
Bug#930523: unblock: znc/1.7.2-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package znc

It fixes a critical security bug. The fix is also accepted for stable + testing
by the security team.
diff:

diff -Naur '--exclude=.svn' 1.7.2-2/debian/changelog 1.7.2-3/debian/changelog
--- 1.7.2-2/debian/changelog    2019-03-26 12:58:06.264919659 +0100
+++ 1.7.2-3/debian/changelog    2019-06-14 13:06:35.239889318 +0200
@@ -1,3 +1,10 @@
+znc (1.7.2-3) unstable; urgency=high
+
+  * Add upstream patch CVE-2019-12816 to fix a remote code execution by
+    elevating privileges as described in CVE-2019-12816.
+
+ -- Patrick Matthäi <pmatthaei@debian.org>  Fri, 14 Jun 2019 11:14:11 +0200
+
 znc (1.7.2-2) unstable; urgency=high

   * Add upstream patch 01-CVE-2019-9917 to fix a crash on invalid encoding,
diff -Naur '--exclude=.svn' 1.7.2-2/debian/patches/02-CVE-2019-12816.diff 1.7.2-3/debian/patches/02-CVE-2019-12816.diff
--- 1.7.2-2/debian/patches/02-CVE-2019-12816.diff       1970-01-01 01:00:00.000000000 +0100
+++ 1.7.2-3/debian/patches/02-CVE-2019-12816.diff       2019-06-14 13:06:35.251889255 +0200
@@ -0,0 +1,88 @@
+# Fix security issue which causes elevating privileges by existing remote
+# non-admin user, and remote code execution.
+
+diff -Naur znc-1.7.2.orig/include/znc/Modules.h znc-1.7.2/include/znc/Modules.h
+--- znc-1.7.2.orig/include/znc/Modules.h       2019-06-13 11:13:33.035495175 +0200
++++ znc-1.7.2/include/znc/Modules.h    2019-06-13 11:16:33.966506967 +0200
+@@ -1600,6 +1600,7 @@
+   private:
+     static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+                                 CModInfo& Info, CString& sRetMsg);
++    static bool VerifyModuleName(const CString& sModule, CString& sRetMsg);
+
+   protected:
+     CUser* m_pUser;
+diff -Naur znc-1.7.2.orig/src/Modules.cpp znc-1.7.2/src/Modules.cpp
+--- znc-1.7.2.orig/src/Modules.cpp     2019-06-13 11:13:32.979495481 +0200
++++ znc-1.7.2/src/Modules.cpp  2019-06-13 11:16:33.970506945 +0200
+@@ -1624,11 +1624,30 @@
+     return nullptr;
+ }
+
++bool CModules::VerifyModuleName(const CString& sModule, CString& sRetMsg) {
++    for (unsigned int a = 0; a < sModule.length(); a++) {
++        if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++            ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++            ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++            sRetMsg =
++                t_f("Module names can only contain letters, numbers and "
++                    "underscores, [{1}] is invalid")(sModule);
++            return false;
++        }
++    }
++
++    return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
+                           CModInfo::EModuleType eType, CUser* pUser,
+                           CIRCNetwork* pNetwork, CString& sRetMsg) {
+     sRetMsg = "";
+
++    if (!VerifyModuleName(sModule, sRetMsg)) {
++        return false;
++    }
++
+     if (FindModule(sModule) != nullptr) {
+         sRetMsg = t_f("Module {1} already loaded.")(sModule);
+         return false;
+@@ -1781,6 +1800,10 @@
+
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+                           CString& sRetMsg) {
++    if (!VerifyModuleName(sModule, sRetMsg)) {
++        return false;
++    }
++
+     CString sModPath, sTmp;
+
+     bool bSuccess;
+@@ -1799,6 +1822,10 @@
+
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
+                               const CString& sModPath, CString& sRetMsg) {
++    if (!VerifyModuleName(sModule, sRetMsg)) {
++        return false;
++    }
++
+     ModInfo.SetName(sModule);
+     ModInfo.SetPath(sModPath);
+
+@@ -1911,15 +1938,8 @@
+     // Some sane defaults in case anything errors out below
+     sRetMsg.clear();
+
+-    for (unsigned int a = 0; a < sModule.length(); a++) {
+-        if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+-            ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+-            ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+-            sRetMsg =
+-                t_f("Module names can only contain letters, numbers and "
+-                    "underscores, [{1}] is invalid")(sModule);
+-            return nullptr;
+-        }
++    if (!VerifyModuleName(sModule, sRetMsg)) {
++        return nullptr;
+     }
+
+     // The second argument to dlopen() has a long history. It seems clear
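Review bot: VerifyModuleName, added in the src/Modules.cpp hunk at -1624, has no comment saying it is the allow-list that every name-taking entry point relies on, and it returns true for an empty sModule because the loop body never runs. The patch wires it by hand into LoadModule, GetModInfo, GetModPathInfo and the function around -1911, so a later entry point that accepts a module name could omit it unnoticed. On the declaration in Modules.h I would add something like `// Allow-list for module names ([0-9A-Za-z_]); call before a name is used to locate or open a module file.` Whether an empty name is harmless depends on the path lookup, which is outside these hunks; if it is not meant to pass, an early `if (sModule.empty())` rejection belongs in the same function. The callers' bodies continue outside the hunks shown.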
diff -Naur '--exclude=.svn' 1.7.2-2/debian/patches/series 1.7.2-3/debian/patches/series
--- 1.7.2-2/debian/patches/series       2019-03-26 12:58:06.280919560 +0100
+++ 1.7.2-3/debian/patches/series       2019-06-14 13:06:35.251889255 +0200
@@ -1 +1,2 @@
 01-CVE-2019-9917.diff
+02-CVE-2019-12816.diff




unblock znc/1.7.2-3

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
