Bug#591511: Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution
- To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Cc: 591511@bugs.debian.org
- Subject: Bug#591511: Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution
- From: Ansgar Burchardt <ansgar@43-1.org>
- Date: Wed, 04 Aug 2010 03:45:36 +0900
- Message-id: <[🔎] 8762zrbkmn.fsf@marvin.43-1.org>
- Reply-to: Ansgar Burchardt <ansgar@43-1.org>, 591511@bugs.debian.org
- In-reply-to: <9f2a072dd1e6ca0a2b48a40c1f635e01.squirrel__30538.2165745415$1280860410$gmane$org@adsl.funkybadger.org> (Adam D. Barratt's message of "Tue, 3 Aug 2010 14:32:17 -0400")
- References: <87eieurubh.fsf@marvin.43-1.org> <87zkx4cf46.fsf@marvin.43-1.org> <201008031359.07457.luciano@debian.org> <[🔎] 87r5ifbnz1.fsf@marvin.43-1.org> <9f2a072dd1e6ca0a2b48a40c1f635e01.squirrel__30538.2165745415$1280860410$gmane$org@adsl.funkybadger.org>
Hi,
"Adam D. Barratt" <adam@adam-barratt.org.uk> writes:
> On Tue, August 3, 2010 13:33, Ansgar Burchardt wrote:
>> libpoe-component-irc-perl has a bug allowing injection of IRC commands
>> in scripts not stripping \r and \n [1]. I prepared the attached patch to
>> fix this problem for Lenny.
>>
>> The security team says this issue should be fixed in the next point
>> release and not via an upload to stable-security (see below). Should we
>> go ahead and upload the proposed patch to stable?
>
> The upstream commits referenced in the bug report contain two changes -
> the one you've included in your patch, and 4f46c293, which applies
> (assuming the function name is accurate) to privmsgs and notices. Does
> the later patch render the earlier one unnecessary, or should both be
> included? The commit message for 4f46c293 implies that it was intended as
> a security fix.
I think you refer to this part of the upstream patch [1]:
- my @messages = split /\n/, $message;
+ my @messages = split /[\n\r]/, $message;
This is not needed for Debian: the split statement was introduced in [2]
in a first attempt to fix the injection problem and later updated to
include \r as well. But upstream has reverted to the old behavior
already [3]: messages are no longer split; only everything after \r and
\n is stripped from messages before sending.
I contacted upstream on IRC before preparing the package because I was a
bit unsure about this part as well and they confirmed that including
only
+ # if we find a newline in the message, take that to be the end of it
+ $msg =~ s/[\015\012].*//s;
should be enough to fix the issue.
Regards,
Ansgar
[1] <http://github.com/bingos/poe-component-irc/commit/4f46c29376359b3d7c5b5cd400115103fdef9ca8>
[2] <http://github.com/bingos/poe-component-irc/commit/76966466f5e05ff6ba851b3029b318e2f4c2f216>
[3] <http://github.com/bingos/poe-component-irc/commit/9e2a01af6a908f9c1c97431bcbc5f483a7a99e2f>
Reply to: