Hi,

I intend to 0-day NMU this bug since it has been open for quite some time now and is easy to fix. The attached patch fixes the issue for weechat-scripts. The patch will also be archived on: http://people.debian.org/~nion/nmu-diff/weechat-scripts_20070425_20070425-0.1.patch

Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -Nru /tmp/U4i0fpKPcg/weechat-scripts-20070425/debian/changelog /tmp/DDT29B7B0g/weechat-scripts-20070425/debian/changelog --- /tmp/U4i0fpKPcg/weechat-scripts-20070425/debian/changelog 2007-04-25 16:52:13.000000000 +0200 +++ /tmp/DDT29B7B0g/weechat-scripts-20070425/debian/changelog 2007-09-15 16:04:18.000000000 +0200 @@ -1,3 +1,11 @@ +weechat-scripts (20070425-0.1) unstable; urgency=high + + * Non-maintainer upload by testing security team. + * Fixed CRLF injection vulnerabilities in xmms.pl and + now-playing.rb (CVE-2007-4398) (Closes: #439839). + + -- Nico Golde <[EMAIL PROTECTED]> Sat, 15 Sep 2007 16:02:38 +0200 + weechat-scripts (20070425) unstable; urgency=low * New upstream CVS snapshot diff -Nru /tmp/U4i0fpKPcg/weechat-scripts-20070425/perl/xmms.pl /tmp/DDT29B7B0g/weechat-scripts-20070425/perl/xmms.pl --- /tmp/U4i0fpKPcg/weechat-scripts-20070425/perl/xmms.pl 2007-03-18 09:10:55.000000000 +0100 +++ /tmp/DDT29B7B0g/weechat-scripts-20070425/perl/xmms.pl 2007-09-15 16:01:34.000000000 +0200 @@ -49,12 +49,14 @@ push @db,$tmp; } } + $db[12] =~ s/[\n\r]/ /g; if (($db[7]!=-1) && ($db[7]!=0)) { weechat::command("/me np: $db[12]"); } else { + $db[13] =~ s/[\n\r]/ /g; weechat::command("/me np: $db[12] ($db[13])"); } @db = (); diff -Nru /tmp/U4i0fpKPcg/weechat-scripts-20070425/ruby/now-playing.rb /tmp/DDT29B7B0g/weechat-scripts-20070425/ruby/now-playing.rb --- /tmp/U4i0fpKPcg/weechat-scripts-20070425/ruby/now-playing.rb 2007-03-18 09:10:55.000000000 +0100 +++ /tmp/DDT29B7B0g/weechat-scripts-20070425/ruby/now-playing.rb 2007-09-15 16:02:32.000000000 +0200 @@ -40,6 +40,12 @@ end end end + + # Fix vulnerability where names with \n or \r can execute IRC commands: + # See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4398 + artist.gsub!(/[\n\r]/, ' ') + title.gsub!(/[\n\r]/, ' ') + if !artist.empty? && !title.empty? "#{artist} - #{title}" else
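Review bot: In the xmms.pl hunk the CR/LF stripping is applied per field and at two different places (`$db[12]` before the `if`, `$db[13]` only inside the `else`), so the fix relies on every interpolated element being remembered individually. Consider assembling the message first and sanitizing it once directly before the call, for example `$msg =~ s/[\n\r]/ /g;` followed by `weechat::command($msg);`, so that both branches and any field interpolated later pass through the same check.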
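Review bot: In the now-playing.rb hunk only `artist` and `title` are cleaned, and the body of the `else` branch lies outside the context shown, so the patch alone does not show that the fallback value is free of `\n` and `\r`. Please confirm the fallback is built only from these two variables, or apply the `gsub(/[\n\r]/, ' ')` to the string that is finally returned rather than to the inputs, which would cover both branches with one substitution.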