Insufficient stripping of CR/LF allows arbitrary IRC command execution

Bug #609239 reported by Ansgar Burchardt on 2010-07-23
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libpoe-component-irc-perl (Debian)
Fix Released
libpoe-component-irc-perl (Ubuntu)

Bug Description

Binary package hint: libpoe-component-irc-perl

POE::Component::IRC did not validate the arguments of commands to send
to the IRC server. If a user could trick a bot into sending a string
containing \r or \n, this would allow injection of arbitrary IRC
commands. This was fixed upstream in versions 6.14, 6.30 and finally
solved in 6.32.

I prepared a patch for Lenny (5.84+dfsg-1) that should also apply for later versions. See

visibility: private → public
Changed in libpoe-component-irc-perl (Debian):
status: Unknown → Fix Released
Changed in libpoe-component-irc-perl (Ubuntu):
status: New → Confirmed
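
The class of bug described in this report, shown as an added example that is not code from POE::Component::IRC or from the upstream fix: an argument containing CR/LF becomes a second command on the wire, and a check made before sending prevents it. The helper names and the sample input are hypothetical, and this check rejects the argument rather than stripping it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers for illustration; not the module's API.

# Unsafe: joins the arguments into one wire line without inspecting them.
sub build_line_unchecked {
    my ($command, @args) = @_;
    my $trailing = pop @args;
    return join(' ', $command, @args, ":$trailing") . "\r\n";
}

# Hardened: refuse any argument containing CR, LF or NUL, the octets that
# RFC 1459 section 2.3.1 excludes from message parameters.
sub build_line_checked {
    my ($command, @args) = @_;
    for my $arg ($command, @args) {
        die "control character in IRC argument\n" if $arg =~ /[\r\n\0]/;
    }
    return build_line_unchecked($command, @args);
}

# What the server parses: one command per CR/LF-terminated line.
sub server_view {
    my ($wire) = @_;
    return grep { length } split /\r?\n|\r/, $wire;
}

# Constructed input: text a bot relays, carrying an embedded line break.
my $untrusted = "hello\r\nPING :injected";

my @seen = server_view(build_line_unchecked('PRIVMSG', '#chan', $untrusted));
printf "unchecked: server sees %d command(s)\n", scalar @seen;
print "  $_\n" for @seen;

my $line = eval { build_line_checked('PRIVMSG', '#chan', $untrusted) };
if (defined $line) {
    print "checked: sent\n";
} else {
    chomp(my $err = $@);
    print "checked: rejected ($err)\n";
}

# Clean input still passes through unchanged.
print "checked, clean input: ", build_line_checked('PRIVMSG', '#chan', 'hello');
```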