Your message dated Tue, 11 May 2010 21:43:33 +0000
with message-id <e1obxej-00009f...@ries.debian.org>
and subject line Bug#581194: fixed in libpoe-component-irc-perl 6.32+dfsg-1
has caused the Debian Bug report #581194,
regarding libpoe-component-irc-perl: Insufficient stripping of CR/LF allows arbitrary IRC command execution
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
581194: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581194
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpoe-component-irc-perl
Severity: important
Tags: patch


IRC bots which do not take care of removing carriage returns and line 
feeds from parameters they send to the IRC component are vulnerable to 
this security hole. For example, passing an argument of "foo bar\rQUIT"
to the 'privmsg' handler will cause the client to disconnect from the 
server.

All versions of POE::Component::IRC are affected.

This has been patched upstream (relevant commits:
http://github.com/bingos/poe-component-irc/compare/d2ead04...675f55cd)
and included in the latest release (version 6.32).

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (700, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32.12-x86_64-linode12 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--- End Message ---
--- Begin Message ---
Source: libpoe-component-irc-perl
Source-Version: 6.32+dfsg-1

We believe that the bug you reported is fixed in the latest version of
libpoe-component-irc-perl, which is due to be installed in the Debian FTP 
archive:

libpoe-component-irc-perl_6.32+dfsg-1.debian.tar.gz
  to main/libp/libpoe-component-irc-perl/libpoe-component-irc-perl_6.32+dfsg-1.debian.tar.gz
libpoe-component-irc-perl_6.32+dfsg-1.dsc
  to main/libp/libpoe-component-irc-perl/libpoe-component-irc-perl_6.32+dfsg-1.dsc
libpoe-component-irc-perl_6.32+dfsg-1_all.deb
  to main/libp/libpoe-component-irc-perl/libpoe-component-irc-perl_6.32+dfsg-1_all.deb
libpoe-component-irc-perl_6.32+dfsg.orig.tar.gz
  to main/libp/libpoe-component-irc-perl/libpoe-component-irc-perl_6.32+dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 581...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gre...@debian.org> (supplier of updated libpoe-component-irc-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 11 May 2010 22:10:30 +0200
Source: libpoe-component-irc-perl
Binary: libpoe-component-irc-perl
Architecture: source all
Version: 6.32+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintain...@lists.alioth.debian.org>
Changed-By: gregor herrmann <gre...@debian.org>
Description: 
 libpoe-component-irc-perl - POE Component for manipulating IRC sessions
Closes: 581194
Changes: 
 libpoe-component-irc-perl (6.32+dfsg-1) unstable; urgency=high
 .
   * New upstream release: doesn't allow arbitrary IRC command
     execution anymore:
     - IRC.pm: Split long messages on \r as well as \n. Plugs a security hole.
     - IRC.pm: Filter out \r in arguments to non-PRIVMSG commands too
     Closes: #581194
   * Set urgency to high.
Checksums-Sha1:
 875b2e933c6c9d73620e16926f6f2b729033a12e 2480 libpoe-component-irc-perl_6.32+dfsg-1.dsc
 51ed429dfa2a60cb5565957497676ebf4fbbdb3b 225332 libpoe-component-irc-perl_6.32+dfsg.orig.tar.gz
 312fb9f692fc9a088b126b18fbec44da8a1085fe 7035 libpoe-component-irc-perl_6.32+dfsg-1.debian.tar.gz
 ab151970348bdbbfc2dc1dd87838ce86dd0add7c 265498 libpoe-component-irc-perl_6.32+dfsg-1_all.deb
Checksums-Sha256:
 10f85cc8a68c51f536fbc5838a90ca208f0a1bc0af1815fb1d0ddd1660c18b07 2480 libpoe-component-irc-perl_6.32+dfsg-1.dsc
 855a7bfdba5fbf67901975804bd7d0219c3b47f699b6ea2b29901c175fd71d22 225332 libpoe-component-irc-perl_6.32+dfsg.orig.tar.gz
 1af80aeb26195839960e864c9579470da11a1049436059651518c439c7a462ba 7035 libpoe-component-irc-perl_6.32+dfsg-1.debian.tar.gz
 4b27fe814c0771da26c2cee1b2be8361a5718c52c9cd23278920dea4abd8309b 265498 libpoe-component-irc-perl_6.32+dfsg-1_all.deb
Files:
 ec1f8f9f6020016405e4a1c078aad4b1 2480 perl optional libpoe-component-irc-perl_6.32+dfsg-1.dsc
 16de5839e84b4d2f9da503398c6e5ffa 225332 perl optional libpoe-component-irc-perl_6.32+dfsg.orig.tar.gz
 1e3869b967b6bf46e90d9d4961667b0a 7035 perl optional libpoe-component-irc-perl_6.32+dfsg-1.debian.tar.gz
 aa185f0a6ae719544bb8d13332dd4f5a 265498 perl optional libpoe-component-irc-perl_6.32+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
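The bug report above describes the injection (a bare CR inside a PRIVMSG argument is read by the server as the end of that command, so the text after it runs as a new command), and the changelog describes the two upstream mitigations: splitting message text on \r as well as \n, and filtering \r out of the arguments of other commands. The Perl script below is an added, self-contained illustration of both; it is not code from POE::Component::IRC or from the Debian package. The `build_line`, `strip_crlf`, `split_lines` and `count_commands` subroutines, the `#channel` target and the line-building rules are all constructed for this example; only the `foo bar\rQUIT` input comes from the report.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for how a client turns a command and its arguments
# into one raw IRC line.  Any bare CR or LF that survives into $line is
# treated by the server as a line terminator, i.e. as the start of a new
# command.  This is NOT POE::Component::IRC's own code.
sub build_line {
    my ($command, @args) = @_;
    my $last = pop @args;
    # The final argument gets a ':' prefix when it contains whitespace,
    # is empty, or starts with ':' (the usual "trailing parameter" rule).
    $last = ":$last" if defined $last && $last =~ /\s|^:|^$/;
    return join(' ', $command, @args, (defined $last ? $last : ())) . "\r\n";
}

# Mitigation 1 (non-PRIVMSG arguments): remove CR and LF outright, so a
# nick, channel or topic argument can never terminate the line early.
sub strip_crlf {
    my ($arg) = @_;
    $arg =~ s/[\r\n]//g;
    return $arg;
}

# Mitigation 2 (message text): treat CR and LF as line breaks and emit one
# well-formed PRIVMSG per line, so "QUIT" becomes message text, not a command.
sub split_lines {
    my ($text) = @_;
    return grep { length } split /\r\n|\r|\n/, $text;
}

# Detection helper: how many protocol commands will the server actually
# parse out of this raw buffer?  Anything above 1 for a single send is a
# sign that an argument was not sanitised.
sub count_commands {
    my ($raw) = @_;
    my @cmds = grep { length } split /\r\n|\r|\n/, $raw;
    return scalar @cmds;
}

my $target = '#channel';           # constructed target
my $text   = "foo bar\rQUIT";      # the reporter's example input

# Unsanitised: the server sees a PRIVMSG followed by a QUIT (2 commands).
my $raw = build_line('PRIVMSG', $target, $text);
printf "unsanitised: %d command(s)\n", count_commands($raw);

# Hardened by stripping: exactly one command reaches the server.
my $stripped = build_line('PRIVMSG', $target, strip_crlf($text));
printf "stripped:    %d command(s)  %s", count_commands($stripped), $stripped;

# Hardened by splitting: each line is its own PRIVMSG, and "QUIT" is
# delivered as message text rather than executed as a command.
for my $line (split_lines($text)) {
    my $msg = build_line('PRIVMSG', $target, $line);
    printf "split:       %d command(s)  %s", count_commands($msg), $msg;
}

# The same stripping applies to arguments of other commands, as the
# changelog's second entry describes (constructed input).
print build_line('NICK', strip_crlf("newnick\nQUIT"));
```

Run it with `perl crlf_demo.pl` (any filename will do). The stripping variant is the right choice for single-token arguments such as nicks and channel names, where a line break has no legitimate meaning; the splitting variant preserves multi-line user text for PRIVMSG and NOTICE while still guaranteeing that every CR or LF ends up as a line boundary the client itself controls rather than one smuggled in by the argument.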