Security

Please report security issues to staff@irssi.org. Thanks!

Past issues overview

Links		Exploitable	Versions affected			Fixed	Credit	Description
IRSSI-SA-2023-03						2023-03-31
	CVE-2023-29132	local (remote)	1.3.0	–	1.4.3	1.4.4	ednash	Use after free while using a stale special collector reference
	CVE-2023-29132	local (remote)	1.3.0	–	1.4.3	1.4.4	ednash
IRSSI-SA-2019-08						2019-08-29
	CVE-2019-15717	server	1.2.0	–	1.2.1	1.2.2	Joseph Bisch	Use after free when receiving duplicate CAP
	CVE-2019-15717	server	1.2.0	–	1.2.1	1.2.2	Joseph Bisch	Use after free when receiving duplicate CAP
IRSSI-SA-2019-06						2019-06-29
	CVE-2019-13045	client	0.8.18	–	1.2.0	1.0.8 1.1.3 1.2.1	ilbelkyr	Use after free when sending SASL login to the server
	CVE-2019-13045	client	0.8.18	–	1.2.0	1.0.8 1.1.3 1.2.1	ilbelkyr	Use after free when sending SASL login to the server
IRSSI-SA-2019-01						2019-01-09
	CVE-2019-5882	client	1.1.0	–	1.1.1	1.1.2		Use after free when hidden lines were expired from the scroll buffer
	CVE-2019-5882	client	1.1.0	–	1.1.1	1.1.2
IRSSI-SA-2018-02						2018-02-17
	CVE-2018-7054	remote	1.0.0	–	1.0.6 1.1.0	1.0.7 1.1.1	Joseph Bisch	Use after free when server is disconnected during netsplits. Incomplete fix of CVE-2017-7191.
	CVE-2018-7054	remote	1.0.0	–	1.0.6 1.1.0	1.0.7 1.1.1	Joseph Bisch
	CVE-2018-7053	server	0.8.18	–	1.0.6 1.1.0	1.0.7 1.1.1	Joseph Bisch	Use after free when SASL messages are received in unexpected order.
	CVE-2018-7053	server	0.8.18	–	1.0.6 1.1.0	1.0.7 1.1.1	Joseph Bisch
	CVE-2018-7050	server	*	–	1.0.6 1.1.0	1.0.7 1.1.1	Joseph Bisch	Null pointer dereference when an "empty" nick has been observed by Irssi.
	CVE-2018-7050	server	*	–	1.0.6 1.1.0	1.0.7 1.1.1	Joseph Bisch
	CVE-2018-7052	client	*	–	1.0.6 1.1.0	1.0.7 1.1.1	Joseph Bisch	When the number of windows exceed the available space, Irssi would crash due to Null pointer dereference.
	CVE-2018-7052	client	*	–	1.0.6 1.1.0	1.0.7 1.1.1	Joseph Bisch
	CVE-2018-7051	client	0.8.7	–	1.0.6 1.1.0	1.0.7 1.1.1	Oss-Fuzz	Certain nick names could result in out of bounds access when printing theme strings.
	CVE-2018-7051	client	0.8.7	–	1.0.6 1.1.0	1.0.7 1.1.1	Oss-Fuzz
IRSSI-SA-2018-01						2018-01-07
	CVE-2018-5206	server	*	–	1.0.5	1.0.6	Joseph Bisch	When the channel topic is set without specifying a sender, Irssi may dereference NULL pointer.
	CVE-2018-5206	server	*	–	1.0.5	1.0.6	Joseph Bisch
	CVE-2018-5205	formats	*	–	1.0.5	1.0.6	Joseph Bisch	When using incomplete escape codes, Irssi may access data beyond the end of the string.
	CVE-2018-5205	formats	*	–	1.0.5	1.0.6	Joseph Bisch
	CVE-2018-5208	server	*	–	1.0.5	1.0.6	Joseph Bisch	A calculation error in the completion code could cause a heap buffer overflow when completing certain strings.
	CVE-2018-5208	server	*	–	1.0.5	1.0.6	Joseph Bisch
	CVE-2018-5207	formats	*	–	1.0.5	1.0.6	Joseph Bisch	When using an incomplete variable argument, Irssi may access data beyond the end of the string.
	CVE-2018-5207	formats	*	–	1.0.5	1.0.6	Joseph Bisch
IRSSI-SA-2017-10						2017-10-23
	CVE-2017-15228	formats	*	–	1.0.4	1.0.5	Hanno Böck	Unterminated colour formatting sequences may cause data access beyond the end of the buffer
	CVE-2017-15228	formats	*	–	1.0.4	1.0.5	Hanno Böck
	CVE-2017-15227	server	*	–	1.0.4	1.0.5	Joseph Bisch	Failure to remove destroyed channels from the query list while waiting for the channel synchronisation may result in use after free conditions when updating the state later on
	CVE-2017-15227	server	*	–	1.0.4	1.0.5	Joseph Bisch
	CVE-2017-15721	server	*	–	1.0.4	1.0.5	Joseph Bisch	Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference
	CVE-2017-15721	server	*	–	1.0.4	1.0.5	Joseph Bisch
	CVE-2017-15723	server	0.8.17	–	1.0.4	1.0.5	Joseph Bisch	Overlong nicks or targets may result in a NULL pointer dereference while splitting the message
	CVE-2017-15723	server	0.8.17	–	1.0.4	1.0.5	Joseph Bisch
	CVE-2017-15722	server	*	–	1.0.4	1.0.5	Joseph Bisch	Read beyond end of buffer may occur if a Safe channel ID is not long enough
	CVE-2017-15722	server	*	–	1.0.4	1.0.5	Joseph Bisch
IRSSI-SA-2017-07						2017-07-07
	CVE-2017-10965	server	*	–	1.0.3	1.0.4	Brian 'geeknik' Carpenter of Geeknik Labs	NULL pointer dereference when receiving messages with invalid timestamp
	CVE-2017-10965	server	*	–	1.0.3	1.0.4	Brian 'geeknik' Carpenter of Geeknik Labs
	CVE-2017-10966	client	*	–	1.0.3	1.0.4	Brian 'geeknik' Carpenter of Geeknik Labs	Use after free after nicklist structure has been corrupted while updating a nick group
	CVE-2017-10966	client	*	–	1.0.3	1.0.4	Brian 'geeknik' Carpenter of Geeknik Labs
IRSSI-SA-2017-06						2017-06-06
	CVE-2017-9468	server	*	–	1.0.2	1.0.3	Joseph Bisch	NULL pointer dereference when receiving a DCC message without source nick/host
	CVE-2017-9468	server	*	–	1.0.2	1.0.3	Joseph Bisch
	CVE-2017-9469	client	*	–	1.0.2	1.0.3	Joseph Bisch	Out of bounds read when parsing incorrectly quoted DCC files
	CVE-2017-9469	client	*	–	1.0.2	1.0.3	Joseph Bisch
IRSSI-SA-2017-03						2017-03-10
	CVE-2017-7191	server	1.0.0	–	1.0.6 1.1.0	1.0.7 1.1.1	APic	Use after free while producing list of netjoins. See CVE-2018-7054.
	CVE-2017-7191	server	1.0.0	–	1.0.6 1.1.0	1.0.7 1.1.1	APic
IRSSI-SA-2017-01						2017-01-05
	CVE-2017-5193	server	*	–	0.8.20	0.8.21	Joseph Bisch	NULL pointer dereference in the nickcmp function
	CVE-2017-5193	server	*	–	0.8.20	0.8.21	Joseph Bisch	NULL pointer dereference in the nickcmp function
	CVE-2017-5194	server	*	–	0.8.20	0.8.21		Use after free when receiving invalid nick message
	CVE-2017-5194	server	*	–	0.8.20	0.8.21		Use after free when receiving invalid nick message
	CVE-2017-5356	formats	*	–	0.8.20	0.8.21	Hanno Böck	Out of bounds read when printing the value %[
	CVE-2017-5356	formats	*	–	0.8.20	0.8.21	Hanno Böck	Out of bounds read when printing the value %[
	CVE-2017-5195	client	0.8.17	–	0.8.20	0.8.21	Joseph Bisch	Out of bounds read in certain incomplete control codes
	CVE-2017-5195	client	0.8.17	–	0.8.20	0.8.21	Joseph Bisch	Out of bounds read in certain incomplete control codes
	CVE-2017-5196	server	0.8.18	–	0.8.20	0.8.21	Hanno Böck and independently by Joseph Bisch	Out of bounds read in certain incomplete character sequences
	CVE-2017-5196	server	0.8.18	–	0.8.20	0.8.21	Hanno Böck and independently by Joseph Bisch
IRSSI-SA-2016						2016-09-14
	CVE-2016-7044	client	0.8.17	–	0.8.19	0.8.20	Gabriel Campana and Adrien Guinet from Quarkslab	Remote crash and heap corruption in format parsing code
	CVE-2016-7044	client	(with truecolor)				Gabriel Campana and Adrien Guinet from Quarkslab	Remote crash and heap corruption in format parsing code
	CVE-2016-7045	client	0.8.17	–	0.8.19	0.8.20	Gabriel Campana and Adrien Guinet from Quarkslab	Remote crash and heap corruption in format parsing code
	CVE-2016-7045	client	0.8.17	–	0.8.19	0.8.20	Gabriel Campana and Adrien Guinet from Quarkslab	Remote crash and heap corruption in format parsing code
BUF-PL-SA-2016			buf.pl			2016-09-09
	CVE-2016-7553	local	*	–	2.13	2.20	Juerd Waalboer	Information disclosure vulnerability
	CVE-2016-7553	local	*	–	2.13	2.20	Juerd Waalboer	Information disclosure vulnerability
0.8.15 issues						2010-04-03
	CVE-2010-1155		*	–	0.8.14	0.8.15		Irssi does not verify that the server hostname matches a domain name in the SSL certificate.
	CVE-2010-1155		*	–	0.8.14	0.8.15
	CVE-2010-1156	client	*	–	0.8.14	0.8.15	Aurelien Delaitre (SATE 2009)	core/nicklist.c in Irssi allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an attempted fuzzy nick match at the instant that a victim leaves a channel.
	CVE-2010-1156	client	*	–	0.8.14	0.8.15	Aurelien Delaitre (SATE 2009)
0.8.14 issues						2009-05-28
	CVE-2009-1959	client	*	–	0.8.13	0.8.14	nemo@felinemenace.org	Off-by-one error in the event_wallops function allows remote IRC servers to cause a denial of service (crash) via an empty command, which triggers a one-byte buffer under-read and a one-byte buffer underflow.
	CVE-2009-1959	client	*	–	0.8.13	0.8.14	nemo@felinemenace.org
0.8.11 issues						2007-08-12
	CVE-2007-4396	local (remote)	*	–	0.8.10	0.8.11	Wouter Coekaerts	Multiple CRLF injection vulnerabilities in several scripts for Irssi allow user-assisted remote attackers to execute arbitrary IRC commands via CRLF sequences.
	CVE-2007-4396	local (remote)	*	–	0.8.10	0.8.11	Wouter Coekaerts
0.8.10 issues						2006-03-01
	CVE-2006-0458	client	0.8.9+			0.8.10		The DCC ACCEPT command handler allows remote attackers to cause a denial of service (application crash) via certain crafted arguments in a DCC command.
	CVE-2006-0458	client	0.8.9+			0.8.10
0.8.9 issues						2003-12-11
	CVE-2003-1020	client	*	–	0.8.8	0.8.9	Rico Gloeckner	The format_send_to_gui function allows remote IRC users to cause a denial of service (crash).
	CVE-2003-1020	client	*	–	0.8.8	0.8.9	Rico Gloeckner
Historic
	CVE-2002-0983	client	*	–	0.8.4	0.8.6	ripe@7a69ezine.org	Denial of service (crash) via an IRC channel that has a long topic followed by a certain string, possibly triggering a buffer overflow.
	CVE-2002-0983	client	*	–	0.8.4	0.8.6	ripe@7a69ezine.org
	CVE-2002-1840	remote	0.8.4					The download server was compromised and the download was backdoored, which allows remote attackers to access the system. Always check the GPG signature!
	CVE-2002-1840	remote	downloaded after 2002-03-14

Reference

"Exploitable by" column:

Server: Triggered by malicious inputs sent by a server with complete control over the connection
Example: malformed raw IRC commands
Client: Triggered by malicious inputs sent by remote clients with no privileges over the network
Example: malformed color codes inside a message
Local: Exploitable by unprivileged system users with access to the same filesystem
Example: CVE-2016-7553 (buf.pl information disclosure)
Formats: Exploitable through internal format codes used in themes and configs. These are not normally processed from the network but may be in combination with buggy scripts.
Example: CVE-2017-5356 (Crash on %[)