Bug 663801

Summary: perl-POE-Component-IRC: arbitrary IRC command execution due to insufficient stripping of CR/LF
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: cweyl, iarnell, perl-devel
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-17 06:10:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 663803
Bug Blocks:

Description Vincent Danen 2010-12-16 21:17:49 UTC
It was reported [1] that IRC bots that do not take care of removing carriage returns and line feeds from parameters that they send to the IRC component are vulnerable to potential arbitrary IRC command execution.  An example would be passing an argument of 'foo bar\rQUIT' to the 'privmsg' handler to cause the client to disconnect from the server.

This has been corrected [2] upstream in version 6.32.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581194
[2] https://github.com/bingos/poe-component-irc/compare/d2ead04...675f55cd
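
The defect described above is a protocol-level one: an IRC message ends at a line terminator, so a CR or LF embedded in a parameter ends the intended message early and whatever follows is parsed by the server as a fresh command. The following is an added illustration written for this tracker entry; it is not code from POE::Component::IRC or from the upstream fix, and it uses Python rather than Perl only so the framing behaviour can be shown end to end. The function and module names (`strip_crlf`, `build_privmsg`, `server_split`, `check_param`) are my own, and the server-side splitter is a deliberately simplified model that treats any CR, LF or CRLF as a terminator, which is the lenient framing that makes a bare `\r` in the page's example sufficient.

```python
"""Illustration of CR/LF injection into IRC lines and of stripping it first.

Added example for this bug entry; not part of POE::Component::IRC.
"""
import re

# Any carriage return or line feed inside a parameter is a framing break.
CRLF_RE = re.compile(r"[\r\n]")


def strip_crlf(text: str) -> str:
    """Remove CR and LF from a parameter before it is placed in an IRC line.

    This mirrors the stripping approach the page says upstream 6.32 adopted;
    the regex itself is an assumption, not copied from upstream.
    """
    return CRLF_RE.sub("", text)


def check_param(text: str) -> str:
    """Stricter alternative: refuse a parameter containing CR or LF instead of
    silently altering it. Returns the parameter unchanged when it is clean."""
    if CRLF_RE.search(text):
        raise ValueError("IRC parameter contains CR/LF")
    return text


def build_privmsg(target: str, text: str, sanitize: bool = True) -> str:
    """Format a PRIVMSG line terminated by CRLF.

    sanitize=False models a component that trusts caller-supplied parameters,
    i.e. the behaviour the bug report describes; sanitize=True strips CR/LF.
    """
    if sanitize:
        target = strip_crlf(target)
        text = strip_crlf(text)
    return f"PRIVMSG {target} :{text}\r\n"


def server_split(stream: str) -> list[str]:
    """Toy model of server-side framing: split the client byte stream into
    messages at CRLF, bare CR or bare LF, and return each message's command
    verb. Real servers differ in details; the point is that an embedded
    terminator yields a second, unintended command."""
    messages = [m for m in re.split(r"\r\n|\r|\n", stream) if m]
    return [m.split(" ", 1)[0] for m in messages]


if __name__ == "__main__":
    # Constructed input modelled on the page's example: the text a bot would
    # pass through to the privmsg handler.
    user_text = "foo bar\rQUIT"

    unsafe = build_privmsg("#chan", user_text, sanitize=False)
    print("unsafe stream ->", server_split(unsafe))   # ['PRIVMSG', 'QUIT']

    safe = build_privmsg("#chan", user_text)
    print("safe stream   ->", server_split(safe))     # ['PRIVMSG']

    try:
        check_param(user_text)
    except ValueError as exc:
        print("strict check  ->", exc)
```

Stripping keeps the caller's message flowing with the terminator characters removed (the body becomes `foo barQUIT`), which is the least disruptive fix for a library whose callers were never told to sanitize; rejecting with `check_param` is the choice to make in a bot that builds the parameters itself and can treat CR/LF in them as a sign of tampered input.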

Comment 1 Vincent Danen 2010-12-16 21:19:19 UTC
Created perl-POE-Component-IRC tracking bugs for this issue

Affects: fedora-all [bug 663803]

Comment 2 Iain Arnell 2010-12-17 06:10:07 UTC
This was already fixed in bug #591215.

*** This bug has been marked as a duplicate of bug 591215 ***

Comment 3 Vincent Danen 2010-12-17 15:35:42 UTC
Oh, sad.  I even filed the other bug.  Sorry about that.  I'll add the CVE alias to the other bug then.  Thanks!