irssi is a modular IRC client for UNIX systems. The program has been found to contain a vulnerability that allows a normal IRC user to remotely crash another user's irssi client.
Credit:
The information has been provided by Timo Sirainen, Rico Gloeckner and Wouter Coekaerts.
Vulnerable systems:
* irssi version 0.8.8 and prior
Immune systems:
* irssi version 0.8.9
Irssi 0.8.9 release fixes a vulnerability that allows normal IRC users to remotely crash another user's irssi client, if either of these conditions is met:
a) Irssi is running on an architecture that requires memory alignment (i.e. not x86)
b) The "gui print text" signal is being used by some script or plugin. Two scripts on the scripts.irssi.org website do this: nicklist.pl and tab_stop.pl
The bug also enables a minor annoyance for all irssi users: a remote user can change a message's "level", for example marking it as highlighted so that it shows up with the /last -highlight command.
Technical details:
The problematic call was in src/fe-common/core/formats.c:

    void format_send_to_gui(TEXT_DEST_REC *dest, const char *text)
    ..
            case FORMAT_STYLE_INDENT_FUNC: {
                    const char *start = ptr;
                    ..
                    signal_emit_id(signal_gui_print_text, 6, dest->window, NULL, NULL,
                                   GINT_TO_POINTER(GUI_PRINT_FLAG_INDENT_FUNC), str, start, dest);

The "str" parameter was not supposed to be there, so signal handlers treated "start" (a user-given string) as "dest", which allowed dest's contents to be faked.
The good thing here is that by default, irssi does not modify dest's content in any signal handler, so arbitrary code execution is not possible. By default only dest->level is read.
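The argument shift described above, as an added example that is not irssi's code: a simplified C model of an untyped six-argument signal emit, in which the handler's dest slot receives the user string in the flawed call and the real dest once "str" is removed. MODEL_DEST, model_signal_emit, the handler and the sample values are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for TEXT_DEST_REC; this layout is an assumption. */
typedef struct { void *window; int level; } MODEL_DEST;
static MODEL_DEST real_dest = { NULL, 4 };                  /* constructed: genuine level 4 */
static const char user_text[] = "AAAAAAAAAAAAAAAAAAAAAAAA"; /* constructed user-given text */
static const void *seen_dest;                               /* pointer found in the dest slot */
#define P(x) ((const void *)(x))

/* Modelled "gui print text" handler: (window, fg, bg, flags, text, dest).
   It only reads dest->level. memcpy keeps the model well-defined; a direct
   read through a misaligned pointer is what faults on strict-alignment CPUs. */
static int handler_read_level(const void *args[6])
{
    int level;
    seen_dest = args[5];
    memcpy(&level, (const char *)args[5] + offsetof(MODEL_DEST, level), sizeof level);
    return level;
}

/* Untyped emitter: forwards the first `count` pointers, never sees the rest. */
static int model_signal_emit(int count, ...)
{
    const void *args[6] = { 0 };
    va_list va;
    va_start(va, count);
    for (int i = 0; i < count && i < 6; i++)
        args[i] = va_arg(va, const void *);
    va_end(va);
    return handler_read_level(args);
}

/* Flawed shape: the extra `str` pushes `start` (user text) into the dest slot. */
int level_seen_flawed(void)
{
    return model_signal_emit(6, P(real_dest.window), P(0), P(0), P(0),
                             P("str"), P(user_text), P(&real_dest));
}
/* Corrected shape: `str` removed, so the sixth argument is the real dest. */
int level_seen_fixed(void)
{
    return model_signal_emit(6, P(real_dest.window), P(0), P(0), P(0),
                             P(user_text), P(&real_dest));
}
int main(void) {
    printf("flawed level=0x%x fixed level=%d\n", (unsigned)level_seen_flawed(), level_seen_fixed());
    return 0;
}
```

In the flawed call the level the handler reads is made of bytes from the user's text. Declaring the signal's argument list once and type-checking emitters against it turns this kind of miscount into a compile-time error.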