Hi, "Adam D. Barratt" <[email protected]> writes:
> On Tue, August 3, 2010 13:33, Ansgar Burchardt wrote:
>> libpoe-component-irc-perl has a bug allowing injection of IRC commands
>> in scripts not stripping \r and \n [1]. I prepared the attached patch to
>> fix this problem for Lenny.
>>
>> The security team says this issue should be fixed in the next point
>> release and not via an upload to stable-security (see below). Should we
>> go ahead and upload the proposed patch to stable?
>
> The upstream commits referenced in the bug report contain two changes -
> the one you've included in your patch, and 4f46c293, which applies
> (assuming the function name is accurate) to privmsgs and notices. Does
> the later patch render the earlier one unnecessary, or should both be
> included? The commit message for 4f46c293 implies that it was intended as
> a security fix.

I think you refer to this part of the upstream patch [1]:

-    my @messages = split /\n/, $message;
+    my @messages = split /[\n\r]/, $message;

This is not needed for Debian: the split statement was introduced in [2]
in a first attempt to fix the injection problem and later updated to
include \r as well. But upstream has reverted to the old behavior
already [3]: messages are no longer split; only everything after \r and
\n is stripped from messages before sending.

I contacted upstream on IRC before preparing the package because I was a
bit unsure about this part as well and they confirmed that including only

+    # if we find a newline in the message, take that to be the end of it
+    $msg =~ s/[\015\012].*//s;

should be enough to fix the issue.

Regards,
Ansgar

[1] <http://github.com/bingos/poe-component-irc/commit/4f46c29376359b3d7c5b5cd400115103fdef9ca8>
[2] <http://github.com/bingos/poe-component-irc/commit/76966466f5e05ff6ba851b3029b318e2f4c2f216>
[3] <http://github.com/bingos/poe-component-irc/commit/9e2a01af6a908f9c1c97431bcbc5f483a7a99e2f>
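Review bot: `$msg =~ s/[\015\012].*//s;` discards everything from the first CR or LF to the end of the string, so a message with an embedded newline is silently truncated rather than rejected; the `/s` modifier is what lets `.*` run across any further newlines and must stay in place. Since this differs from the split-into-several-messages behaviour of the reverted `split /[\n\r]/` hunk, the Debian changelog entry should state that text after an embedded newline is dropped, so users of the package know why long pasted messages may be cut short.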

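As an added illustration (not code from the bug report, the Debian patch or POE::Component::IRC itself), the following Perl script builds a raw PRIVMSG line with and without the stripping quoted in the mail. `privmsg_unsafe`, `privmsg_safe` and `line_count` are hypothetical helpers, and the input is a constructed sample.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: embed an untrusted message as-is. An embedded CR/LF
# ends the PRIVMSG line early, and whatever follows is read by the server
# as a separate command (the bug described in the report).
sub privmsg_unsafe {
    my ($target, $msg) = @_;
    return "PRIVMSG $target :$msg\r\n";
}

# Hypothetical helper mirroring the upstream fix: if we find a newline in
# the message, take that to be the end of it. /s lets .* span later newlines.
sub privmsg_safe {
    my ($target, $msg) = @_;
    $msg =~ s/[\015\012].*//s;
    return "PRIVMSG $target :$msg\r\n";
}

# Count the non-empty protocol lines a server would parse from a buffer.
sub line_count {
    my ($buf) = @_;
    my @lines = grep { length } split /\r?\n|\r/, $buf;
    return scalar @lines;
}

# Constructed sample: a chat message carrying an embedded second command.
my $user_input = "hi there\r\nJOIN #other\r\n";

my $bad  = privmsg_unsafe('#chan', $user_input);
my $good = privmsg_safe('#chan', $user_input);

printf "unsafe: %d line(s): %s\n", line_count($bad),
    join(' | ', grep { length } split /\r?\n/, $bad);
printf "safe:   %d line(s): %s\n", line_count($good),
    join(' | ', grep { length } split /\r?\n/, $good);
```

The unsafe builder yields two protocol lines from one call, while the stripped version yields exactly one.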
