On Tue, 03 Aug 2010 15:45:22 -0400, Adam D. Barratt wrote:
> > I contacted upstream on IRC before preparing the package because I was a
> > bit unsure about this part as well and they confirmed that including
> > only
> >
> > +# if we find a newline in the message, take that to be the end of i
On Tue, August 3, 2010 14:45, Ansgar Burchardt wrote:
> "Adam D. Barratt" writes:
>> The upstream commits referenced in the bug report contain two changes -
>> the one you've included in your patch, and 4f46c293, which applies
>> (assuming the function name is accurate) to privmsgs and notices. D
Hi,
"Adam D. Barratt" writes:
> On Tue, August 3, 2010 13:33, Ansgar Burchardt wrote:
>> libpoe-component-irc-perl has a bug allowing injection of IRC commands
>> in scripts not stripping \r and \n [1]. I prepared the attached patch to
>> fix this problem for Lenny.
>>
>> The security team says
On Tue, August 3, 2010 13:33, Ansgar Burchardt wrote:
> libpoe-component-irc-perl has a bug allowing injection of IRC commands
> in scripts not stripping \r and \n [1]. I prepared the attached patch to
> fix this problem for Lenny.
>
> The security team says this issue should be fixed in the next
clone 581194 -1
reassign -1 release.debian.org
retitle -1 pu: libpoe-component-irc-perl/5.84+dfsg-1+lenny1
severity -1 normal
tags -1 =
user release.debian@packages.debian.org
usertags -1 + pu
thanks
Hi,
libpoe-component-irc-perl has a bug allowing injection of IRC commands
in script
Hi Ansgar,
Thanks for getting in touch with us and sorry for the delay in the
answer.
On Tue, 03 Aug 2010, Ansgar Burchardt wrote:
> > Security Team: Should we upload the proposed fix to stable-security or
> > should this rather be fixed in the next point release of Lenny?
Since the pr
Hi,
I did not get an answer from the security team for longer than a week
now. Maybe the mail did get lost somewhere?
Regards,
Ansgar
Ansgar Burchardt writes:
> POE::Component::IRC did not validate the arguments of commands to send
> to the IRC server. If a user could trick a bot into sendin
Hi,
POE::Component::IRC did not validate the arguments of commands to send
to the IRC server. If a user could trick a bot into sending a string
containing \r or \n, this would allow injection of arbitrary IRC
commands. This was fixed upstream in versions 6.14, 6.30 and finally
solved in 6.32.
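To make the injection described in this report concrete, here is an added example (not code from the bug report or from POE::Component::IRC itself) that builds the raw PRIVMSG line a bot would send, shows what the server parses from it, and applies the two mitigations the thread mentions: the bot stripping \r and \n, and the component cutting the message at the first newline as the upstream fix does. The subroutine names and the '#channel' target are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Raw line a naive bot sends for a PRIVMSG, with no sanitising at all.
sub raw_privmsg {
    my ($target, $text) = @_;
    return "PRIVMSG $target :$text\r\n";
}

# What the server sees: one command per CR/LF-terminated line.
# A stray \r or \n inside the argument therefore starts a new command.
sub commands_seen_by_server {
    my ($wire) = @_;
    return grep { length } split /\r\n|\r|\n/, $wire;
}

# Mitigation 1 (bot side): remove CR and LF from user-supplied text.
sub strip_crlf {
    my ($s) = @_;
    $s =~ s/[\r\n]//g;
    return $s;
}

# Mitigation 2 (component side, the approach of the upstream fix):
# treat the first newline as the end of the message and drop the rest.
sub truncate_at_newline {
    my ($s) = @_;
    $s =~ s/[\r\n].*//s;
    return $s;
}

# Constructed attacker-controlled input, taken from the bug report.
my $user_input = "foo bar\rQUIT";

for my $case (['unsanitised',         $user_input],
              ['strip_crlf',          strip_crlf($user_input)],
              ['truncate_at_newline', truncate_at_newline($user_input)]) {
    my ($label, $text) = @$case;
    my @cmds = commands_seen_by_server(raw_privmsg('#channel', $text));
    printf "%-20s %d command(s): %s\n", $label, scalar @cmds, join(' | ', @cmds);
}
```

The unsanitised case yields two commands (the PRIVMSG and a QUIT), while both mitigations leave a single PRIVMSG; which one a bot author prefers decides whether the injected tail is kept as literal text or discarded.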
Package: libpoe-component-irc-perl
Severity: important
Tags: patch
IRC bots which do not take care of removing carriage returns and line
feeds from parameters they send to the IRC component are vulnerable to
this security hole. For example, passing an argument of "foo bar\rQUIT"
to the 'privmsg