Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 07 Jul 2017 14:26:53 +0200
From: Ailin Nemui <>
Subject: Irssi 1.0.4: CVE-2017-10965, CVE-2017-10966.

> Irssi 1.0.4 has been released. This release fixes two remote crash 
> issues in Irssi as well as a few bugs, correcting a mistake that was 
> introduced in 1.0.3 while parsing some time-related settings. There 
> are no new features. All Irssi users should upgrade to this version. 
> See the NEWS for details.
> Our bug reporter Brian ‘geeknik’ Carpenter writes:
> >    34 days after reading Fuzzing Irssi, my AFL instance was
> >    finally able to trigger a null pointer dereference in irssi 
> >    1.0.2. […] Hopefully this one isn’t fixed yet.
> >
> >    35 days after reading Fuzzing Irssi, my AFL instance triggered 
> >    a heap-use-after-free in irssi 1.0.2. Compiled on Debian 8 x64 
> >    following the instructions and patches of the referenced 
> >    article. (;
> For more information refer to the security advisory.
> Thanks, Brian!

IRSSI-SA-2017-07 Irssi Security Advisory [1]
CVE-2017-10965, CVE-2017-10966.


Two vulnerabilities have been located in Irssi.

(a) When receiving messages with invalid time stamps, Irssi would try
    to dereference a NULL pointer. Found by Brian 'geeknik' Carpenter
    of Geeknik Labs. (CWE-690)

    CVE-2017-10965 [2] was assigned to this bug

(b) While updating the internal nick list, Irssi may incorrectly use
    the GHashTable interface and free the nick while updating it. This
    will then result in use-after-free conditions on each access of
    the hash table. Found by Brian 'geeknik' Carpenter of Geeknik
    Labs. (CWE-416 caused by CWE-227)

    CVE-2017-10966 [3] was assigned to this bug


(a) May result in denial of service (remote crash).

(b) Undefined behaviour.

Affected versions

All Irssi versions that we observed.

Fixed in

Irssi 1.0.4

Recommended action

Upgrade to Irssi 1.0.4. Irssi 1.0.4 is a maintenance release in the
1.0 series, without any new features.

After installing the updated packages, one can issue the /upgrade
command to load the new binary. TLS connections will require

Mitigating facts

(a) requires control over the ircd

(b) should not happen with a conforming ircd




Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.