34 days after reading https://irssi.org/2017/05/12/fuzzing-irssi/, I was finally able to trigger a null pointer dereference in irssi 1.0.2.
Timeline:
Report to vendor: 15 June 2017
Acknowledged by vendor: 15 June 2017
Fixed by vendor: 7 July 2017
Advisory:
http://seclists.org/oss-sec/2017/q3/80
Patch:
https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206
./irssi < test000
CAP LS
NICK root
USER root root /dev/stdin :root
ASAN:DEADLYSIGNAL
=================================================================
==23308==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f4505521e56 bp 0x7fff0bf30d90 sp 0x7fff0bf30518 T0)
==23308==The signal is caused by a READ memory access.
==23308==Hint: address points to the zero page.
#0 0x7f4505521e55 in strlen /build/glibc-cxyGtm/glibc-2.24/string/../sysdeps/x86_64/strlen.S:76
#1 0x4536dc in __interceptor_strlen.part.31 (/root/irssi-1.0.2/src/fe-text/irssi+0x4536dc)
#2 0x6bf3c9 in my_asctime /root/irssi-1.0.2/src/core/misc.c:565:8
#3 0x594d51 in event_topic_info /root/irssi-1.0.2/src/fe-common/irc/fe-events-numeric.c:275:19
#4 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
#5 0x6f4207 in signal_emit /root/irssi-1.0.2/src/core/signals.c:286:3
#6 0x62cd3d in irc_server_event /root/irssi-1.0.2/src/irc/core/irc.c:308:7
#7 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
#8 0x6f59b6 in signal_emit_id /root/irssi-1.0.2/src/core/signals.c:304:3
#9 0x62d33a in irc_parse_incoming_line /root/irssi-1.0.2/src/irc/core/irc.c:362:3
#10 0x6f499b in signal_emit_real /root/irssi-1.0.2/src/core/signals.c:242:3
#11 0x6f59b6 in signal_emit_id /root/irssi-1.0.2/src/core/signals.c:304:3
#12 0x62d6ba in irc_parse_incoming /root/irssi-1.0.2/src/irc/core/irc.c:383:3
#13 0x6bb9b2 in irssi_io_invoke /root/irssi-1.0.2/src/core/misc.c:55:3
#14 0x7f4506cc6229 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a229)
#15 0x7f4506cc65df (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a5df)
#16 0x7f4506cc668b in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a68b)
#17 0x57e4a7 in main /root/irssi-1.0.2/src/fe-text/irssi.c:326:3
#18 0x7f45054b53f0 in __libc_start_main /build/glibc-cxyGtm/glibc-2.24/csu/../csu/libc-start.c:291
#19 0x42e979 in _start (/root/irssi-1.0.2/src/fe-text/irssi+0x42e979)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-cxyGtm/glibc-2.24/string/../sysdeps/x86_64/strlen.S:76 in strlen
==23308==ABORTING
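The frames above run from event_topic_info() into my_asctime() and then into strlen() on a NULL string. Below is an added example, not code from irssi or from this post, of how that helper can be written so a bad timestamp yields an error instead of a NULL read. It assumes, from the frame names alone, that my_asctime() formats a time_t with localtime()/asctime() and then calls strlen() on the result; the field parser, the function names and the 26-byte asctime buffer size are part of this illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for localtime_r() and asctime_r() */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse the timestamp field of an IRC 333 (topic-info) reply, the message
 * event_topic_info() in the trace handles. 1 on success, 0 if missing/invalid. */
int parse_topic_timestamp(const char *field, time_t *out)
{
	char *end;
	long long v;
	if (field == NULL || *field == '\0')
		return 0;
	errno = 0;
	v = strtoll(field, &end, 10);
	if (errno == ERANGE || *end != '\0' || (long long)(time_t)v != v)
		return 0;
	*out = (time_t)v;
	return 1;
}

/* Format t like asctime() without the newline, checking each step: when the
 * year does not fit in an int, localtime() returns NULL; passing that through
 * asctime() into strlen() is the NULL read in the trace. 1 on success, else 0. */
int format_topic_time(time_t t, char *buf, size_t buflen)
{
	struct tm tm;
	size_t len;
	if (buflen < 26)                 /* asctime_r() needs 26 bytes */
		return 0;
	buf[0] = '\0';
	if (localtime_r(&t, &tm) == NULL || asctime_r(&tm, buf) == NULL)
		return 0;
	len = strlen(buf);
	if (len > 0 && buf[len - 1] == '\n')
		buf[len - 1] = '\0';
	return 1;
}

/* Quick check helper: -1 if the field does not parse, 0 if it parses but
 * cannot be formatted, otherwise the length of the formatted string (24). */
int topic_time_len(const char *field)
{
	time_t t;
	char buf[32];
	if (!parse_topic_timestamp(field, &t))
		return -1;
	return format_topic_time(t, buf, sizeof buf) ? (int)strlen(buf) : 0;
}
```

With a 64-bit time_t, a field such as the largest signed 64-bit value parses fine but makes localtime_r() fail, which is the case the unchecked version turns into a crash.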