Debian Bug report logs - #439840
CVE-2007-4398, CVE-2007-4396: Multiple CRLF injection vulnerabilities
Reported by: Stefan Fritsch <sf@sfritsch.de>
Date: Mon, 27 Aug 2007 20:33:05 UTC
Severity: minor
Tags: moreinfo, security
Found in version irssi-scripts/20061009
Fixed in version irssi-scripts/20070925
Done: Christoph Berg <myon@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Julien Louis <ptitlouis@sysif.net>: Bug#439839; Package weechat-scripts.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Julien Louis <ptitlouis@sysif.net>.
Message #5 received at submit@bugs.debian.org:
Package: weechat-scripts
Version: 20060821
Severity: minor
Tags: security
A vulnerability has been found in some IRC scripts. From CVE-2007-4398:
"Multiple CRLF injection vulnerabilities in the (1) now-playing.rb and
(2) xmms.pl 1.1 scripts for weechat allow user-assisted remote
attackers to execute arbitrary IRC commands via CRLF sequences in the
name of the song in a .mp3 file."
Severity minor since the attack vector is rather obscure.
Please mention the CVE id in the changelog.
Bug 439839 cloned as bug 439840. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Mon, 27 Aug 2007 20:36:05 GMT)
Bug marked as found in version 20061009. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Mon, 27 Aug 2007 20:36:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>: Bug#439840; Package irssi-scripts.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>.
Message #16 received at 439840@bugs.debian.org:
retitle 439840 CVE-2007-4398, CVE-2007-4396: Multiple CRLF injection vulnerabilities
thanks
Hi,
there is another CVE related to this problem.
CVE-2007-4396[0]:
Multiple CRLF injection vulnerabilities in (1) ixmmsa.pl
0.3, (2) l33tmusic.pl 2.00, (3) mpg123.pl 0.01, (4)
ogg123.pl 0.01, (5) xmms.pl 2.0, (6) xmms2.pl 1.1.3, and (7)
xmmsinfo.pl 1.1.1.1 scripts for irssi before 0.8.11 allow
user-assisted remote attackers to execute arbitrary IRC
commands via CRLF sequences in the name of the song in a
.mp3 file.
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4396
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Changed Bug title to `CVE-2007-4398, CVE-2007-4396: Multiple CRLF injection vulnerabilities' from `CVE-2007-4398: Multiple CRLF injection vulnerabilities'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Mon, 17 Sep 2007 12:24:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#439840; Package irssi-scripts.
Message #21 received at 439840@bugs.debian.org:
Hi,
while everyone seems to claim that the scripts on irssi.org/scripts/
have been fixed, the web server there reports 2005 as last change
date, and randomly checking some scripts doesn't show any differences
to the versions we are shipping. It could be that we are already
shipping fixed versions, but I doubt it. Does anyone have more
information?
Christoph
--
cb@df7cb.de | http://www.df7cb.de/
Tags added: moreinfo. Request was from Christoph Berg <myon@debian.org> to control@bugs.debian.org. (Sat, 22 Sep 2007 14:57:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>: Bug#439840; Package irssi-scripts.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>.
Message #28 received at 439840@bugs.debian.org:
Hi,
* Christoph Berg <myon@debian.org> [2007-09-22 17:58]:
> while everyone seems to claim that the scripts on irssi.org/scripts/
> have been fixed, the web server there reports 2005 as last change
> date, and randomly checking some scripts doesn't show any differences
> to the versions we are shipping. It could be that we are already
> shipping fixed versions, but I doubt it. Does anyone have more
> information?
I also wondered about the fixed versions since I didn't see
any fix like $song =~ s/[\n\r]//g; or something similar in
the source code. I now mailed the reporter of the problem
and will come back to you as soon as I get more information.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
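As an added example, not code from irssi-scripts, weechat-scripts, or any of the people writing in this log, the following Python models the problem that both CVE descriptions above and Nico's `$song =~ s/[\n\r]//g;` remark refer to. The affected scripts are Perl and Ruby, but the mechanism is the IRC wire format, which is line-oriented: a song title containing CR or LF ends the PRIVMSG early, and whatever follows is parsed by the server as a fresh command. The block builds a constructed .mp3 with an ID3v1 tag whose title carries such a payload, reads the title back, and feeds it through a vulnerable "now playing" function and one that applies the fix discussed here. The channel name `#chan`, the placeholder audio bytes, and the injected `JOIN #pwned` are all assumptions of this example.

```python
# Added example (not code from irssi-scripts, weechat-scripts, or the bug
# reporters): a Python model of the CRLF injection described in
# CVE-2007-4396 / CVE-2007-4398. The real scripts are Perl and Ruby; the
# mechanism is the IRC wire format, so the language does not matter.
from typing import List, Optional

CHANNEL = "#chan"  # assumption: the channel the script announces to


def build_id3v1_mp3(title: bytes) -> bytes:
    """Construct a minimal file whose last 128 bytes are an ID3v1 tag.

    ID3v1 layout: b"TAG", 30-byte title, 30 artist, 30 album, 4 year,
    30 comment, 1 genre. Text fields are padded with NUL (or spaces).
    The bytes in front stand in for audio frames; only the tag matters here.
    """
    if len(title) > 30:
        raise ValueError("ID3v1 titles are at most 30 bytes")
    tag = (
        b"TAG"
        + title.ljust(30, b"\0")
        + b"\0" * 30            # artist
        + b"\0" * 30            # album
        + b"2007"               # year
        + b"\0" * 30            # comment
        + b"\xff"               # genre: none
    )
    assert len(tag) == 128
    return b"\xff\xfb" + b"\0" * 100 + tag


def id3v1_title(data: bytes) -> Optional[str]:
    """Read the title from a trailing ID3v1 tag; None if the file has none."""
    tag = data[-128:]
    if len(tag) != 128 or tag[:3] != b"TAG":
        return None
    raw = tag[3:33].split(b"\0", 1)[0]
    return raw.decode("latin-1").rstrip()


def now_playing_vulnerable(title: str) -> str:
    """What the affected scripts effectively did: interpolate the tag text
    straight into the outgoing message. CR/LF inside the title terminates
    the PRIVMSG, and the remainder goes out as a separate command."""
    return f"PRIVMSG {CHANNEL} :np: {title}\r\n"


def now_playing_fixed(title: str) -> str:
    """The fix discussed in the bug log (Perl: $song =~ s/[\\n\\r]//g;):
    delete CR and LF before the title reaches the wire."""
    clean = title.replace("\r", "").replace("\n", "")
    return f"PRIVMSG {CHANNEL} :np: {clean}\r\n"


def irc_commands(wire: str) -> List[str]:
    """Split an outgoing stream the way an IRC server parses it: one command
    per line, terminated by CRLF. Most servers also accept a lone CR or LF,
    so either is treated as a terminator here."""
    normalised = wire.replace("\r\n", "\n").replace("\r", "\n")
    return [line for line in normalised.split("\n") if line]


# Constructed attacker-supplied file: the title carries a CRLF followed by an
# IRC command. 30 bytes is enough for JOIN, MODE, NICK or a short PRIVMSG.
EVIL_MP3 = build_id3v1_mp3(b"Hit\r\nJOIN #pwned")


def commands_sent(fixed: bool) -> List[str]:
    """Commands the server would execute when the script announces EVIL_MP3."""
    title = id3v1_title(EVIL_MP3)
    assert title is not None
    wire = now_playing_fixed(title) if fixed else now_playing_vulnerable(title)
    return irc_commands(wire)


if __name__ == "__main__":
    print("vulnerable:", commands_sent(fixed=False))
    print("fixed:     ", commands_sent(fixed=True))
```

ID3v1 caps the payload at 30 bytes, which is why the constructed title is short; ID3v2 text frames carry their own length field and are not bounded that way, so a tag read by a player such as xmms can hold a command as long as the IRC line limit permits. Deleting CR and LF, as the log suggests, is the minimal fix; any other control character the client's command layer might interpret would need the same treatment.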
Information forwarded to debian-bugs-dist@lists.debian.org, Christoph Berg <myon@debian.org>: Bug#439840; Package irssi-scripts.
Acknowledgement sent to Wouter Coekaerts <coekie@irssi.org>: Extra info received and forwarded to list. Copy sent to Christoph Berg <myon@debian.org>.
Message #33 received at 439840@bugs.debian.org:
Oops, you're right. They are supposed to be patched, and unless I'm mistaken
they were, but the old versions are online again. Anyways, attached here are
the patches that are supposed to be applied.
Wouter.
[nowplayingpatches.tgz (application/x-tgz, attachment)]
Reply sent to Christoph Berg <myon@debian.org>: You have taken responsibility.
Notification sent to Stefan Fritsch <sf@sfritsch.de>: Bug acknowledged by developer.
Message #38 received at 439840-close@bugs.debian.org:
Source: irssi-scripts
Source-Version: 20070925
We believe that the bug you reported is fixed in the latest version of
irssi-scripts, which is due to be installed in the Debian FTP archive:
irssi-scripts_20070925.dsc
to pool/main/i/irssi-scripts/irssi-scripts_20070925.dsc
irssi-scripts_20070925.tar.gz
to pool/main/i/irssi-scripts/irssi-scripts_20070925.tar.gz
irssi-scripts_20070925_all.deb
to pool/main/i/irssi-scripts/irssi-scripts_20070925_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 439840@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Berg <myon@debian.org> (supplier of updated irssi-scripts package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 25 Sep 2007 00:11:46 +0200
Source: irssi-scripts
Binary: irssi-scripts
Architecture: source all
Version: 20070925
Distribution: unstable
Urgency: medium
Maintainer: Christoph Berg <myon@debian.org>
Changed-By: Christoph Berg <myon@debian.org>
Description:
irssi-scripts - collection of scripts for irssi
Closes: 439840
Changes:
irssi-scripts (20070925) unstable; urgency=medium
.
* Fix multiple CRLF injection vulnerabilities in "now playing" scripts.
Thanks to Wouter Coekaerts for the patches.
(Closes: #439840, CVE-2007-4396, CVE-2007-4398).
Files:
9bb2091a00e52d5e4bf99326aee8f9d8 592 net optional irssi-scripts_20070925.dsc
779473665b499559464b11580ca40e9d 694738 net optional irssi-scripts_20070925.tar.gz
3e2f1e35af059c30497c5eea263c96be 686918 net optional irssi-scripts_20070925_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG+DhZxa93SlhRC1oRAoI6AJ9HP9VWo3pd4CknuAqwjVNNdPrj+QCg4qzK
F7u+nJn2Irqu1ySGJJW7dAY=
=ZkgL
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 29 Oct 2007 07:28:12 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 15:15:52 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.