CVE-2007-4398: Multiple CRLF injection vulnerabilities


Debian Bug report logs - #439839

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Mon, 27 Aug 2007 20:33:05 UTC

Severity: minor

Tags: security

Found in version weechat-scripts/20060821

Fixed in version weechat-scripts/20070425-0.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Julien Louis <ptitlouis@sysif.net>:
Bug#439839; Package weechat-scripts.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Julien Louis <ptitlouis@sysif.net>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2007-4398: Multiple CRLF injection vulnerabilities
Date: Mon, 27 Aug 2007 22:32:39 +0200
Package: weechat-scripts
Version: 20060821
Severity: minor
Tags: security

A vulnerability has been found in some IRC scripts. From CVE-2007-4398:

"Multiple CRLF injection vulnerabilities in the (1) now-playing.rb and
(2) xmms.pl 1.1 scripts for weechat allow user-assisted remote
attackers to execute arbitrary IRC commands via CRLF sequences in the
name of the song in a .mp3 file."

Severity minor since the attack vector is rather obscure.

Please mention the CVE id in the changelog.
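To make the attack vector in the CVE text concrete, here is an added illustration in the style of the affected Ruby script. It is not code from weechat-scripts, nor the content of the Debian patch attached later in this log (which the page does not reproduce); the function names, the IRC line builder and the sample tag are constructed for this example. It shows a "now playing" announcer that splices an MP3 title straight into a PRIVMSG line, the extra IRC commands a crafted title injects, and a hardened variant that strips CR, LF and NUL before the title reaches the wire.

```ruby
# Added example, not code from weechat-scripts or from the Debian patch:
# a minimal "now playing" announcer in the style of now-playing.rb, showing
# the CRLF injection described in CVE-2007-4398 next to a hardened version.
# Function names and the sample tag below are constructed for this example.

IRC_MAX_LINE = 512 # octets, including the terminating CRLF (RFC 1459)

# Vulnerable form: the title read from the MP3 tag is spliced into the
# IRC line verbatim. IRC is line oriented and every CRLF ends a command,
# so a title containing "\r\n" lets whoever wrote the tag append commands
# that the victim's client then sends under the victim's identity.
def announce_vulnerable(channel, title)
  "PRIVMSG #{channel} :np: #{title}\r\n"
end

# Hardened form: collapse CR, LF and NUL (none of which may occur inside
# an IRC message) into a single space. The title sits in the trailing
# parameter after ':', where spaces are harmless, so the payload can no
# longer start a new command.
def sanitize_title(title)
  title.to_s.gsub(/[\r\n\0]+/, " ")
end

def announce_safe(channel, title)
  line = "PRIVMSG #{channel} :np: #{sanitize_title(title)}"
  # Also keep the line within the protocol limit; servers truncate
  # over-long lines, and truncation should happen here, not server-side.
  if line.bytesize > IRC_MAX_LINE - 2
    line = line.byteslice(0, IRC_MAX_LINE - 2).scrub("")
  end
  line + "\r\n"
end

# What the server parses from the raw bytes: one command per line.
# Many servers also accept a bare LF as a terminator, which is why the
# sanitizer removes LF on its own and not only the CRLF pair.
def commands_on_wire(raw)
  raw.split(/\r?\n/).reject(&:empty?)
end

# Constructed attacker-controlled title, as it would come out of a tag
# in a crafted .mp3 file.
MALICIOUS_TITLE = "Nice Song\r\nPRIVMSG #other :pwned\r\nJOIN #evil"

if __FILE__ == $0
  puts "vulnerable script sends:"
  commands_on_wire(announce_vulnerable("#chan", MALICIOUS_TITLE)).each { |c| puts "  #{c}" }
  puts "hardened script sends:"
  commands_on_wire(announce_safe("#chan", MALICIOUS_TITLE)).each { |c| puts "  #{c}" }
end
```

Run with `ruby` to see three commands leave the vulnerable announcer (the second and third chosen by the file's author) against a single PRIVMSG from the hardened one. The same check applies to xmms.pl or any other script that builds protocol lines from metadata it did not produce: filter at the point where untrusted text is joined to a line-oriented protocol, not where the metadata is read.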



Bug 439839 cloned as bug 439840. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Mon, 27 Aug 2007 20:36:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Julien Louis <ptitlouis@sysif.net>:
Bug#439839; Package weechat-scripts.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien Louis <ptitlouis@sysif.net>.


Message #12 received at 439839@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 439839@bugs.debian.org
Subject: Re: CVE-2007-4398: Multiple CRLF injection vulnerabilities
Date: Sat, 15 Sep 2007 16:15:10 +0200
Hi,
I intend to 0-day NMU this bug since it is open for quite 
some time now and easy to fix.
The attached patch fixes the issue for weechat-scripts.
The patch will be also archived on:
http://people.debian.org/~nion/nmu-diff/weechat-scripts_20070425_20070425-0.1.patch

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[weechat-scripts_20070425_20070425-0.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #17 received at 439839-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 439839-close@bugs.debian.org
Subject: Bug#439839: fixed in weechat-scripts 20070425-0.1
Date: Sat, 15 Sep 2007 15:32:06 +0000
Source: weechat-scripts
Source-Version: 20070425-0.1

We believe that the bug you reported is fixed in the latest version of
weechat-scripts, which is due to be installed in the Debian FTP archive:

weechat-scripts_20070425-0.1.dsc
  to pool/main/w/weechat-scripts/weechat-scripts_20070425-0.1.dsc
weechat-scripts_20070425-0.1.tar.gz
  to pool/main/w/weechat-scripts/weechat-scripts_20070425-0.1.tar.gz
weechat-scripts_20070425-0.1_all.deb
  to pool/main/w/weechat-scripts/weechat-scripts_20070425-0.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439839@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated weechat-scripts package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 15 Sep 2007 16:02:38 +0200
Source: weechat-scripts
Binary: weechat-scripts
Architecture: source all
Version: 20070425-0.1
Distribution: unstable
Urgency: high
Maintainer: Julien Louis <ptitlouis@sysif.net>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 weechat-scripts - script collection for the WeeChat IRC client
Closes: 439839
Changes: 
 weechat-scripts (20070425-0.1) unstable; urgency=high
 .
   * Non-maintainer upload by testing security team.
   * Fixed CRLF injection vulnerabilities in xmms.pl and
     now-playing.rb (CVE-2007-4398) (Closes: #439839).
Files: 
 80d07c04acf67f50da7795cea3a9ef6f 525 net extra weechat-scripts_20070425-0.1.dsc
 a737c8201c2924aa404bd5e48f979bb2 70353 net extra weechat-scripts_20070425-0.1.tar.gz
 664f715c8b074667fa4456d4c7717a0c 72042 net extra weechat-scripts_20070425-0.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG6+mwHYflSXNkfP8RAhZUAKCk3JzgYFbzD0rMk2rTjzbeIsOpMACfc6u3
81r2dSv64/heeM1U18LcI3M=
=TQrU
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 17 Oct 2007 07:33:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:16:04 2019; Machine Name: buxtehude
