Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution
Ansgar Burchardt
ansgar at 43-1.org
Tue Aug 3 07:47:05 UTC 2010
Hi,
I did not get an answer from the security team for longer than a week
now. Maybe the mail did get lost somewhere?
Regards,
Ansgar
Ansgar Burchardt <ansgar at 43-1.org> writes:
> POE::Component::IRC did not validate the arguments of commands to send
> to the IRC server. If a user could trick a bot into sending a string
> containing \r or \n, this would allow injection of arbitrary IRC
> commands. This was fixed upstream in versions 6.14, 6.30 and finally
> solved in 6.32.
>
> Lenny is also affected by this problem. It can be reproduced using
> the attached minimalistic IRC bot in 581194.pl: using
> libpoe-component-perl from Lenny the bot will exit from IRC after
> seeing a message in #test-1234 and replying to it.
>
> I prepared a patch using the same fix as upstream introduced in 6.32:
> stripping \r and \n and any following characters from commands being
> sent. Upstream confirmed in IRC that this should be enough to fix the
> bug.
>
> Security Team: Should we upload the proposed fix to stable-security or
> should this rather be fixed in the next point release of Lenny?
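The following is an added example, not the attached 581194.pl and not code from POE::Component::IRC or the proposed Debian patch. It shows in plain Perl why a \r or \n in user-controlled text lets one PRIVMSG become two commands, and applies a filter in the spirit of the fix the report describes (drop the first \r or \n and everything after it). The function names, the channel name reuse and the regex formulation are my own assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or POE::Component::IRC itself):
# a CR/LF in user-controlled text turns one PRIVMSG into two IRC
# commands; the filter below drops \r/\n and everything after it, as the
# report describes the 6.32 fix. Function names are assumptions.
use strict;
use warnings;

# Raw line a bot would send for a channel reply with no filtering:
# the vulnerable behaviour described in the report.
sub build_privmsg_unsafe {
    my ($target, $text) = @_;
    return "PRIVMSG $target :$text\r\n";
}

# Strip the first \r or \n and anything following it (assumed
# formulation of the approach described for 6.32, not the module's code).
sub strip_crlf {
    my ($text) = @_;
    $text =~ s/[\r\n].*//s;
    return $text;
}

sub build_privmsg_safe {
    my ($target, $text) = @_;
    return "PRIVMSG $target :" . strip_crlf($text) . "\r\n";
}

# Split an outgoing buffer the way an IRC server would read it:
# one command per CR/LF-terminated line.
sub commands_seen_by_server {
    my ($raw) = @_;
    return grep { length } split /\r?\n/, $raw;
}

# Constructed message: looks like a greeting, but carries a QUIT
# command behind a line break.
my $user_text = "hello\r\nQUIT :bye";

my @unsafe = commands_seen_by_server(build_privmsg_unsafe('#test-1234', $user_text));
my @safe   = commands_seen_by_server(build_privmsg_safe('#test-1234', $user_text));

print "Unfiltered, the server sees ", scalar(@unsafe), " command(s):\n";
print "  $_\n" for @unsafe;
print "Filtered, the server sees ", scalar(@safe), " command(s):\n";
print "  $_\n" for @safe;
```

Run with `perl` and no arguments; the unfiltered buffer is read by the server as two commands (the PRIVMSG and a QUIT, which is why the bot in the report drops off IRC after replying), while the filtered buffer is a single PRIVMSG carrying only "hello". Truncating at the first line break rather than replacing it with a space is the conservative choice: nothing after a CR or LF in a single command argument can be legitimate IRC protocol.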