
registry team mailing list archive

[Bug 609239] [NEW] Insufficient stripping of CR/LF allows arbitrary IRC command execution

 

*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: libpoe-component-irc-perl

POE::Component::IRC did not validate the arguments of commands to send
to the IRC server.  If a user could trick a bot into sending a string
containing \r or \n, this would allow injection of arbitrary IRC
commands.  This was fixed upstream in versions 6.14, 6.30 and finally
solved in 6.32.

I prepared a patch for Lenny (5.84+dfsg-1) that should also apply for
later versions. See http://bugs.debian.org/581194.

** Affects: libpoe-component-irc-perl (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: libpoe-component-irc-perl (Debian)
     Importance: Unknown
         Status: Unknown

** Visibility changed to: Public

** Bug watch added: Debian Bug tracker #581194
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581194

** Also affects: libpoe-component-irc-perl (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581194
   Importance: Unknown
       Status: Unknown

-- 
Insufficient stripping of CR/LF allows arbitrary IRC command execution
https://bugs.launchpad.net/bugs/609239
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for Debian.
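The injection the report describes, shown as an added example rather than code from POE::Component::IRC or its Debian patch. It is written in Python instead of Perl so it runs stand-alone; the function names, the channel and nick names, the NickServ line and the attacker payload are all constructed for illustration. The vulnerable builder interpolates a user-supplied argument straight into the outbound line, a lenient server splits that buffer on CR, LF or CRLF, and the patched builder strips those characters from each argument before serialising.

```python
import re

CRLF = "\r\n"

# Constructed attacker input: text a user sends to a bot that relays user
# text into its own PRIVMSG. The embedded line terminators smuggle two extra
# commands after the one the bot intended to send. Channel and nick names
# are made up for this example.
PAYLOAD = "hello\r\nJOIN #secret\nPRIVMSG NickServ :IDENTIFY hunter2"


def build_privmsg_vulnerable(target: str, text: str) -> str:
    # Pre-fix behaviour: the argument is interpolated untouched, so any CR
    # or LF inside it terminates the line early on the wire.
    return f"PRIVMSG {target} :{text}{CRLF}"


def strip_crlf(arg: str) -> str:
    # Remove every CR and LF from one argument so it cannot end the line.
    # This is the "stripping" the bug title refers to; it says nothing about
    # other protocol delimiters (NUL, or spaces in non-trailing parameters).
    return arg.replace("\r", "").replace("\n", "")


def build_privmsg_fixed(target: str, text: str) -> str:
    # Post-fix behaviour: every argument is sanitised before serialising,
    # so the payload collapses into the single intended PRIVMSG.
    return f"PRIVMSG {strip_crlf(target)} :{strip_crlf(text)}{CRLF}"


def server_side_lines(wire: str) -> list[str]:
    # Split the outbound buffer the way a lenient server does: CRLF is the
    # RFC 1459 terminator, but most implementations also accept a bare CR
    # or a bare LF, so any of the three ends a command.
    return [line for line in re.split(r"\r\n|\r|\n", wire) if line]


def commands_sent(wire: str) -> list[str]:
    # The first token of each line is the command the server will execute.
    return [line.split(" ", 1)[0] for line in server_side_lines(wire)]


if __name__ == "__main__":
    for name, builder in (("vulnerable", build_privmsg_vulnerable),
                          ("fixed", build_privmsg_fixed)):
        wire = builder("#chan", PAYLOAD)
        print(f"{name}: {commands_sent(wire)}")
        for line in server_side_lines(wire):
            print("   ", repr(line))
```

Running it shows the vulnerable builder emitting three commands (PRIVMSG, JOIN, PRIVMSG) from one call, while the fixed builder emits exactly one. Stripping rather than rejecting means the injected text survives, concatenated into the message body; that matches the fix the title describes and is harmless at the protocol level, but a bot that wants to preserve readability could replace the terminators with a space instead.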


