
Bug#591511: Bug#581194: libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution



On Tue, August 3, 2010 14:45, Ansgar Burchardt wrote:
> "Adam D. Barratt" <adam@adam-barratt.org.uk> writes:
>> The upstream commits referenced in the bug report contain two changes -
>> the one you've included in your patch, and 4f46c293, which applies
>> (assuming the function name is accurate) to privmsgs and notices.  Does
>> the later patch render the earlier one unnecessary, or should both be
>> included?  The commit message for 4f46c293 implies that it was intended
>> as a security fix.
>
> I think you refer to this part of the upstream patch [1]:
>
> -    my @messages = split /\n/, $message;
> +    my @messages = split /[\n\r]/, $message;
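Review bot: splitting on `/[\n\r]/` turns a CR LF pair into an empty element between the two halves, so a message containing `"\r\n"` would be sent as an extra empty message in addition to the two real pieces; `split /\r\n|[\r\n]/, $message` would treat the pair as one separator. As the reply notes, upstream has since reverted to stripping rather than splitting, so this hunk is moot for the Debian package either way.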
>
> This is not needed for Debian: the split statement was introduced in [2]
> in a first attempt to fix the injection problem and later updated to
> include \r as well.  But upstream has reverted to the old behavior
> already [3]: messages are no longer split; only everything after \r and
> \n is stripped from messages before sending.
>
> I contacted upstream on IRC before preparing the package because I was a
> bit unsure about this part as well and they confirmed that including
> only
>
> +    # if we find a newline in the message, take that to be the end of it
> +    $msg =~ s/[\015\012].*//s;
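Review bot: the substitution silently truncates at the first CR or LF, so a caller that passes a multi-line string gets only its first line sent with no indication that the rest was dropped; that behaviour deserves a sentence in the documentation of the sending method alongside the code comment. The `/s` modifier is needed here so that `.*` also consumes text past any further newlines, and the hunk includes it.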
>
> should be enough to fix the issue.

Thanks for the explanation; please go ahead with the upload.

Regards,

Adam
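The following is an added illustration of the problem discussed in this thread; it is not code from the bug report, the Debian patch, or POE::Component::IRC. It shows how a CR/LF inside a user-supplied message becomes a second IRC command when the text is placed into a protocol line unchanged, and contrasts the two mitigations quoted above: the since-reverted split on `[\n\r]`, and the `s/[\015\012].*//s` strip that the upload uses. The helper names (`build_privmsg`, `strip_after_crlf`, `split_on_crlf`, `count_commands`) and the sample message are constructed for this example.

```perl
#!/usr/bin/perl
# Added illustration of CR/LF injection into IRC protocol lines and of the
# two mitigations quoted in the thread. Not project code; helper names and
# the sample input are constructed for this example.
use strict;
use warnings;

# Build the raw PRIVMSG line as an IRC client would send it:
# "PRIVMSG <target> :<text>" terminated by CR LF. Hypothetical helper.
sub build_privmsg {
    my ($target, $text) = @_;
    return "PRIVMSG $target :$text\015\012";
}

# Mitigation the thread settles on: the first CR or LF is taken to be the
# end of the message and everything after it is discarded. The /s modifier
# lets "." match newline characters too, so the whole remainder is removed,
# not just the rest of the current line.
sub strip_after_crlf {
    my ($msg) = @_;
    $msg =~ s/[\015\012].*//s;
    return $msg;
}

# Earlier upstream approach (since reverted): split the text at CR or LF and
# send each piece as a separate message. A CR LF pair produces an empty
# element between the two pieces.
sub split_on_crlf {
    my ($msg) = @_;
    return split /[\n\r]/, $msg;
}

# Count the protocol commands a server would parse from a raw buffer: IRC
# lines are terminated by CR LF, and empty lines are ignored.
sub count_commands {
    my ($raw) = @_;
    my @lines = grep { length } split /\015\012/, $raw;
    return scalar @lines;
}

# Constructed sample: a chat message that carries a line terminator followed
# by a second command.
my $injected = "hello\015\012QUIT :bye";

my $raw_unsafe = build_privmsg('#channel', $injected);
my $raw_safe   = build_privmsg('#channel', strip_after_crlf($injected));

printf "unsanitized buffer: %d command(s)\n", count_commands($raw_unsafe);
printf "stripped buffer:    %d command(s)\n", count_commands($raw_safe);

my @pieces = split_on_crlf($injected);
printf "split approach:     %d piece(s): %s\n",
    scalar @pieces, join(', ', map { "'$_'" } @pieces);
```

Run with `perl` on any stock installation. The unsanitized buffer parses as two commands, the stripped buffer as one, and the split approach yields three pieces for this input because the CR LF pair leaves an empty element in the middle, which is the detail the first reviewer note above is about.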
