irssi Use after free SASL Vulnerability
This exploit of the day is very exciting, it affects a chat client that have been actively used since its release in 1999! The vulnerability is affect the sasl( Simple Authentication and Security Layer ) authentication.
If you are running irssi less then 1.2.1 (check with human@computer:~$ irssi -v).
If you have a long time running instance of irssi you will need to restart your session:
[0]: upgrade the irssi package
[1]: in irssi run /upgrade , this will load the new binary patch
[2]: reconnect to the irc server
Git code patch
The solutions was to validate the sasl requests better
g_free_not_null(ircconn->usermode);
g_free_not_null(ircconn->alternate_nick);
g_free_not_null(ircconn->sasl_username);
g_free_not_null(ircconn->sasl_password);
}
rec->sasl_username = g_strdup(src->sasl_username);
rec->sasl_password = g_strdup(src->sasl_password);
Git commit 5a67b983dc97caeb5df1139aabd0bc4f260a47d8
CVE: CVE-2019-13045
External links:
Irssi blog post
Bugtraq
Firo
Stay up to date with Vulnerability Management and build cool things with our API
