It was reported [1] that IRC bots that do not take care of removing carriage returns and line feeds from parameters that they send to the IRC component are vulnerable to potential arbitrary IRC command execution. An example would be passing an argument of 'foo bar\rQUIT' to the 'privmsg' handler to cause the client to disconnect from the server. This has been corrected [2] upstream in version 6.32.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581194
[2] https://github.com/bingos/poe-component-irc/compare/d2ead04...675f55cd
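The report's 'foo bar\rQUIT' case, traced on the wire, as an added example that is not part of the original report and not POE::Component::IRC's code. All function names are hypothetical, the inputs are constructed, and it assumes a server that ends a message at a CR or an LF; truncating at the first line break is one possible policy, and rejecting the message is another.

```python
import re

# Assumption: the server treats any run of CR/LF as a message terminator,
# which is what makes the bare CR in the report's example effective.
_TERMINATOR = re.compile(r"[\r\n]+")
# Bytes that must never appear inside a single IRC parameter.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_privmsg_unsafe(target, text):
    """Behaviour described in the report: parameters reach the socket as-is."""
    return f"PRIVMSG {target} :{text}\r\n".encode()


def strip_param(value):
    """Keep only the part of a parameter before the first CR, LF or NUL."""
    return _FORBIDDEN.split(value, maxsplit=1)[0]


def build_privmsg_safe(target, text):
    """Sanitise every parameter before it is serialised into one line."""
    target = strip_param(target)
    # A middle parameter cannot be empty or contain a space; a space would
    # shift the remaining text into extra parameters.
    if not target or " " in target:
        raise ValueError("invalid PRIVMSG target")
    return f"PRIVMSG {target} :{strip_param(text)}\r\n".encode()


def commands_seen_by_server(wire):
    """Split a byte stream into the individual messages a server would parse."""
    return [line for line in _TERMINATOR.split(wire.decode()) if line]


if __name__ == "__main__":
    payload = "foo bar\rQUIT"  # constructed input, taken from the report
    for build in (build_privmsg_unsafe, build_privmsg_safe):
        print(build.__name__, commands_seen_by_server(build("#chan", payload)))
```

The same stripping applies to every command that carries user-controlled parameters, not only PRIVMSG.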
Created perl-POE-Component-IRC tracking bugs for this issue

Affects: fedora-all [bug 663803]
This was already fixed in bug #591215.

*** This bug has been marked as a duplicate of bug 591215 ***
Oh, sad. I even filed the other bug. Sorry about that. I'll add the CVE alias to the other bug then. Thanks!