Hi,

POE::Component::IRC did not validate the arguments of commands to send to the IRC server. If a user could trick a bot into sending a string containing \r or \n, this would allow injection of arbitrary IRC commands. This was fixed upstream in versions 6.14, 6.30 and finally solved in 6.32.
Lenny is also affected by this problem. It can be reproduced using the attached minimalistic IRC bot in 581194.pl: using libpoe-component-perl from Lenny the bot will exit from IRC after seeing a message in #test-1234 and replying to it.

I prepared a patch using the same fix as upstream introduced in 6.32: stripping \r and \n and any following characters from commands being sent. Upstream confirmed in IRC that this should be enough to fix the bug.

Security Team: Should we upload the proposed fix to stable-security or should this rather be fixed in the next point release of Lenny?

Regards,
Ansgar
diff -u libpoe-component-irc-perl-5.84+dfsg/debian/changelog libpoe-component-irc-perl-5.84+dfsg/debian/changelog --- libpoe-component-irc-perl-5.84+dfsg/debian/changelog +++ libpoe-component-irc-perl-5.84+dfsg/debian/changelog @@ -1,3 +1,10 @@ +libpoe-component-irc-perl (5.84+dfsg-1+lenny1) UNRELEASED; urgency=high + + * Filter out \r and \n in commands to prevent command injection. + (Closes: #581194) + + -- Ansgar Burchardt <ans...@43-1.org> Sat, 24 Jul 2010 00:42:34 +0900 + libpoe-component-irc-perl (5.84+dfsg-1) unstable; urgency=low * New upstream release(s). diff -u libpoe-component-irc-perl-5.84+dfsg/debian/patches/series libpoe-component-irc-perl-5.84+dfsg/debian/patches/series --- libpoe-component-irc-perl-5.84+dfsg/debian/patches/series +++ libpoe-component-irc-perl-5.84+dfsg/debian/patches/series @@ -1,0 +2 @@ +filter-out-newline-in-arguments.patch only in patch2: unchanged: --- libpoe-component-irc-perl-5.84+dfsg.orig/debian/patches/filter-out-newline-in-arguments.patch +++ libpoe-component-irc-perl-5.84+dfsg/debian/patches/filter-out-newline-in-arguments.patch 
@@ -0,0 +1,23 @@ +From: Ansgar Burchardt <ans...@43-1.org> +Date: Sat, 24 Jul 2010 00:54:55 +0900 +Subject: Filter out newlines in arguments +Bug-Debian: http://bugs.debian.org/581194 +Origin: backport, http://github.com/bingos/poe-component-irc/commit/675f55cd40ceebbc1bd2f309311a066bed41d869 + +Filter out \n and \r passed as arguments to commands as this would allow the +user to submit raw IRC commands. + +[ upstream patch by Hinrik Örn Sigurðsson <hinrik....@gmail.com> ] + +--- libpoe-component-irc-perl.orig/lib/POE/Component/IRC.pm ++++ libpoe-component-irc-perl/lib/POE/Component/IRC.pm +@@ -1203,6 +1203,9 @@ + my $now = time(); + $self->{send_time} = $now if $self->{send_time} < $now; + ++ # if we find a newline in the message, take that to be the end of it ++ $msg =~ s/[\015\012].*//s; ++ + if (bytes::length($msg) > $self->{msg_length} - bytes::length($self->nick_name())) { + $msg = bytes::substr($msg, 0, $self->{msg_length} - bytes::length($self->nick_name())); + }
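Review bot: the new debian/changelog entry still carries the distribution UNRELEASED while the covering mail asks for a stable-security upload; set the suite field to the target (stable-security or stable, depending on the Security Team's answer) before building, otherwise the upload is rejected or lands nowhere. The version 5.84+dfsg-1+lenny1 and urgency=high are already in the shape a stable update wants, so only that one field is left over from the work in progress.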
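Review bot: the substitution `$msg =~ s/[\015\012].*//s;` in the IRC.pm hunk silently discards everything from the first CR or LF onwards, so a bot that passes "foo\nQUIT" delivers only "foo" and gets no signal that part of its message was dropped; consider emitting a warning (or at least stating the truncation behaviour in the patch description next to "take that to be the end of it") so bot authors can tell a truncated message from a clean one. The placement is otherwise right: it runs after the send_time bookkeeping and before the bytes::length clamp, so the clamp measures the already-filtered message rather than the injected tail.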
581194.pl (the attached reproducer):

#! /usr/bin/perl
use strict;
use warnings;
use POE qw(Component::IRC);

my $nick     = "test-$$";
my $ircname  = "Test";
my $server   = "irc.example.com";
my @channels = ('#test-1234');

my $irc = POE::Component::IRC->spawn(
    nick    => $nick,
    ircname => $ircname,
    server  => $server,
) or die "Could not spawn IRC: $!";

POE::Session->create(
    package_states => [
        main => [qw( _start irc_001 irc_public )],
    ],
    heap => { irc => $irc },
);

POE::Kernel->run();
exit;

sub _start {
    my $heap = $_[HEAP];
    my $irc  = $heap->{irc};
    $irc->yield(register => 'all');
    $irc->yield(connect  => {});
    return;
}

sub irc_001 {
    my $sender = $_[SENDER];
    my $irc    = $sender->get_heap();
    print "Connected to ", $irc->server_name(), "\n";
    $irc->yield(join => $_) for @channels;
    return;
}

sub irc_public {
    my ($sender, $who, $where, $what) = @_[SENDER, ARG0 .. ARG2];
    my $channel = $where->[0];
    # $irc here is the file-scoped handle spawned above.
    # With the unpatched module the embedded "\n" terminates the PRIVMSG and
    # "QUIT" goes out as a second command, so the bot disconnects and "bar"
    # is never delivered. With the patch the message is cut to "foo".
    $irc->yield(privmsg => $channel => "foo\nQUIT");
    $irc->yield(privmsg => $channel => "bar");
    return;
}
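To show concretely what the filter changes on the wire, here is a small stand-alone Perl sketch added to this report; it is not part of the bug report, the Debian package or upstream. The server-side framing (server_split) and the client appending CRLF (put_on_wire) are assumptions of the sketch; the substitution in filter_newlines is the one from the backported patch, and reject_newlines is a stricter alternative that the patch does not implement.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Raw command as POE::Component::IRC assembles it, before any line ending.
sub privmsg_command {
    my ($target, $text) = @_;
    return "PRIVMSG $target :$text";
}

# Assumption of this sketch: the client's output filter appends CRLF to
# every command it puts on the socket.
sub put_on_wire {
    my ($cmd) = @_;
    return "$cmd\015\012";
}

# Assumption of this sketch: the server frames its input at CR, LF or CRLF,
# so every embedded line break starts a new command.
sub server_split {
    my ($stream) = @_;
    return grep { length } split /\015\012|\015|\012/, $stream;
}

# The backported fix from filter-out-newline-in-arguments.patch:
# keep only the part of the message before the first CR or LF.
sub filter_newlines {
    my ($msg) = @_;
    $msg =~ s/[\015\012].*//s;
    return $msg;
}

# Stricter variant (not in the patch): refuse the message instead of
# silently truncating it, so the caller notices the bad input.
sub reject_newlines {
    my ($msg) = @_;
    return $msg =~ /[\015\012]/ ? undef : $msg;
}

# Constructed input, the same payload 581194.pl sends.
my $cmd = privmsg_command('#test-1234', "foo\nQUIT");

my @unpatched = server_split(put_on_wire($cmd));
my @patched   = server_split(put_on_wire(filter_newlines($cmd)));

printf "unpatched: %d command(s): %s\n", scalar @unpatched, join(' | ', @unpatched);
printf "patched:   %d command(s): %s\n", scalar @patched,   join(' | ', @patched);
printf "strict:    %s\n", defined reject_newlines($cmd) ? 'accepted' : 'rejected';
```

Run unpatched, the server sees a PRIVMSG followed by a separate QUIT; with the filter it sees a single PRIVMSG whose text has been cut to "foo" without any error reported to the bot.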