Bug#591511: Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

2010-08-03 Thread gregor herrmann
On Tue, 03 Aug 2010 15:45:22 -0400, Adam D. Barratt wrote:
> > I contacted upstream on IRC before preparing the package because I was a
> > bit unsure about this part as well and they confirmed that including
> > only
> >
> > +# if we find a newline in the message, take that to be the end of i

Bug#591511: Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

2010-08-03 Thread Adam D. Barratt
On Tue, August 3, 2010 14:45, Ansgar Burchardt wrote:
> "Adam D. Barratt" writes:
>> The upstream commits referenced in the bug report contain two changes -
>> the one you've included in your patch, and 4f46c293, which applies
>> (assuming the function name is accurate) to privmsgs and notices. D

Bug#591511: Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

2010-08-03 Thread Ansgar Burchardt
Hi,

"Adam D. Barratt" writes:
> On Tue, August 3, 2010 13:33, Ansgar Burchardt wrote:
>> libpoe-component-irc-perl has a bug allowing injection of IRC commands
>> in scripts not stripping \r and \n [1]. I prepared the attached patch to
>> fix this problem for Lenny.
>>
>> The security team says

Bug#591511: Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

2010-08-03 Thread Adam D. Barratt
On Tue, August 3, 2010 13:33, Ansgar Burchardt wrote:
> libpoe-component-irc-perl has a bug allowing injection of IRC commands
> in scripts not stripping \r and \n [1]. I prepared the attached patch to
> fix this problem for Lenny.
>
> The security team says this issue should be fixed in the next

Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

2010-08-03 Thread Ansgar Burchardt
clone 581194 -1
reassign -1 release.debian.org
retitle -1 pu: libpoe-component-irc-perl/5.84+dfsg-1+lenny1
severity -1 normal
tags -1 =
user release.debian@packages.debian.org
usertags -1 + pu
thanks

Hi,

libpoe-component-irc-perl has a bug allowing injection of IRC commands in script

Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

2010-08-03 Thread Luciano Bello
Hi Ansgar,

Thanks for getting in touch with us and sorry for the delay in the answer.

On Tue, 03 Aug 2010, Ansgar Burchardt wrote:
> > Security Team: Should we upload the proposed fix to stable-security or
> > should this rather be fixed in the next point release of Lenny?

Since the pr

Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

2010-08-03 Thread Ansgar Burchardt
Hi,

I did not get an answer from the security team for longer than a week now. Maybe the mail did get lost somewhere?

Regards,
Ansgar

Ansgar Burchardt writes:
> POE::Component::IRC did not validate the arguments of commands to send
> to the IRC server. If a user could trick a bot into sendin

Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

2010-07-23 Thread Ansgar Burchardt
Hi,

POE::Component::IRC did not validate the arguments of commands to send to the IRC server. If a user could trick a bot into sending a string containing \r or \n, this would allow injection of arbitrary IRC commands. This was fixed upstream in versions 6.14, 6.30 and finally solved in 6.32. L

Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution

2010-05-11 Thread Debian bug at v.nix.is
Package: libpoe-component-irc-perl
Severity: important
Tags: patch

IRC bots which do not take care of removing carriage returns and line feeds from parameters they send to the IRC component are vulnerable to this security hole. For example, passing an argument of "foo bar\rQUIT" to the 'privmsg