Security

Please report security issues to staff@irssi.org. Thanks!

Past issues overview

| Links | Exploitable by | Versions affected | Fixed | Credit | Description |
|---|---|---|---|---|---|
| IRSSI-SA-2017-10 2017-10-23 | | | | | |
| | formats | * – 1.0.4 | 1.0.5 | Hanno Böck | Unterminated colour formatting sequences may cause data access beyond the end of the buffer |
| | server | * – 1.0.4 | 1.0.5 | Joseph Bisch | Failure to remove destroyed channels from the query list while waiting for the channel synchronisation may result in use after free conditions when updating the state later on |
| | server | * – 1.0.4 | 1.0.5 | Joseph Bisch | Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference |
| | server | 0.8.17 – 1.0.4 | 1.0.5 | Joseph Bisch | Overlong nicks or targets may result in a NULL pointer dereference while splitting the message |
| | server | * – 1.0.4 | 1.0.5 | Joseph Bisch | Read beyond end of buffer may occur if a Safe channel ID is not long enough |
| IRSSI-SA-2017-07 2017-07-07 | | | | | |
| | server | * – 1.0.3 | 1.0.4 | Brian 'geeknik' Carpenter of Geeknik Labs | NULL pointer dereference when receiving messages with invalid timestamp |
| | client | * – 1.0.3 | 1.0.4 | Brian 'geeknik' Carpenter of Geeknik Labs | Use after free after nicklist structure has been corrupted while updating a nick group |
| IRSSI-SA-2017-06 2017-06-06 | | | | | |
| | server | * – 1.0.2 | 1.0.3 | Joseph Bisch | NULL pointer dereference when receiving a DCC message without source nick/host |
| | client | * – 1.0.2 | 1.0.3 | Joseph Bisch | Out of bounds read when parsing incorrectly quoted DCC files |
| IRSSI-SA-2017-03 2017-03-10 | | | | | |
| | server | 1.0.0 – 1.0.1 | 1.0.2 | APic | Use after free while producing list of netjoins |
| IRSSI-SA-2017-01 2017-01-05 | | | | | |
| | server | * – 0.8.20 | 0.8.21 | Joseph Bisch | NULL pointer dereference in the nickcmp function |
| | server | * – 0.8.20 | 0.8.21 | | Use after free when receiving invalid nick message |
| | formats | * – 0.8.20 | 0.8.21 | Hanno Böck | Out of bounds read when printing the value %[ |
| | client | 0.8.17 – 0.8.20 | 0.8.21 | Joseph Bisch | Out of bounds read in certain incomplete control codes |
| | server | 0.8.18 – 0.8.20 | 0.8.21 | Hanno Böck and independently by Joseph Bisch | Out of bounds read in certain incomplete character sequences |
| BUF-PL-SA-2016 buf.pl 2016-09-09 | | | | | |
| | local | * – 2.13 | 2.20 | Juerd Waalboer | Information disclosure vulnerability |
| IRSSI-SA-2016 2016-09-14 | | | | | |
| | client | 0.8.17 – 0.8.19 (with truecolor) | 0.8.20 | Gabriel Campana and Adrien Guinet from Quarkslab | Remote crash and heap corruption in format parsing code |
| | client | 0.8.17 – 0.8.19 | 0.8.20 | Gabriel Campana and Adrien Guinet from Quarkslab | Remote crash and heap corruption in format parsing code |
| 0.8.15 issues 2010-04-03 | | | | | |
| | | * – 0.8.14 | 0.8.15 | | Irssi does not verify that the server hostname matches a domain name in the SSL certificate. |
| | client | * – 0.8.14 | 0.8.15 | Aurelien Delaitre (SATE 2009) | core/nicklist.c in Irssi allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an attempted fuzzy nick match at the instant that a victim leaves a channel. |
| 0.8.14 issues 2009-05-28 | | | | | |
| | client | * – 0.8.13 | 0.8.14 | [email protected] | Off-by-one error in the event_wallops function allows remote IRC servers to cause a denial of service (crash) via an empty command, which triggers a one-byte buffer under-read and a one-byte buffer underflow. |
| 0.8.11 issues 2007-08-12 | | | | | |
| | local (remote) | * – 0.8.10 | 0.8.11 | Wouter Coekaerts | Multiple CRLF injection vulnerabilities in several scripts for Irssi allow user-assisted remote attackers to execute arbitrary IRC commands via CRLF sequences. |
| 0.8.10 issues 2006-03-01 | | | | | |
| | client | 0.8.9+ | 0.8.10 | | The DCC ACCEPT command handler allows remote attackers to cause a denial of service (application crash) via certain crafted arguments in a DCC command. |
| 0.8.9 issues 2003-12-11 | | | | | |
| | client | * – 0.8.8 | 0.8.9 | Rico Gloeckner | The format_send_to_gui function allows remote IRC users to cause a denial of service (crash). |
| Historic | | | | | |
| | client | * – 0.8.4 | 0.8.6 | [email protected] | Denial of service (crash) via an IRC channel that has a long topic followed by a certain string, possibly triggering a buffer overflow. |
| | remote | 0.8.4 downloaded after 2002-03-14 | | | The download server was compromised and the download was backdoored, which allows remote attackers to access the system. Always check the GPG signature! |

Reference

"Exploitable by" column: