Ubuntu
libpoe-component-irc-perl package

Insufficient stripping of CR/LF allows arbitrary IRC command execution

Bug #609239 reported by Ansgar Burchardt on 2010-07-23

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	libpoe-component-irc-perl (Debian)	Fix Released	Unknown	debbugs #581194
	libpoe-component-irc-perl (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

Binary package hint: libpoe-component-irc-perl

POE::Component::IRC did not validate the arguments of commands to send
to the IRC server. If a user could trick a bot into sending a string
containing \r or \n, this would allow injection or arbitrary IRC
commands. This was fixed upstream in versions 6.14, 6.30 and finally
solved in 6.32.

I prepared a patch for Lenny (5.84+dfsg-1) that should also apply for later versions. See http://bugs.debian.org/581194.

Ansgar Burchardt (aburch) on 2010-07-23

visibility:

private → public

Bug Watch Updater (bug-watch-updater) on 2010-07-23

Changed in libpoe-component-irc-perl (Debian):
status:	Unknown → Fix Released

Marc Deslauriers (mdeslaur) on 2010-08-09

Changed in libpoe-component-irc-perl (Ubuntu):
status:	New → Confirmed

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #581194
[done grave upstream security fixed-upstream patch] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntulibpoe-component-irc-perl package

Insufficient stripping of CR/LF allows arbitrary IRC command execution

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
libpoe-component-irc-perl package