--- # - # name: Name of the bug group / security advisory, e.g.: IRSSI-SA-2099-01 # link: link to the advisory, e.g.: http://www.openwall.com/xxx (optional) # affected_note: Some additional info for the Versions column, e.g.: script.pl if group affects only a single script (optional) # release_date: date of release in YYYY-mm-dd format, e.g.: 2099-01-02 # repo: repository for the git commit, e.g.: scripts.irssi.org (optional, defaults to irssi) # git_commit: git commit for the whole advisory (optional) # # List of bugs # bugs: # - # cve: CVE of bug, e.g.: CVE-2099-0999 (optional) # name: name for the bug (in reference to the group), e.g.: (a) (optional) # link: link to more information about the bug (optional) # # additional external links to display in the first column (optional) # external_links: # - # id: text for the link # url: href for the link # - # # add more links here... # exploitable_by: one of server/client/local/formats/local (remote)/remote # affected_note_top: some remark to show on a row before the versions (optional) # # which versions are affected # affected_versions: # from: first version affected # to: last version affected # affected_note_bottom: some remarks to show below the versions, e.g.: only with compile flags xxx # fixed_version: first version with the fix # repo: repository for the git commit, e.g.: scripts.irssi.org (optional, defaults to irssi) # git_commit: git commit of the individual bug fix (optional) # credit: whom to credit for the discovery # description: Content of the description column # - # # add the next bug here... # - # # Add the next bug group / security advisory here... - name: Historic bugs: - cve: CVE-2002-0983 exploitable_by: client affected_versions: to: 0.8.4 fixed_version: 0.8.6 git_commit: b9b0917897bd3b78d105c3229deb390daa204cdd credit: ripe@7a69ezine.org description: | Denial of service (crash) via an IRC channel that has a long topic followed by a certain string, possibly triggering a buffer overflow. - cve: CVE-2002-1840 exploitable_by: remote affected_versions: from: 0.8.4 affected_note_bottom: 'downloaded after 2002-03-14' description: | The download server was compromised and the download was backdoored, which allows remote attackers to access the system. Always check the GPG signature! - name: 0.8.9 issues release_date: 2003-12-11 bugs: - cve: CVE-2003-1020 exploitable_by: client affected_versions: to: 0.8.8 fixed_version: 0.8.9 git_commit: ae7f177fb0ac0732239d3ff1b8dd208a31a7354d credit: Rico Gloeckner description: | The format_send_to_gui function allows remote IRC users to cause a denial of service (crash). - name: 0.8.10 issues release_date: 2006-03-01 bugs: - cve: CVE-2006-0458 exploitable_by: client affected_versions: from: 0.8.9+ fixed_version: 0.8.10 git_commit: 6d42a00287ff144c5c597b5da158961e0c22847d description: | The DCC ACCEPT command handler allows remote attackers to cause a denial of service (application crash) via certain crafted arguments in a DCC command. - name: 0.8.11 issues release_date: 2007-08-12 bugs: - cve: CVE-2007-4396 exploitable_by: local (remote) affected_versions: to: 0.8.10 fixed_version: 0.8.11 git_commit: f0fb4c19d45e25fddee76e7c442b1e900666cd0c credit: 'Wouter Coekaerts' description: | Multiple CRLF injection vulnerabilities in several scripts for Irssi allow user-assisted remote attackers to execute arbitrary IRC commands via CRLF sequences. - name: 0.8.14 issues release_date: 2009-05-28 bugs: - cve: CVE-2009-1959 exploitable_by: client affected_versions: to: 0.8.13 fixed_version: 0.8.14 git_commit: 1f9c560a7408bf5550e030b5ac0c07dad5435eb1 credit: nemo@felinemenace.org description: | Off-by-one error in the event_wallops function allows remote IRC servers to cause a denial of service (crash) via an empty command, which triggers a one-byte buffer under-read and a one-byte buffer underflow. - name: 0.8.15 issues release_date: 2010-04-03 bugs: - cve: CVE-2010-1155 affected_versions: to: 0.8.14 fixed_version: 0.8.15 git_commit: bb4ce4562bd04eeb24a5953dd8da5c843c04e328 description: | Irssi does not verify that the server hostname matches a domain name in the SSL certificate. - cve: CVE-2010-1156 exploitable_by: client affected_versions: to: 0.8.14 fixed_version: 0.8.15 git_commit: 1aa10ece887afd5d64eca1211aeced6cab310680 credit: 'Aurelien Delaitre (SATE 2009)' description: | core/nicklist.c in Irssi allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an attempted fuzzy nick match at the instant that a victim leaves a channel. - name: IRSSI-SA-2016 release_date: 2016-09-14 git_commit: 295a4b77f07f14602eeaa371f00ddbf09910c82b bugs: - cve: CVE-2016-7044 exploitable_by: client affected_versions: from: 0.8.17 to: 0.8.19 affected_note_bottom: '(with truecolor)' fixed_version: 0.8.20 credit: 'Gabriel Campana and Adrien Guinet from Quarkslab' description: 'Remote crash and heap corruption in format parsing code' - cve: CVE-2016-7045 exploitable_by: client affected_versions: from: 0.8.17 to: 0.8.19 fixed_version: 0.8.20 credit: 'Gabriel Campana and Adrien Guinet from Quarkslab' description: 'Remote crash and heap corruption in format parsing code' - name: BUF-PL-SA-2016 affected_note: buf.pl release_date: 2016-09-09 git_commit: f1b1eb154baa684fad5d65bf4dff79c8ded8b65a repo: scripts.irssi.org bugs: - cve: CVE-2016-7553 exploitable_by: local affected_versions: to: '2.13' fixed_version: '2.20' credit: 'Juerd Waalboer' description: 'Information disclosure vulnerability' - name: IRSSI-SA-2017-01 release_date: 2017-01-05 git_commit: 6c6c42e3d1b49d90aacc0b67f8540471cae02a1d bugs: - cve: CVE-2017-5193 exploitable_by: server affected_versions: to: 0.8.20 fixed_version: 0.8.21 credit: 'Joseph Bisch' description: 'NULL pointer dereference in the nickcmp function' - cve: CVE-2017-5194 exploitable_by: server affected_versions: to: 0.8.20 fixed_version: 0.8.21 credit: ~ description: 'Use after free when receiving invalid nick message' - cve: CVE-2017-5356 exploitable_by: formats affected_versions: to: 0.8.20 fixed_version: 0.8.21 credit: 'Hanno Böck' description: 'Out of bounds read when printing the value %[' - cve: CVE-2017-5195 exploitable_by: client affected_versions: from: 0.8.17 to: 0.8.20 fixed_version: 0.8.21 credit: 'Joseph Bisch' description: 'Out of bounds read in certain incomplete control codes' - cve: CVE-2017-5196 exploitable_by: server affected_versions: from: 0.8.18 to: 0.8.20 fixed_version: 0.8.21 credit: 'Hanno Böck and independently by Joseph Bisch' description: 'Out of bounds read in certain incomplete character sequences' - name: IRSSI-SA-2017-03 release_date: 2017-03-10 git_commit: 77b2631c78461965bc9a7414aae206b5c514e1b3 bugs: - cve: CVE-2017-7191 exploitable_by: server affected_versions: from: 1.0.0 to: 1.0.1 fixed_version: 1.0.2 credit: APic description: 'Use after free while producing list of netjoins' - name: IRSSI-SA-2017-06 release_date: 2017-06-06 git_commit: fb08fc7f1aa6b2e616413d003bf021612301ad55 bugs: - cve: CVE-2017-9468 exploitable_by: server affected_versions: to: 1.0.2 fixed_version: 1.0.3 credit: 'Joseph Bisch' description: 'NULL pointer dereference when receiving a DCC message without source nick/host' - cve: CVE-2017-9469 exploitable_by: client affected_versions: to: 1.0.2 fixed_version: 1.0.3 credit: 'Joseph Bisch' description: 'Out of bounds read when parsing incorrectly quoted DCC files' - name: IRSSI-SA-2017-07 release_date: 2017-07-07 git_commit: 5e26325317c72a04c1610ad952974e206384d291 bugs: - cve: CVE-2017-10965 exploitable_by: server affected_versions: to: 1.0.3 fixed_version: 1.0.4 credit: Brian 'geeknik' Carpenter of Geeknik Labs description: 'NULL pointer dereference when receiving messages with invalid timestamp' - cve: CVE-2017-10966 exploitable_by: client affected_versions: to: 1.0.3 fixed_version: 1.0.4 credit: Brian 'geeknik' Carpenter of Geeknik Labs description: 'Use after free after nicklist structure has been corrupted while updating a nick group' - name: IRSSI-SA-2017-10 release_date: 2017-10-23 git_commit: 43e44d553d44e313003cee87e6ea5e24d68b84a1 bugs: - cve: CVE-2017-15228 exploitable_by: formats affected_versions: to: 1.0.4 fixed_version: 1.0.5 credit: 'Hanno Böck' description: 'Unterminated colour formatting sequences may cause data access beyond the end of the buffer' - cve: CVE-2017-15227 exploitable_by: server affected_versions: to: 1.0.4 fixed_version: 1.0.5 credit: 'Joseph Bisch' description: 'Failure to remove destroyed channels from the query list while waiting for the channel synchronisation may result in use after free conditions when updating the state later on' - cve: CVE-2017-15721 exploitable_by: server affected_versions: to: 1.0.4 fixed_version: 1.0.5 credit: 'Joseph Bisch' description: 'Certain incorrectly formatted DCC CTCP messages could cause NULL pointer dereference' - cve: CVE-2017-15723 exploitable_by: server affected_versions: from: 0.8.17 to: 1.0.4 fixed_version: 1.0.5 credit: 'Joseph Bisch' description: 'Overlong nicks or targets may result in a NULL pointer dereference while splitting the message' - cve: CVE-2017-15722 exploitable_by: server affected_versions: to: 1.0.4 fixed_version: 1.0.5 credit: 'Joseph Bisch' description: 'Read beyond end of buffer may occur if a Safe channel ID is not long enough' - name: IRSSI-SA-2018-01 release_date: 2018-01-07 bugs: - cve: CVE-2018-5206 exploitable_by: server affected_versions: to: 1.0.5 fixed_version: 1.0.6 credit: 'Joseph Bisch' description: 'When the channel topic is set without specifying a sender, Irssi may dereference NULL pointer.' - cve: CVE-2018-5205 exploitable_by: formats affected_versions: to: 1.0.5 fixed_version: 1.0.6 credit: 'Joseph Bisch' description: 'When using incomplete escape codes, Irssi may access data beyond the end of the string.' - cve: CVE-2018-5208 exploitable_by: server affected_versions: to: 1.0.5 fixed_version: 1.0.6 credit: 'Joseph Bisch' description: 'A calculation error in the completion code could cause a heap buffer overflow when completing certain strings.' - cve: CVE-2018-5207 exploitable_by: formats affected_versions: to: 1.0.5 fixed_version: 1.0.6 credit: 'Joseph Bisch' description: 'When using an incomplete variable argument, Irssi may access data beyond the end of the string.'