Your message dated Thu, 05 Aug 2010 08:09:43 +0000
with message-id <[email protected]>
and subject line Bug#581194: fixed in libpoe-component-irc-perl 5.84+dfsg-1+lenny1
has caused the Debian Bug report #581194,
regarding libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
581194: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581194
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpoe-component-irc-perl
Severity: important
Tags: patch
IRC bots which do not take care of removing carriage returns and line
feeds from parameters they send to the IRC component are vulnerable to
this security hole. For example, passing an argument of "foo bar\rQUIT"
to the 'privmsg' handler will cause the client to disconnect from the
server.
All versions of POE::Component::IRC are affected.
This has been patched upstream (relevant commits:
http://github.com/bingos/poe-component-irc/compare/d2ead04...675f55cd)
and included in the latest release (version 6.32).
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (900, 'testing'), (800, 'unstable'), (700, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32.12-x86_64-linode12 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
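Added example (not from the bug report and not POE::Component::IRC's own code) illustrating the report above: an IRC client line is built by interpolating a parameter, so a bare "\r" inside the PRIVMSG text terminates that message early and the server reads what follows ("QUIT") as a second command. The hardened builder applies the fix described in the changelog (strip \r and \n from every parameter before the line is assembled); the server-side splitter is a constructed model of the lenient line tokenisation most IRC servers use, not a real server.

```python
import re

CRLF = "\r\n"
# Characters that terminate an IRC message on the wire.
_CR_LF = re.compile(r"[\r\n]")

def build_privmsg_unsafe(target: str, text: str) -> str:
    """Pre-fix behaviour: the caller's parameters go into the line verbatim."""
    return f"PRIVMSG {target} :{text}{CRLF}"

def sanitize_param(value: str) -> str:
    """The fix from 5.84+dfsg-1+lenny1: filter out every \\r and \\n.

    Removal (rather than rejection) is assumed here because the changelog
    says "filter out"; rejecting the whole message is a stricter option.
    """
    return _CR_LF.sub("", value)

def build_privmsg_safe(target: str, text: str) -> str:
    """Hardened builder: sanitize each parameter, then append the terminator."""
    return f"PRIVMSG {sanitize_param(target)} :{sanitize_param(text)}{CRLF}"

def split_server_side(raw: str) -> list[str]:
    """Constructed model of how an IRC server tokenises its inbound stream:
    CRLF, a lone CR or a lone LF each end a message (servers are lenient)."""
    return [line for line in re.split(r"\r\n|\r|\n", raw) if line]

def commands_seen(raw: str) -> list[str]:
    """Command verb of every message the server would parse from `raw`."""
    return [line.split(" ", 1)[0] for line in split_server_side(raw)]

if __name__ == "__main__":
    payload = "foo bar\rQUIT"          # the exact argument from the report
    print(commands_seen(build_privmsg_unsafe("#chan", payload)))  # PRIVMSG, QUIT
    print(commands_seen(build_privmsg_safe("#chan", payload)))    # PRIVMSG only
```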
--- Begin Message ---
Source: libpoe-component-irc-perl
Source-Version: 5.84+dfsg-1+lenny1
We believe that the bug you reported is fixed in the latest version of
libpoe-component-irc-perl, which is due to be installed in the Debian FTP
archive:
libpoe-component-irc-perl_5.84+dfsg-1+lenny1.diff.gz
to
main/libp/libpoe-component-irc-perl/libpoe-component-irc-perl_5.84+dfsg-1+lenny1.diff.gz
libpoe-component-irc-perl_5.84+dfsg-1+lenny1.dsc
to
main/libp/libpoe-component-irc-perl/libpoe-component-irc-perl_5.84+dfsg-1+lenny1.dsc
libpoe-component-irc-perl_5.84+dfsg-1+lenny1_all.deb
to
main/libp/libpoe-component-irc-perl/libpoe-component-irc-perl_5.84+dfsg-1+lenny1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ansgar Burchardt <[email protected]> (supplier of updated
libpoe-component-irc-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 04 Aug 2010 04:47:59 +0900
Source: libpoe-component-irc-perl
Binary: libpoe-component-irc-perl
Architecture: source all
Version: 5.84+dfsg-1+lenny1
Distribution: stable
Urgency: high
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Ansgar Burchardt <[email protected]>
Description:
libpoe-component-irc-perl - a fully event-driven IRC client module
Closes: 581194
Changes:
libpoe-component-irc-perl (5.84+dfsg-1+lenny1) stable; urgency=high
.
* Filter out \r and \n in commands to prevent command injection.
(Closes: #581194)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---