PatchSiren cyber security CVE debrief

CVE-2017-5356 Debian CVE debrief

CVE-2017-5356 affects Irssi before 0.8.21. A remote attacker can trigger a denial of service by sending a string that includes the formatting sequence "%[" without a closing "]", which leads to an out-of-bounds read and a crash. The NVD CVSS vector rates the issue as high severity because it is network-reachable, requires no privileges or user interaction, and fully impacts availability.

Vendor: Debian
Product: CVE-2017-5356
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

Administrators, users, and package maintainers responsible for Irssi deployments should prioritize this issue, especially where older versions may still be in use. It is most relevant for any environment that exposes Irssi to untrusted remote input.

Technical summary

The supplied advisory data describes a format-string parsing bug in Irssi versions before 0.8.21. A malformed string containing "%[" without a matching closing bracket can drive an out-of-bounds read (CWE-125), causing the client to crash. The published CVSS 3.0 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a remotely triggerable availability-only denial of service.
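The weakness class here (CWE-125 from an unterminated "%[" sequence) comes down to a scanner that keeps reading for the closing "]" without checking the end of the buffer. The following is an added illustration written for this debrief, not Irssi's own code: a bounds-checked scanner for "%[ ... ]" sequences that stops cleanly at the end of the input and reports unterminated sequences, which a defender can also use to flag malformed remote input before it reaches a fragile client. The function and type names (scan_format_sequences, fmt_scan_result, format_input_is_wellformed) and the sample strings are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of validating one string for "%[ ... ]" formatting sequences.
 * (Type and field names are assumed for this example.) */
typedef struct {
    size_t complete;      /* sequences with a matching ']' inside the buffer */
    size_t unterminated;  /* "%[" reached the end of the buffer without a ']' */
    size_t first_bad;     /* offset of the first unterminated "%[", or (size_t)-1 */
} fmt_scan_result;

/* Bounds-checked scan: every read is guarded by (i < len), so an
 * unterminated "%[" stops at the end of the buffer instead of reading
 * past it, which is the out-of-bounds read this CVE describes. */
fmt_scan_result scan_format_sequences(const char *s, size_t len)
{
    fmt_scan_result r = { 0, 0, (size_t)-1 };
    size_t i = 0;

    while (i < len) {
        if (s[i] == '%' && i + 1 < len && s[i + 1] == '[') {
            size_t start = i;
            i += 2;                         /* skip "%[" */
            while (i < len && s[i] != ']')  /* never read s[len] */
                i++;
            if (i < len) {                  /* found the closing ']' */
                r.complete++;
                i++;
            } else {                        /* ran off the end: unterminated */
                r.unterminated++;
                if (r.first_bad == (size_t)-1)
                    r.first_bad = start;
            }
        } else {
            i++;
        }
    }
    return r;
}

/* Screening helper: 1 if every "%[" has a closing ']', 0 if the string
 * should be rejected or logged for investigation. */
int format_input_is_wellformed(const char *s)
{
    fmt_scan_result r = scan_format_sequences(s, strlen(s));
    return r.unterminated == 0;
}

int main(void)
{
    /* Constructed sample inputs for illustration only. */
    const char *samples[] = {
        "hello %[bold]world",
        "PRIVMSG #chan :%[",
        "a %[x] %[",
        "plain text without sequences",
    };
    size_t n = sizeof samples / sizeof samples[0];

    for (size_t k = 0; k < n; k++) {
        fmt_scan_result r = scan_format_sequences(samples[k], strlen(samples[k]));
        long bad = (r.first_bad == (size_t)-1) ? -1L : (long)r.first_bad;
        printf("%-30s complete=%zu unterminated=%zu first_bad=%ld wellformed=%d\n",
               samples[k], r.complete, r.unterminated, bad,
               format_input_is_wellformed(samples[k]));
    }
    return 0;
}
```

The point of the example is the guard on the inner loop: the search for "]" is bounded by the caller-supplied length rather than by the presence of a terminator, so a string that ends in "%[" produces a reported offset instead of a read beyond the buffer. The same scan can run on inbound lines in a logging or screening layer to surface the kind of malformed input that the "investigate unexpected crashes" action above refers to.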

Defensive priority

High

Recommended defensive actions

  • Upgrade Irssi to version 0.8.21 or later.
  • Verify packaged or embedded Irssi builds are not still shipping affected versions.
  • Use the vendor advisory and downstream distribution notices to confirm remediation status.
  • Treat unexpected crashes in affected clients as a security signal and investigate whether malformed remote input was involved.

Evidence notes

The CVE description states the issue affects Irssi before 0.8.21 and can be triggered by a string containing "%[" without a closing "]", causing an out-of-bounds read and crash. NVD supplies the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and classifies the weakness as CWE-125. Reference metadata includes an Irssi vendor advisory, oss-security mailing list posts, a technical write-up, and a Debian LTS notice; no additional reference contents were assumed beyond the supplied corpus.

Official resources

The issue was publicly referenced in January 2017 through upstream and mailing-list advisories, and the CVE record was published on 2017-03-03. The record was later modified on 2026-05-13, but that is a record update date rather than the CV