shell injection bug found in the ping.py plugin

last week a shell injection bug was found in the ping.py plugin. this plugin is not part of the basic gozerbot distribution but can be installed from a remote plugin server with the !install-plug command. it is also shipped in the following gozerplugs distributions:

  • gozerplugs-BETA1.tar.gz
  • gozerplugs-BETA2.tar.gz
  • gozerplugs-BETA3.tar.gz

all gozerbot maintainers are asked to remove the ping.py plugin from the myplugs (0.8) or gozerplugs (0.9) directory and restart the bot.

because this is a serious bug, the gozerbot core has been rewritten to remove the use of popen as far as possible and to stop exposing popen calls to bot users at all. the install and upgrade plugins have therefore been removed from core, and a separate program, gozerbot-install, has been written so that bot maintainers can install remote plugins without plugin installation being reachable by bot users.
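for readers who want to see what the bug class looks like, here is an added illustration (not the original ping.py and not gozerbot code): a plugin command that builds a shell string with popen from a user-supplied host name, next to the hardened form that validates the input against an allow-list and runs the program as an argument vector without a shell. the function names and the hostname regex are my own choices for this example.

```python
import re
import subprocess

# Illustrative only: NOT the original ping.py. It shows the generic
# popen-style shell injection pattern and a hardened replacement.


def ping_shell_string(host):
    """Vulnerable pattern: user input interpolated into a shell command.

    Returns the string that os.popen() would hand to /bin/sh (not executed
    here). Any shell metacharacter in ``host`` becomes part of the command.
    """
    return "ping -c 1 %s" % host


# Allow-list: DNS labels (letters, digits, hyphen, no leading/trailing hyphen)
# separated by dots. IPv4 literals match too. Nothing else does, so shell
# metacharacters (; | & $ ` ( ) space quotes) and a leading '-' are rejected.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"^%s(?:\.%s)*$" % (_LABEL, _LABEL))


def validate_host(host):
    """Return True only for a plain hostname or IPv4 literal."""
    if not isinstance(host, str) or not 0 < len(host) <= 253:
        return False
    return HOSTNAME_RE.match(host) is not None


def ping_argv(host):
    """Hardened form: argument vector, no shell, input validated first.

    Returns the argv list to execute, or None when the input is rejected.
    Because the regex forbids a leading '-', the host cannot be turned into
    an extra ping option either.
    """
    if not validate_host(host):
        return None
    return ["ping", "-c", "1", host]


def run_ping(host, timeout=5):
    """Execute the hardened ping and return its exit status.

    subprocess.run with a list and shell=False never invokes /bin/sh, so the
    host is passed to ping as a single argument whatever it contains.
    """
    argv = ping_argv(host)
    if argv is None:
        raise ValueError("rejected host: %r" % host)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    # Constructed sample input: a host name carrying an injected command.
    payload = "localhost; id"
    print("vulnerable command string:", ping_shell_string(payload))
    print("hardened argv:", ping_argv(payload))  # None: rejected
    print("hardened argv:", ping_argv("127.0.0.1"))
```

the point is the middle function: once the command is an argument list with shell=False, there is no shell to inject into, and the allow-list keeps an attacker from smuggling extra options to ping itself.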

this is all done in the new 0.9 release of gozerbot, which i will announce soon.

Bart
