clone 581194 -1
reassign -1 release.debian.org
retitle -1 pu: libpoe-component-irc-perl/5.84+dfsg-1+lenny1
severity -1 normal
tags -1 =
user release.debian....@packages.debian.org
usertags -1 + pu
thanks

Hi,

libpoe-component-irc-perl has a bug allowing injection of IRC commands in scripts not stripping \r and \n [1]. I prepared the attached patch to fix this problem for Lenny.

The security team says this issue should be fixed in the next point release and not via an upload to stable-security (see below). Should we go ahead and upload the proposed patch to stable?

Regards,
Ansgar

[1] <http://bugs.debian.org/581194>

Luciano Bello <luci...@debian.org> writes:
> Since the problem affects only IRC commands in scripts that don't remove CR/LF
> from parameters they send to the IRC component, the problem should be fixed via
> a stable-proposed-update. Can you (or somebody else in the perl group) please
> make this upload? Remember to contact debian-rele...@lists.d.o attaching the
> debdiff.

diff -u libpoe-component-irc-perl-5.84+dfsg/debian/changelog libpoe-component-irc-perl-5.84+dfsg/debian/changelog --- libpoe-component-irc-perl-5.84+dfsg/debian/changelog +++ libpoe-component-irc-perl-5.84+dfsg/debian/changelog @@ -1,3 +1,10 @@ +libpoe-component-irc-perl (5.84+dfsg-1+lenny1) UNRELEASED; urgency=high + + * Filter out \r and \n in commands to prevent command injection. + (Closes: #581194) + + -- Ansgar Burchardt <ans...@43-1.org> Sat, 24 Jul 2010 00:42:34 +0900 + libpoe-component-irc-perl (5.84+dfsg-1) unstable; urgency=low * New upstream release(s). diff -u libpoe-component-irc-perl-5.84+dfsg/debian/patches/series libpoe-component-irc-perl-5.84+dfsg/debian/patches/series --- libpoe-component-irc-perl-5.84+dfsg/debian/patches/series +++ libpoe-component-irc-perl-5.84+dfsg/debian/patches/series @@ -1,0 +2 @@ +filter-out-newline-in-arguments.patch only in patch2: unchanged: --- libpoe-component-irc-perl-5.84+dfsg.orig/debian/patches/filter-out-newline-in-arguments.patch +++ libpoe-component-irc-perl-5.84+dfsg/debian/patches/filter-out-newline-in-arguments.patch 
@@ -0,0 +1,23 @@ +From: Ansgar Burchardt <ans...@43-1.org> +Date: Sat, 24 Jul 2010 00:54:55 +0900 +Subject: Filter out newlines in arguments +Bug-Debian: http://bugs.debian.org/581194 +Origin: backport, http://github.com/bingos/poe-component-irc/commit/675f55cd40ceebbc1bd2f309311a066bed41d869 + +Filter out \n and \r passed as arguments to commands as this would allow the +user to submit raw IRC commands. + +[ upstream patch by Hinrik Örn Sigurðsson <hinrik....@gmail.com> ] + +--- libpoe-component-irc-perl.orig/lib/POE/Component/IRC.pm ++++ libpoe-component-irc-perl/lib/POE/Component/IRC.pm +@@ -1203,6 +1203,9 @@ + my $now = time(); + $self->{send_time} = $now if $self->{send_time} < $now; + ++ # if we find a newline in the message, take that to be the end of it ++ $msg =~ s/[\015\012].*//s; ++ + if (bytes::length($msg) > $self->{msg_length} - bytes::length($self->nick_name())) { + $msg = bytes::substr($msg, 0, $self->{msg_length} - bytes::length($self->nick_name())); + }
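
Review bot: In the lib/POE/Component/IRC.pm hunk, `$msg =~ s/[\015\012].*//s;` does more than the changelog entry ("Filter out \r and \n") and the patch description say: it drops the first CR or LF and everything after it. That is the safer behaviour, but a script that passes multi-line text will lose the tail silently. Please word the code comment, patch header and changelog to say the message is truncated at the first CR or LF (the comment currently mentions only "newline"), so callers reading the point-release notes know that the remainder is discarded rather than joined. Placing the substitution before the `bytes::length($msg)` check is right, since the length limit is then applied to the already truncated message.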
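
Review bot: In the debian/changelog hunk the new entry still has the distribution set to `UNRELEASED`; this has to be changed to the stable target before the upload the mail asks about, and the trailer date refreshed if the entry is finalised later. The `debian/patches/series` hunk and the `Bug-Debian:` / `Origin:` headers in the new patch file look consistent with the changelog's `Closes: #581194`.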