
math eval vulnerability

Valentin Lorentz edited this page Nov 16, 2019 · 12 revisions

Use of eval() in the calc/icalc/rpn commands of the Math plugin

CVE-2019-19010

Context

Since the earliest versions of Supybot, the Math plugin (called "FunCommands" until 2003) has shipped three commands named "calc", "icalc", and "rpn", which compute math expressions.

As a fork of Supybot, Limnoria inherited these commands.

Description of the vulnerability

These three commands are based on Python's eval() function, and heavily sanitize their input to try to prevent abuse. Everyone knows this is a bad idea, but it seemed good enough, so no one noticed.

On 2019-11-09, @b1tninja finally found a trick to bypass this sanitization, and I (@progval) have confirmed it can be used to read internal data and to cause a denial of service (bot gets stuck in an eval loop for a long time). It might also be possible to use it to execute arbitrary code, but I did not find a way to do it.

Package maintainers are already notified.

Fix

On 2019-11-09, I reimplemented these commands with a proper hand-written evaluator, implemented as a Visitor on the result of ast.parse.

Therefore, the vulnerability is now fixed in Limnoria by 3848ae78de45b35c029cc333963d436b9d2f0a35, released in version 2019.11.09 (published on 2019-11-09).

As Supybot is no longer updated, it will not receive a security fix.
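As an added illustration of the approach described in this section (example code, not Limnoria's own evaluator), here is a whitelist-based evaluator implemented as an ast.NodeVisitor over the result of ast.parse(..., mode="eval"): every node type without an explicit handler is rejected, so attribute access, subscripts and arbitrary names never get evaluated. The function whitelist, the exponent bound (added to limit the kind of long-running computation mentioned above) and the error messages are assumptions for the example.

```python
import ast
import math
import operator

# Whitelists: only these operators and function names are ever evaluated.
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
FUNCTIONS = {"sqrt": math.sqrt, "abs": abs, "round": round}
MAX_EXPONENT = 1000  # assumed bound so that x ** y cannot stall the bot


class SafeEval(ast.NodeVisitor):
    def generic_visit(self, node):
        # Any node without an explicit visit_* below (Attribute, Subscript, Name, ...) lands here.
        raise ValueError("unsupported syntax: " + type(node).__name__)

    def visit_Expression(self, node):
        return self.visit(node.body)

    def visit_Constant(self, node):
        if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
            raise ValueError("only numeric literals are allowed")
        return node.value

    def visit_UnaryOp(self, node):
        if type(node.op) not in UNARY_OPS:
            raise ValueError("unsupported unary operator")
        return UNARY_OPS[type(node.op)](self.visit(node.operand))

    def visit_BinOp(self, node):
        op = type(node.op)
        if op not in BIN_OPS:
            raise ValueError("unsupported operator")
        left, right = self.visit(node.left), self.visit(node.right)
        if op is ast.Pow and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return BIN_OPS[op](left, right)

    def visit_Call(self, node):
        # Calls are allowed only by bare whitelisted name, never through attributes or keywords.
        if not isinstance(node.func, ast.Name) or node.func.id not in FUNCTIONS or node.keywords:
            raise ValueError("unsupported function call")
        return FUNCTIONS[node.func.id](*[self.visit(a) for a in node.args])


def safe_calc(expression):
    # Parse as a single expression (no statements) and walk it with the visitor.
    return SafeEval().visit(ast.parse(expression, mode="eval"))
```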

Workaround

If for some reason you are currently unable to update your Limnoria, you can use one of these solutions:

  • Unload the Math plugin (command: @unload Math)
  • Disable these commands for all users, by running these three commands:
      @defaultcapability add -Math.calc
      @defaultcapability add -Math.icalc
      @defaultcapability add -Math.rpn