Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

Ansgar Burchardt ansgar at 43-1.org
Fri Jul 23 17:17:54 UTC 2010


Hi,

POE::Component::IRC did not validate the arguments of commands to send
to the IRC server.  If a user could trick a bot into sending a string
containing \r or \n, this would allow injection of arbitrary IRC
commands.  This was fixed upstream in versions 6.14, 6.30 and finally
solved in 6.32.

Lenny is also affected by this problem.  It can be reproduced using
the attached minimalistic IRC bot in 581194.pl: using
libpoe-component-perl from Lenny the bot will exit from IRC after
seeing a message in #test-1234 and replying to it.

I prepared a patch using the same fix as upstream introduced in 6.32:
stripping \r and \n and any following characters from commands being
sent.  Upstream confirmed in IRC that this should be enough to fix the
bug.

Security Team: Should we upload the proposed fix to stable-security or
should this rather be fixed in the next point release of Lenny?

Regards,
Ansgar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 581194.diff
Type: text/x-diff
Size: 2127 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20100724/21cbcd89/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 581194.pl
Type: text/x-perl
Size: 998 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20100724/21cbcd89/attachment.pl>
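The injection the report describes, and the truncating fix it proposes, in a self-contained form. This is an added example written for this page in Python, not the Perl code of POE::Component::IRC, the attached 581194.pl bot, or the attached patch; the function names, the `#test-1234` target and the injected string are constructed for illustration. It builds the wire line an IRC client would send for a PRIVMSG, once unsafely and once after dropping the first \r or \n and everything following it (the behaviour the e-mail attributes to the upstream 6.32 fix), then splits the resulting byte stream the way a server's line parser would to show how many commands actually reach the server.

```python
"""CR/LF injection into outgoing IRC commands, and the truncating fix.

Added example for this bug report; not code from POE::Component::IRC.
"""
import re

CRLF = "\r\n"


def build_privmsg_unsafe(target: str, text: str) -> str:
    """Vulnerable: interpolates caller-supplied text straight into the wire line."""
    return f"PRIVMSG {target} :{text}{CRLF}"


def strip_crlf(arg: str) -> str:
    """Drop the first \\r or \\n and any following characters.

    This mirrors the fix described in the report (strip \\r and \\n and
    anything after them from command arguments); the exact upstream
    regex is an assumption, not quoted from the patch.
    """
    return re.sub(r"[\r\n].*", "", arg, flags=re.S)


def build_privmsg_safe(target: str, text: str) -> str:
    """Hardened: every argument is sanitised before it is joined into a line."""
    return f"PRIVMSG {strip_crlf(target)} :{strip_crlf(text)}{CRLF}"


def server_split(buf: str) -> list:
    """Model of the server side: the byte stream is cut into messages at
    CR/LF (a lone CR or LF is treated as a terminator too, as many servers do)."""
    return [line for line in re.split(r"\r\n|\r|\n", buf) if line]


def commands_sent(wire: str) -> list:
    """Return the command verb of each message the server would parse."""
    return [msg.split(" ", 1)[0] for msg in server_split(wire)]


# Constructed sample input: text the bot has been tricked into relaying
# (e.g. fetched from an attacker-controlled source) that carries an
# embedded line break followed by a second IRC command.  A QUIT is what
# makes the Lenny bot in the report leave the network after replying.
INJECTED = "hello\r\nQUIT :bye"


def demo() -> tuple:
    """Commands reaching the server for the vulnerable and the fixed builder."""
    unsafe = build_privmsg_unsafe("#test-1234", INJECTED)
    safe = build_privmsg_safe("#test-1234", INJECTED)
    return commands_sent(unsafe), commands_sent(safe)


if __name__ == "__main__":
    before, after = demo()
    print("unsafe builder sends:", before)
    print("safe builder sends:  ", after)
```

Truncating at the first \r or \n (rather than replacing the characters with a space) silently discards whatever follows; that is acceptable for a security fix in a stable release, but a bot that legitimately relays multi-line text will want to split such input into separate PRIVMSGs itself before it reaches the sanitiser.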