ASA-2019-00401 – Irssi: Use-after-free when sending SASL login


Allele Security Alert

ASA-2019-00401

Identifier(s)

ASA-2019-00401, CVE-2019-13045, IRSSI-SA-2019-06

Title

Use-after-free when sending SASL login

Vendor(s)

The Irssi team

Product(s)

Irssi

Affected version(s)

Irssi version 0.8.18 and later

Fixed version(s)

Irssi version 1.0.8
Irssi version 1.1.3
Irssi version 1.2.1

Proof of concept

Unknown

Description

A use-after-free that occurs when Irssi sends the SASL login to the server may affect the stability of Irssi. SASL logins may fail, especially during (manual and automated) reconnects.

Technical details

Unknown

Credits

ilbelkyr

Reference(s)

IRSSI-SA-2019-06 Irssi Security Advisory
https://irssi.org/security/html/irssi_sa_2019_06/

memory corruption sasl reconnect?
https://github.com/irssi/irssi/issues/1055

Merge pull request #1058 from ailin-nemui/sasl-reconnect
https://github.com/irssi/irssi/commit/d23b0d22cc611e43c88d99192a59f413f951a955

irssi Use after free SASL Vulnerability
http://blog.firosolutions.com/exploits/irssi2019/

CVE-2019-13045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13045

CVE-2019-13045
https://nvd.nist.gov/vuln/detail/CVE-2019-13045


Last modified: July 6, 2019
