
Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution



clone 581194 -1
reassign -1 release.debian.org
retitle  -1 pu: libpoe-component-irc-perl/5.84+dfsg-1+lenny1
severity -1 normal
tags     -1 =
user     release.debian.org@packages.debian.org
usertags -1 + pu
thanks

Hi,

libpoe-component-irc-perl has a bug allowing injection of IRC commands
in scripts not stripping \r and \n [1].  I prepared the attached patch to
fix this problem for Lenny.

The security team says this issue should be fixed in the next point
release and not via an upload to stable-security (see below).  Should we
go ahead and upload the proposed patch to stable?

Regards,
Ansgar

[1] <http://bugs.debian.org/581194>

Luciano Bello <luciano@debian.org> writes:
> Since the problem affects only IRC commands in scripts that don't remove CR/LF
> from parameters they send to the IRC component, the problem should be fixed via
> a stable-proposed-update. Can you (or somebody else in the perl group) please
> make this upload? Remember to contact debian-release@lists.d.o attaching the
> debdiff.

diff -u libpoe-component-irc-perl-5.84+dfsg/debian/changelog libpoe-component-irc-perl-5.84+dfsg/debian/changelog
--- libpoe-component-irc-perl-5.84+dfsg/debian/changelog
+++ libpoe-component-irc-perl-5.84+dfsg/debian/changelog
@@ -1,3 +1,10 @@
+libpoe-component-irc-perl (5.84+dfsg-1+lenny1) UNRELEASED; urgency=high
+
+  * Filter out \r and \n in commands to prevent command injection.
+    (Closes: #581194)
+
+ -- Ansgar Burchardt <ansgar@43-1.org>  Sat, 24 Jul 2010 00:42:34 +0900
+
 libpoe-component-irc-perl (5.84+dfsg-1) unstable; urgency=low
 
   * New upstream release(s).
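
Review bot: The distribution in the new changelog header is still UNRELEASED and needs to be set to the target suite before the upload. The entry could also name the added patch file (filter-out-newline-in-arguments.patch) and say that it is a backport of the upstream commit, so the origin of the fix is visible from the changelog alone.
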
diff -u libpoe-component-irc-perl-5.84+dfsg/debian/patches/series libpoe-component-irc-perl-5.84+dfsg/debian/patches/series
--- libpoe-component-irc-perl-5.84+dfsg/debian/patches/series
+++ libpoe-component-irc-perl-5.84+dfsg/debian/patches/series
@@ -1,0 +2 @@
+filter-out-newline-in-arguments.patch
only in patch2:
unchanged:
--- libpoe-component-irc-perl-5.84+dfsg.orig/debian/patches/filter-out-newline-in-arguments.patch
+++ libpoe-component-irc-perl-5.84+dfsg/debian/patches/filter-out-newline-in-arguments.patch
@@ -0,0 +1,23 @@
+From: Ansgar Burchardt <ansgar@43-1.org>
+Date: Sat, 24 Jul 2010 00:54:55 +0900
+Subject: Filter out newlines in arguments
+Bug-Debian: http://bugs.debian.org/581194
+Origin: backport, http://github.com/bingos/poe-component-irc/commit/675f55cd40ceebbc1bd2f309311a066bed41d869
+
+Filter out \n and \r passed as arguments to commands as this would allow the
+user to submit raw IRC commands.
+
+[ upstream patch by Hinrik Örn Sigurðsson <hinrik.sig@gmail.com> ]
+
+--- libpoe-component-irc-perl.orig/lib/POE/Component/IRC.pm
++++ libpoe-component-irc-perl/lib/POE/Component/IRC.pm
+@@ -1203,6 +1203,9 @@
+     my $now = time();
+     $self->{send_time} = $now if $self->{send_time} < $now;
+     
++    # if we find a newline in the message, take that to be the end of it    
++    $msg =~ s/[\015\012].*//s;
++
+     if (bytes::length($msg) > $self->{msg_length} - bytes::length($self->nick_name())) {
+         $msg = bytes::substr($msg, 0, $self->{msg_length} - bytes::length($self->nick_name()));
+     }
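
Review bot: In the hunk against lib/POE/Component/IRC.pm, the substitution `$msg =~ s/[\015\012].*//s;` silently discards everything from the first CR or LF onward, so a caller that passes multi-line text gets a truncated message with no warning; for a stable update that behaviour change deserves a line in the changelog or the module documentation. The added comment says "newline" although the character class also matches a bare CR (\015), and the comment line ends in trailing whitespace. Running the filter before the bytes::length check is the right order, since the length limit then applies to the already truncated message. The debdiff adds no test; one that passes an argument containing \r\n and checks that only the text before it is sent would guard the fix against regressions.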
