
Bug#591511: Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution



On Tue, August 3, 2010 13:33, Ansgar Burchardt wrote:
> libpoe-component-irc-perl has a bug allowing injection of IRC commands
> in scripts not stripping \r and \n [1].  I prepared the attached patch to
> fix this problem for Lenny.
>
> The security team says this issue should be fixed in the next point
> release and not via an upload to stable-security (see below).  Should we
> go ahead and upload the proposed patch to stable?

The upstream commits referenced in the bug report contain two changes -
the one you've included in your patch, and 4f46c293, which applies
(assuming the function name is accurate) to privmsgs and notices.  Does
the later patch render the earlier one unnecessary, or should both be
included?  The commit message for 4f46c293 implies that it was intended as
a security fix.

Regards,

Adam
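To illustrate the class of bug under discussion (a script passing text containing \r or \n straight into an IRC command, so the server reads it as more than one command), here is a small stand-alone Perl script. It is an added example written for this thread, not code from POE::Component::IRC or from either patch; `build_privmsg`, `split_irc_lines` and `strip_crlf` are names made up for the illustration, and the input string is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build the raw wire line a client sends for a PRIVMSG.
# Hypothetical helper for this illustration, not the library's own API.
sub build_privmsg {
    my ($target, $text) = @_;
    return "PRIVMSG $target :$text\r\n";
}

# Split a byte stream into protocol lines the way an IRC server does:
# CR and/or LF terminate a command, so an embedded newline in the text
# starts a new, separate command.
sub split_irc_lines {
    my ($stream) = @_;
    return grep { length } split /\r\n|\r|\n/, $stream;
}

# Mitigation: remove every CR/LF from untrusted text before it reaches
# the wire. Runs of newline characters are collapsed into one space so the
# message stays readable but cannot terminate the command early.
sub strip_crlf {
    my ($text) = @_;
    $text =~ s/[\r\n]+/ /g;
    return $text;
}

# Constructed input: text from an untrusted source that contains a newline
# followed by what the server would parse as a second command.
my $untrusted = "hello\r\nNOTICE #chan :injected";

my @unsafe = split_irc_lines(build_privmsg('#chan', $untrusted));
my @safe   = split_irc_lines(build_privmsg('#chan', strip_crlf($untrusted)));

printf "without stripping: %d command(s)\n", scalar @unsafe;
printf "with stripping:    %d command(s)\n", scalar @safe;
print  "  $_\n" for @safe;
```

Running it shows the unstripped message arriving at the server as two commands and the stripped one as a single PRIVMSG; the stripping belongs in the library (as the patches do it) so that every calling script gets it, rather than relying on each script to remember.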