Bug#930523: unblock: znc/1.7.2-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package znc
It fixes a critical security bug. The fix has also been accepted for stable + testing
by the security team.
diff:
diff -Naur '--exclude=.svn' 1.7.2-2/debian/changelog 1.7.2-3/debian/changelog
--- 1.7.2-2/debian/changelog 2019-03-26 12:58:06.264919659 +0100
+++ 1.7.2-3/debian/changelog 2019-06-14 13:06:35.239889318 +0200
@@ -1,3 +1,10 @@
+znc (1.7.2-3) unstable; urgency=high
+
+ * Add upstream patch CVE-2019-12816 to fix a remote code execution by
+ elevating privileges as described in CVE-2019-12816.
+
+ -- Patrick Matthäi <pmatthaei@debian.org> Fri, 14 Jun 2019 11:14:11 +0200
+
znc (1.7.2-2) unstable; urgency=high
* Add upstream patch 01-CVE-2019-9917 to fix a crash on invalid encoding,
diff -Naur '--exclude=.svn' 1.7.2-2/debian/patches/02-CVE-2019-12816.diff 1.7.2-3/debian/patches/02-CVE-2019-12816.diff
--- 1.7.2-2/debian/patches/02-CVE-2019-12816.diff 1970-01-01 01:00:00.000000000 +0100
+++ 1.7.2-3/debian/patches/02-CVE-2019-12816.diff 2019-06-14 13:06:35.251889255 +0200
@@ -0,0 +1,88 @@
+# Fix security issue which causes elevating privileges by existing remote
+# non-admin user, and remote code execution.
+
+diff -Naur znc-1.7.2.orig/include/znc/Modules.h znc-1.7.2/include/znc/Modules.h
+--- znc-1.7.2.orig/include/znc/Modules.h 2019-06-13 11:13:33.035495175 +0200
++++ znc-1.7.2/include/znc/Modules.h 2019-06-13 11:16:33.966506967 +0200
+@@ -1600,6 +1600,7 @@
+ private:
+ static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+ CModInfo& Info, CString& sRetMsg);
++ static bool VerifyModuleName(const CString& sModule, CString& sRetMsg);
+
+ protected:
+ CUser* m_pUser;
+diff -Naur znc-1.7.2.orig/src/Modules.cpp znc-1.7.2/src/Modules.cpp
+--- znc-1.7.2.orig/src/Modules.cpp 2019-06-13 11:13:32.979495481 +0200
++++ znc-1.7.2/src/Modules.cpp 2019-06-13 11:16:33.970506945 +0200
+@@ -1624,11 +1624,30 @@
+ return nullptr;
+ }
+
++bool CModules::VerifyModuleName(const CString& sModule, CString& sRetMsg) {
++ for (unsigned int a = 0; a < sModule.length(); a++) {
++ if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++ ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++ sRetMsg =
++ t_f("Module names can only contain letters, numbers and "
++ "underscores, [{1}] is invalid")(sModule);
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
+ CModInfo::EModuleType eType, CUser* pUser,
+ CIRCNetwork* pNetwork, CString& sRetMsg) {
+ sRetMsg = "";
+
++ if (!VerifyModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ if (FindModule(sModule) != nullptr) {
+ sRetMsg = t_f("Module {1} already loaded.")(sModule);
+ return false;
+@@ -1781,6 +1800,10 @@
+
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+ CString& sRetMsg) {
++ if (!VerifyModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ CString sModPath, sTmp;
+
+ bool bSuccess;
+@@ -1799,6 +1822,10 @@
+
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
+ const CString& sModPath, CString& sRetMsg) {
++ if (!VerifyModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ ModInfo.SetName(sModule);
+ ModInfo.SetPath(sModPath);
+
+@@ -1911,15 +1938,8 @@
+ // Some sane defaults in case anything errors out below
+ sRetMsg.clear();
+
+- for (unsigned int a = 0; a < sModule.length(); a++) {
+- if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+- ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+- ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+- sRetMsg =
+- t_f("Module names can only contain letters, numbers and "
+- "underscores, [{1}] is invalid")(sModule);
+- return nullptr;
+- }
++ if (!VerifyModuleName(sModule, sRetMsg)) {
++ return nullptr;
+ }
+
+ // The second argument to dlopen() has a long history. It seems clear
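Review bot: `VerifyModuleName()` returns true for an empty `sModule`, because the loop body never runs, so the new checks in `LoadModule`, `GetModInfo` and `GetModPathInfo` let an empty name through. Whether later code rejects it is not visible in these hunks, and the bodies of those three functions and of the function around the `dlopen()` comment continue outside them. I would reject it up front with `if (sModule.empty())` at the top of the helper, setting `sRetMsg` and returning false. The helper is now the single gate for module names, but neither the declaration in Modules.h nor the definition says so. A comment such as `// Allow-list for module names ([0-9A-Za-z_] only); call this before a name is used to find or open a module file.` would tell the next person adding an entry point that the check is required. In `GetModPathInfo` only `sModule` is checked and `sModPath` is stored as given, so it is worth confirming that every caller derives that path itself rather than taking it from a user.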
diff -Naur '--exclude=.svn' 1.7.2-2/debian/patches/series 1.7.2-3/debian/patches/series
--- 1.7.2-2/debian/patches/series 2019-03-26 12:58:06.280919560 +0100
+++ 1.7.2-3/debian/patches/series 2019-06-14 13:06:35.251889255 +0200
@@ -1 +1,2 @@
01-CVE-2019-9917.diff
+02-CVE-2019-12816.diff
unblock znc/1.7.2-3
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled