irssi Use after free SASL Vulnerability

irssi Use after free SASL Vulnerability

This exploit of the day is very exciting, it affects a chat client that have been actively used since its release in 1999! The vulnerability is affect the sasl( Simple Authentication and Security Layer ) authentication.

If you are running irssi less then 1.2.1 (check with human@computer:~$ irssi -v).

If you have a long time running instance of irssi you will need to restart your session:

[0]: upgrade the irssi package   
[1]: in irssi run /upgrade  , this will load the new binary patch
[2]: reconnect to the irc server

Git code patch

The solutions was to validate the sasl requests better

	rec->sasl_username = g_strdup(src->sasl_username);
	rec->sasl_password = g_strdup(src->sasl_password);

Git commit 5a67b983dc97caeb5df1139aabd0bc4f260a47d8

CVE: CVE-2019-13045

External links:
Irssi blog post
Bugtraq Firo

Stay up to date with Vulnerability Management and build cool things with our API