*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: libpoe-component-irc-perl

POE::Component::IRC did not validate the arguments of commands to send to the IRC server. If a user could trick a bot into sending a string containing \r or \n, this would allow injection of arbitrary IRC commands.

This was fixed upstream in versions 6.14, 6.30 and finally solved in 6.32. I prepared a patch for Lenny (5.84+dfsg-1) that should also apply for later versions.

See http://bugs.debian.org/581194.

** Affects: libpoe-component-irc-perl (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: libpoe-component-irc-perl (Debian)
     Importance: Unknown
         Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #581194
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581194

** Also affects: libpoe-component-irc-perl (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581194
     Importance: Unknown
         Status: Unknown

--
Insufficient stripping of CR/LF allows arbitrary IRC command execution
https://bugs.launchpad.net/bugs/609239
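
The kind of argument validation the report above says was missing, as an added example that is not part of the original report and is neither the upstream fix nor the Debian patch. The function name `build_irc_line`, the channel name and the sample inputs are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not POE::Component::IRC code. build_irc_line() and the
# sample values below are hypothetical names constructed for illustration.
use strict;
use warnings;

# Build one IRC protocol line from a command and its arguments.
# IRC messages are terminated by CR LF, so a CR or LF inside an argument
# ends the message early and the rest is parsed as a new command.
sub build_irc_line {
    my ($command, @args) = @_;

    # \z (not $) so that a trailing newline cannot slip past the anchor.
    die "invalid command\n"
        unless defined $command
            && $command =~ /\A[A-Za-z]+\z|\A[0-9]{3}\z/;

    for my $i (0 .. $#args) {
        my $arg = $args[$i];
        die "argument $i is undefined\n" unless defined $arg;
        # Reject instead of silently stripping, so the caller can log it.
        die "argument $i contains CR, LF or NUL\n" if $arg =~ /[\r\n\0]/;
        # Only the last argument may be empty, hold spaces or start with ':'.
        die "middle argument $i is malformed\n"
            if $i < $#args && ($arg eq '' || $arg =~ /\A:| /);
    }

    $args[-1] = ':' . $args[-1] if @args;
    return join(' ', uc $command, @args) . "\r\n";
}

# Constructed inputs: a normal reply and one carrying an embedded line break.
for my $text ("hello there", "hello\r\nQUIT :injected") {
    my $line = eval { build_irc_line('PRIVMSG', '#channel', $text) };
    if (defined $line) {
        (my $shown = $line) =~ s/\r\n\z/\\r\\n/;
        print "sent:     $shown\n";
    }
    else {
        print "rejected: $@";
    }
}
```

The check belongs at the point where the line is written to the socket, so every command path goes through it regardless of which higher-level method the bot called.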
