PatchSiren

CVE-2016-7553 Irssi CVE debrief

CVE-2016-7553 is a low-severity local information disclosure issue in Irssi's buf.pl script. Weak permissions on a scrollbuffer dump file created during upgrades could let a local user read private chat content. The supplied advisory and patch references point to a permissions fix rather than a code-execution problem.

Vendor: Irssi
Product: CVE-2016-7553
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

Irssi users, IRC administrators, and distro maintainers on multi-user or shared Unix-like systems should care most, especially where local shell access is available or upgrade-time dump files may persist.

Technical summary

The issue affects the buf.pl script used with Irssi. According to the supplied description, versions before 2.20 in Irssi before 0.8.20 can create a scrollbuffer dump file with overly weak permissions between upgrades. A local attacker with existing system access could read that file and recover sensitive private chat conversations. NVD classifies the issue as AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N and maps it to CWE-275 (Improper Permission Assignment for Critical Resource).

Defensive priority

Low overall, but worth prompt remediation on shared or multi-user systems because the impact is confidentiality exposure through a locally readable file.

Recommended defensive actions

  • Apply the vendor patch or updated buf.pl/Irssi release referenced in the advisory.
  • Verify upgrade-time scrollbuffer dump files are created with restrictive permissions and are removed after use.
  • Review existing systems for leftover dump files and delete any that may contain private chat history.
  • Limit local account access on shared hosts and audit file permissions in the Irssi data directory.
  • Use the official advisory and package notes to confirm your deployed version is outside the affected range.
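
The permission review in the actions above can be scripted. The following is an added example, not code from the Irssi project or the advisory: it lists files in an Irssi data directory that group or other users can read and shows the matching cleanup. The function names are hypothetical, and the default path ~/.irssi is an assumption (pass another directory as the first argument).

```shell
#!/bin/sh
# Added example: audit an Irssi data directory for files other local users can read.
# ASSUMPTION: the data directory is ~/.irssi unless another path is given as $1.

# Print every regular file under DIR that is readable by group or other.
list_exposed_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Succeed (0) only if DIR itself grants no read or search bits to group or other.
dir_is_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 -o -perm -010 -o -perm -001 \) -print)" ]
}

# Report exposure; return 0 if clean, 1 if loose files exist, 2 if DIR is missing.
audit_irssi_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    exposed=$(list_exposed_files "$dir")
    if [ -z "$exposed" ]; then
        echo "OK: no group/other-readable files under $dir"
        return 0
    fi
    if dir_is_private "$dir"; then
        echo "NOTE: $dir is private, but these files have loose modes:"
    else
        echo "EXPOSED: $dir is reachable by other users and these files are readable:"
    fi
    printf '%s\n' "$exposed"
    return 1
}

# Remediation: strip all group/other bits from everything under DIR.
tighten_irssi_dir() {
    chmod -R go-rwx "$1"
}

# Run the audit only when the directory exists, so the file is safe to source.
target=${1:-$HOME/.irssi}
if [ -d "$target" ]; then audit_irssi_dir "$target" || true; fi
```

The check looks only at the data directory and its contents; a restrictive mode on a parent directory such as the home directory can also block access and is not evaluated here.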

Evidence notes

The supplied corpus includes the Irssi vendor advisory, Openwall mailing-list patch notices, a GitHub patch commit, and a Fedora package announcement. The description says 'buf.pl script before 2.20 in Irssi before 0.8.20,' while the NVD CPE criteria list 'buf.pl' as vulnerable through 2.13; this debrief preserves that discrepancy rather than trying to resolve it beyond the supplied data. The issue is consistently framed as a weak-permissions disclosure affecting private chat data. No KEV entry is present in the supplied timeline.

Official resources

Public advisory material in the supplied corpus dates to September 2016, while the NVD CVE record was published on 2017-02-27 and modified on 2026-05-13. The timeline provided here does not include a KEV entry.