Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

Ansgar Burchardt ansgar at 43-1.org
Tue Aug 3 17:33:22 UTC 2010


clone 581194 -1
reassign -1 release.debian.org
retitle  -1 pu: libpoe-component-irc-perl/5.84+dfsg-1+lenny1
severity -1 normal
tags     -1 =
user     release.debian.org at packages.debian.org
usertags -1 + pu
thanks

Hi,

libpoe-component-irc-perl has a bug allowing injection of IRC commands
in scripts not stripping \r and \n [1].  I prepared the attached patch to
fix this problem for Lenny.

The security team says this issue should be fixed in the next point
release and not via an upload to stable-security (see below).  Should we
go ahead and upload the proposed patch to stable?

Regards,
Ansgar

[1] <http://bugs.debian.org/581194>

Luciano Bello <luciano at debian.org> writes:
> Since the problem affects only IRC commands in scripts that don't remove CR/LF
> from parameters they send to the IRC component, the problem should be fixed via
> a stable-proposed-update. Can you (or somebody else in the perl group) please
> make this upload? Remember to contact debian-release at lists.d.o attaching the
> debdiff.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 581194.diff
Type: text/x-diff
Size: 2127 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20100804/a4fe1a0e/attachment-0001.diff>
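Added illustration for readers of this thread (not code from POE::Component::IRC or from the attached patch): a small Python model of why CR/LF left in a command parameter becomes arbitrary IRC command injection, and what stripping it inside the component buys. The function names, the attacker input and the server-side line splitter are all constructed here; the assumption that a server splits its input buffer on CRLF and, commonly, on a bare CR or LF as well is noted in the comments.

```python
import re

# Constructed example for this thread, not code from POE::Component::IRC.
# IRC is line oriented: a server treats every CRLF-terminated line in its
# input buffer as a separate command, and many servers also accept a bare
# CR or LF (assumption: RFC 1459 specifies CRLF; tolerance for bare line
# breaks is common but implementation specific).  A script that passes
# untrusted text into a command parameter without stripping CR/LF therefore
# lets the attacker end that command and append further commands of its own.

_LINE_BREAK = re.compile(rb"\r\n|\r|\n")   # what the modelled server splits on
_CRLF_RUN = re.compile(r"[\r\n]+")          # what the hardened builder removes


def build_privmsg_unsafe(target: str, text: str) -> bytes:
    """Naive framing: parameters are interpolated verbatim (the bug)."""
    return f"PRIVMSG {target} :{text}\r\n".encode()


def strip_crlf(param: str) -> str:
    """Collapse any run of CR/LF inside a parameter to a single space.

    This belongs in the library, applied to every parameter of every command,
    because the report's point is that callers cannot be relied on to do it.
    """
    return _CRLF_RUN.sub(" ", param)


def build_privmsg_safe(target: str, text: str) -> bytes:
    """Hardened framing: each parameter is sanitised before the line is built."""
    return f"PRIVMSG {strip_crlf(target)} :{strip_crlf(text)}\r\n".encode()


def server_split(wire: bytes) -> list[str]:
    """Model of the server side: one command per line, empty lines dropped."""
    return [line.decode() for line in _LINE_BREAK.split(wire) if line]


if __name__ == "__main__":
    # Constructed attacker input: a chat message that smuggles a second command.
    hostile = "hello\r\nQUIT :injected"
    print(server_split(build_privmsg_unsafe("#chan", hostile)))
    # ['PRIVMSG #chan :hello', 'QUIT :injected']  -> two commands reached the server
    print(server_split(build_privmsg_safe("#chan", hostile)))
    # ['PRIVMSG #chan :hello QUIT :injected']     -> one command, payload inert
```

The same check is worth running against every parameter position, not only the trailing message: a channel name or nick containing a bare CR or LF splits the line just as effectively, which is why the fix strips both characters rather than only the CRLF pair.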