed so quickly (remember we are using an outdated version of Irssi) that I didn’t have time to get a screenshot of the fuzzing in action.

Here is the AddressSanitizer output (from asan.log):

The Irssi Team.
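
An added example, not part of Joseph Bisch's post or of pyircfuzz: once several fuzzing runs have each left an AddressSanitizer report and the logs are concatenated, grouping the reports by bug type and top stack frames shows how many distinct crashes there really are. The sample log is constructed; its function names, paths and addresses are placeholders, not real Irssi frames.

```python
import re
from collections import Counter
from os.path import basename
# Constructed sample, NOT real Irssi output: names, paths, addresses are placeholders.
SAMPLE_LOG = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000eff0 at pc 0x0000004f1a2b bp 0x7ffc00000010 sp 0x7ffc00000008
READ of size 8 at 0x60300000eff0 thread T0
    #0 0x4f1a2a in example_handler /build/irssi/src/example/handler.c:120:9
    #1 0x4f0b11 in example_dispatch /build/irssi/src/example/dispatch.c:88:3

freed by thread T0 here:
    #0 0x4a0001 in free (/build/irssi/src/fe-text/irssi+0x4a0001)
    #1 0x4f1900 in example_cleanup /build/irssi/src/example/handler.c:97:5

==4243==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e2000 bp 0x7ffc00000020 sp 0x7ffc00000018 T0)
    #0 0x4e2000 in example_parse /build/irssi/src/example/parse.c:45:12
    #1 0x4f0b11 in example_dispatch /build/irssi/src/example/dispatch.c:88:3

==4244==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000abc0 at pc 0x0000004f1a2b bp 0x7ffc00000030 sp 0x7ffc00000028
READ of size 8 at 0x60300000abc0 thread T0
    #0 0x4f1a2a in example_handler /build/irssi/src/example/handler.c:120:9
    #1 0x4f0b11 in example_dispatch /build/irssi/src/example/dispatch.c:88:3
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def crash_signatures(text, depth=2):
    """Return one (bug type, top frames of the faulting stack) tuple per report."""
    reports = []
    for line in text.splitlines():
        err, frame = ERROR_RE.match(line), FRAME_RE.match(line)
        if err:
            reports.append({"type": err.group(1), "frames": [], "done": False})
        elif reports and not reports[-1]["done"]:
            cur = reports[-1]
            if frame:
                func, loc = frame.groups()
                # Drop the build directory and column so rebuilds compare equal.
                cur["frames"].append(f"{func}@{basename(loc.rsplit(':', 1)[0])}")
            elif cur["frames"]:
                # Faulting stack ended; later stacks (free/alloc sites) are context.
                cur["done"] = True
    return [(r["type"], tuple(r["frames"][:depth])) for r in reports]

def triage(text):
    """Count reports per signature, most frequent first."""
    return Counter(crash_signatures(text)).most_common()
```

Run `triage(open("asan.log").read())` on a real log; the top two frames are usually enough to tell a duplicate from a new bug, and `depth` can be raised when a shared helper appears at the top of unrelated crashes.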

Irssi 1.1.0 Released

Posted on January 15th 2018

Happy new year again from the Irssi Team!

Irssi 1.1.0 has been released. This release is the result of all the contributions Irssi received in the past year. Of course, it includes all the security fixes from Irssi 1.0.6.

Will Storey, Joseph Bisch, Edward Tomasz Napierala and Jari Matitainen contributed to this release and accepted our invitation to join the project. The release also includes external contributions from Robert Bisewski, Paul Townsend, Oscar Linderholm, Rodrigo Rebello, Stephen Oberholtzer, Paolo Martini, Martijn Dekker, Tim Konick, Hanno Böck, Tristan Pepin, Michael Hansen, and Lasse Toimela. In total, 151 files changed, with 6214 line insertions and 1062 line deletions. Thanks everyone!

We rushed some last-minute fixes into 1.1.0 so that they wouldn’t have to sit in the queue until next year. We hope it doesn’t affect the stability of the release too much. Thanks to those helping us test by running the Git version!

Some notable changes:

  • /server does not connect to servers anymore, we recommend using /connect! You can also change servers using /server connect
  • /foreach now emits commands instead of sending text to the targets

Some interesting new features:

  • If you use the per window command history, global history can now be accessed with Ctrl+Arrows
  • History entries can now be deleted (e.g. to remove some secrets)
  • East Asian users will enjoy /set break_wide to make words wrap more naturally
  • On FreeBSD, Irssi now supports the Capsicum sandbox (experimental)
  • Lines with certain levels can be hidden from screen (not ignored), using /window hidelevel

Some new developments:

  • Fuzzing code has been added to the repository, which may help find certain kinds of bugs (and already has!)
  • Module authors can now use net_start_ssl for StartTLS (used e.g. by Quassel)
  • Irssi now has a folder for unit tests!

See the NEWS for details.

After installing the new release, you can use /upgrade to re-launch your Irssi binary, but don’t forget to /save first. TLS connections will break and require manual /reconnect 1 and so on. To save and restore the window content, load the buf.pl script and make sure it is in autorun. Starting with Irssi 1.1.0, you can also save and restore your command history – check this comment until someone comes up with a proper script.

We are committed to putting security, stability and regression fixes into subsequent 1.1.x releases, as we have done for 1.0.

As usual, there remains a lot to be done. We are always looking for help, so you can check the bugs and see if you can fix some, or implement some of the enhancement requests. The initial version of horizontal splits has already landed in Git and thus should be included in Irssi 1.2.0.

This release can be downloaded from our releases page. Binary test packages for various Linux distributions are automatically generated by the openSUSE Build Service and are available for download in the irssi-test repository.

By the way, test packages for the Git version are also available for download in the irssi-git repository, and an archive of the old stable version is available in irssi-oldtest.

We are also looking for packagers who want to take the challenge of adding compatible builds of irssi-{python,otr,xmpp,icb,quassel,fish,theme-indent,…} to either distributions or the openSUSE Build Service (has to support all our current targets there.)

Feel welcome to join our IRC channel, or discuss this news on reddit.

The Irssi Team.

Irssi 1.0.6 Released

Posted on January 7th 2018

Happy new year from the Irssi Team!

Irssi 1.0.6 has been released. This release fixes a few security issues in Irssi as well as a few bugs. There are no new features. All Irssi users should upgrade to this version. See the NEWS for details.

Most issues have been identified using fuzzing, thanks to Joseph Bisch.

For more information refer to the security advisory.

This release can be downloaded from our releases page. Binary test packages for various Linux distributions are automatically generated by the openSUSE Build Service and are available for download in the irssi-test repository.

Please check with your distro whether they provide officially updated packages.

We currently do not have any alternate advice.

The Irssi Team.

Irssi 1.0.5 Released

Posted on October 22nd 2017

Irssi 1.0.5 has been released. This release fixes a few security issues in Irssi as well as a few bugs. There are no new features. All Irssi users should upgrade to this version. See the NEWS for details.

Most issues have been identified using fuzzing, thanks to Hanno Böck and Joseph Bisch. We expect Joseph will be able to tell you more about his newest fuzzer at freenode.live on the weekend!

For more information refer to the security advisory.

This release can be downloaded from our releases page. Binary test packages for various Linux distributions are automatically generated by the openSUSE Build Service and are available for download in the irssi-test repository.

Please check with your distro whether they provide officially updated packages.

We currently do not have any alternate advice.

The Irssi Team.

Irssi 1.0.4 Released

Posted on July 7th 2017

Irssi 1.0.4 has been released. This release fixes two remote crash issues in Irssi as well as a few bugs, correcting a mistake that was introduced in 1.0.3 while parsing some time-related settings. There are no new features. All Irssi users should upgrade to this version. See the NEWS for details.

Our bug reporter Brian ‘geeknik’ Carpenter writes:

34 days after reading Fuzzing Irssi, my AFL instance was finally able to trigger a null pointer dereference in irssi 1.0.2. […] Hopefully this one isn’t fixed yet.

35 days after reading Fuzzing Irssi, my AFL instance triggered a heap-use-after-free in irssi 1.0.2. Compiled on Debian 8 x64 following the instructions and patches of the referenced article. (;

For more information refer to the security advisory.

Thanks, Brian!

This release can be downloaded from our releases page. Binary test packages for various Linux distributions are automatically generated by the openSUSE Build Service and are available for download in the irssi-test repository.

Please check with your distro whether they provide officially updated packages.

We currently do not have any alternate advice.

The Irssi Team.

Irssi 1.0.3 Released

Posted on June 6th 2017

Irssi 1.0.3 has been released. This release fixes two remote crash issues in Irssi as well as a few bugs, the most notable being that TLS can now be disabled from within the text UI. There are no new features. All Irssi users should upgrade to this version. See the NEWS for details.

Read the security advisory.

The Irssi Team.

Fuzzing Irssi

Posted by Joseph Bisch on May 12th 2017

Hello fellow Irssi users and people interested in learning about fuzzing,

There have been recent efforts within the Irssi and open source security communities to make Irssi more secure through the use of fuzzing. For example, the security bugs revealed in the first Irssi security advisory of 2017 were found by fuzzing. In this blog post, we will cover an introduction to fuzzing, how to fuzz Irssi, and a look at a couple of actual bugs found in past versions of Irssi.

The Irssi Team.