Headline
CVE-2023-38690: Release 1.0.1 (2023-07-31) · matrix-org/matrix-appservice-irc
matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to version 1.0.1, it is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge bot. Versions 1.0.1 and above are patched. There are no robust workarounds to the bug. One may disable dynamic channels in the config to disable the most common execution method but others may exist.
It is strongly reccomended you upgrade your bridge, as this release contains security fixes.
🔒 Security
- Fixes for GHSA-vc7j-h8xg-fv5x.
- Fixes for GHSA-3pmj-jqqp-2mj3.
- Fixes for GHSA-c7hh-3v6c-fj4q
Bugfixes
- Improve processing speed of commands sent to and from the proxy when the bridge is configured in pooling mode. (#1751)
- Ensure QUIT messages are always sent. (#1752)
- Ensure we don’t bloat irc supported state. (#1753)
- Fix a case where the bridge would not listen for and apply bans for legacy/unspec’d m.room.rule.* types in use by Mjolnir. (#1755, #1759)
- Refactor the command parser for admin and room commands, ensuring we correctly trim the command. (#1756)
Internal Changes
- Update matrix-appservice-bridge to 9.0.1. (#1760)
Related news
### Impact It is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge bot. ### Patches Versions 1.0.1 and above are patched. ### Workarounds There are no robust workarounds to the bug. You can disable dynamic channels in the config to disable the most common execution method but others may exist. It is highly recommended to upgrade the bridge. ### Credits Discovered and reported by [Val Lorentz](https://valentin-lorentz.fr/). ### For more information If you have any questions or comments about this advisory email us at [[email protected]](mailto:[email protected]).