Security

Please report security issues to staff@irssi.org. Thanks!

Past issues overview

Links Exploitable Versions affected Fixed Credit Description
IRSSI-SA-2023-03 2023-03-31
local (remote) 1.3.0 1.4.3 1.4.4 ednash Use after free while using a stale special collector reference
IRSSI-SA-2019-08 2019-08-29
server 1.2.0 1.2.1 1.2.2 Joseph Bisch Use after free when receiving duplicate CAP
IRSSI-SA-2019-06 2019-06-29
client 0.8.18 1.2.0 1.0.8
1.1.3
1.2.1
ilbelkyr Use after free when sending SASL login to the server
IRSSI-SA-2019-01 2019-01-09
client 1.1.0 1.1.1 1.1.2 Use after free when hidden lines were expired from the scroll buffer
IRSSI-SA-2018-02 2018-02-17
remote 1.0.0 1.0.6
1.1.0
1.0.7
1.1.1
Joseph Bisch Use after free when server is disconnected during netsplits. Incomplete fix of CVE-2017-7191.
server 0.8.18 1.0.6
1.1.0
1.0.7
1.1.1
Joseph Bisch Use after free when SASL messages are received in unexpected order.
server * 1.0.6
1.1.0
1.0.7
1.1.1
Joseph Bisch Null pointer dereference when an "empty" nick has been observed by Irssi.
client * 1.0.6
1.1.0
1.0.7
1.1.1
Joseph Bisch When the number of windows exceed the available space, Irssi would crash due to Null pointer dereference.
client 0.8.7 1.0.6
1.1.0
1.0.7
1.1.1
Oss-Fuzz Certain nick names could result in out of bounds access when printing theme strings.
IRSSI-SA-2018-01 2018-01-07
server * 1.0.5 1.0.6 Joseph Bisch When the channel topic is set without specifying a sender, Irssi may dereference NULL pointer.
formats * 1.0.5 1.0.6 Joseph Bisch When using incomplete escape codes, Irssi may access data beyond the end of the string.
server * 1.0.5 1.0.6 Joseph Bisch A calculation error in the completion code could cause a heap buffer overflow when completing certain strings.
formats * 1.0.5 1.0.6 Joseph Bisch When using an incomplete variable argument, Irssi may access data beyond the end of the string.
IRSSI-SA-2017-10 2017-10-23
formats * 1.0.4 1.0.5 Hanno Böck Unterminated colour formatting sequences may cause data access beyond the end of the buffer
server * 1.0.4 1.0.5 Joseph Bisch Failure to remove destroyed channels from the query list while waiting for the channel synchronisation may result in use after free conditions when updating the state later on
server * 1.0.4 1.0.5 Joseph Bisch Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference
server 0.8.17 1.0.4 1.0.5 Joseph Bisch Overlong nicks or targets may result in a NULL pointer dereference while splitting the message
server * 1.0.4 1.0.5 Joseph Bisch Read beyond end of buffer may occur if a Safe channel ID is not long enough
IRSSI-SA-2017-07 2017-07-07
server * 1.0.3 1.0.4 Brian 'geeknik' Carpenter of Geeknik Labs NULL pointer dereference when receiving messages with invalid timestamp
client * 1.0.3 1.0.4 Brian 'geeknik' Carpenter of Geeknik Labs Use after free after nicklist structure has been corrupted while updating a nick group
IRSSI-SA-2017-06 2017-06-06
server * 1.0.2 1.0.3 Joseph Bisch NULL pointer dereference when receiving a DCC message without source nick/host
client * 1.0.2 1.0.3 Joseph Bisch Out of bounds read when parsing incorrectly quoted DCC files
IRSSI-SA-2017-03 2017-03-10
server 1.0.0 1.0.6
1.1.0
1.0.7
1.1.1
APic Use after free while producing list of netjoins. See CVE-2018-7054.
IRSSI-SA-2017-01 2017-01-05
server * 0.8.20 0.8.21 Joseph Bisch NULL pointer dereference in the nickcmp function
server * 0.8.20 0.8.21 Use after free when receiving invalid nick message
formats * 0.8.20 0.8.21 Hanno Böck Out of bounds read when printing the value %[
client 0.8.17 0.8.20 0.8.21 Joseph Bisch Out of bounds read in certain incomplete control codes
server 0.8.18 0.8.20 0.8.21 Hanno Böck and independently by Joseph Bisch Out of bounds read in certain incomplete character sequences
IRSSI-SA-2016 2016-09-14
client 0.8.17 0.8.19 0.8.20 Gabriel Campana and Adrien Guinet from Quarkslab Remote crash and heap corruption in format parsing code
(with truecolor)
client 0.8.17 0.8.19 0.8.20 Gabriel Campana and Adrien Guinet from Quarkslab Remote crash and heap corruption in format parsing code
BUF-PL-SA-2016 buf.pl 2016-09-09
local * 2.13 2.20 Juerd Waalboer Information disclosure vulnerability
0.8.15 issues 2010-04-03
* 0.8.14 0.8.15 Irssi does not verify that the server hostname matches a domain name in the SSL certificate.
client * 0.8.14 0.8.15 Aurelien Delaitre (SATE 2009) core/nicklist.c in Irssi allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an attempted fuzzy nick match at the instant that a victim leaves a channel.
0.8.14 issues 2009-05-28
client * 0.8.13 0.8.14 nemo@felinemenace.org Off-by-one error in the event_wallops function allows remote IRC servers to cause a denial of service (crash) via an empty command, which triggers a one-byte buffer under-read and a one-byte buffer underflow.
0.8.11 issues 2007-08-12
local (remote) * 0.8.10 0.8.11 Wouter Coekaerts Multiple CRLF injection vulnerabilities in several scripts for Irssi allow user-assisted remote attackers to execute arbitrary IRC commands via CRLF sequences.
0.8.10 issues 2006-03-01
client 0.8.9+ 0.8.10 The DCC ACCEPT command handler allows remote attackers to cause a denial of service (application crash) via certain crafted arguments in a DCC command.
0.8.9 issues 2003-12-11
client * 0.8.8 0.8.9 Rico Gloeckner The format_send_to_gui function allows remote IRC users to cause a denial of service (crash).
Historic
client * 0.8.4 0.8.6 ripe@7a69ezine.org Denial of service (crash) via an IRC channel that has a long topic followed by a certain string, possibly triggering a buffer overflow.
remote 0.8.4 The download server was compromised and the download was backdoored, which allows remote attackers to access the system. Always check the GPG signature!
downloaded after 2002-03-14

Reference

"Exploitable by" column:

  • Server: Triggered by malicious inputs sent by a server with complete control over the connection
    Example: malformed raw IRC commands
  • Client: Triggered by malicious inputs sent by remote clients with no privileges over the network
    Example: malformed color codes inside a message
  • Local: Exploitable by unprivileged system users with access to the same filesystem
    Example: CVE-2016-7553 (buf.pl information disclosure)
  • Formats: Exploitable through internal format codes used in themes and configs. These are not normally processed from the network but may be in combination with buggy scripts.
    Example: CVE-2017-5356 (Crash on %[)