Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package znc It fixes a critical security bug. Fix is also accepted for stable + testing by the security team. diff:
diff -Naur '--exclude=.svn' 1.7.2-2/debian/changelog 1.7.2-3/debian/changelog
--- 1.7.2-2/debian/changelog 2019-03-26 12:58:06.264919659 +0100
+++ 1.7.2-3/debian/changelog 2019-06-14 13:06:35.239889318 +0200
@@ -1,3 +1,10 @@
+znc (1.7.2-3) unstable; urgency=high
+
+ * Add upstream patch CVE-2019-12816 to fix a remote code execution by
+ elevating privileges as described in CVE-2019-12816.
+
+ -- Patrick Matthäi <pmatth...@debian.org> Fri, 14 Jun 2019 11:14:11 +0200
+
 znc (1.7.2-2) unstable; urgency=high
 
 * Add upstream patch 01-CVE-2019-9917 to fix a crash on invalid encoding,
diff -Naur '--exclude=.svn' 1.7.2-2/debian/patches/02-CVE-2019-12816.diff 1.7.2-3/debian/patches/02-CVE-2019-12816.diff
--- 1.7.2-2/debian/patches/02-CVE-2019-12816.diff 1970-01-01 01:00:00.000000000 +0100
+++ 1.7.2-3/debian/patches/02-CVE-2019-12816.diff 2019-06-14 13:06:35.251889255 +0200
@@ -0,0 +1,88 @@
+# Fix security issue which causes elevating privileges by existing remote
+# non-admin user, and remote code execution.
+
+diff -Naur znc-1.7.2.orig/include/znc/Modules.h znc-1.7.2/include/znc/Modules.h
+--- znc-1.7.2.orig/include/znc/Modules.h 2019-06-13 11:13:33.035495175 +0200
++++ znc-1.7.2/include/znc/Modules.h 2019-06-13 11:16:33.966506967 +0200
+@@ -1600,6 +1600,7 @@
+ private:
+ static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+ CModInfo& Info, CString& sRetMsg);
++ static bool VerifyModuleName(const CString& sModule, CString& sRetMsg);
+
+ protected:
+ CUser* m_pUser;
+diff -Naur znc-1.7.2.orig/src/Modules.cpp znc-1.7.2/src/Modules.cpp
+--- znc-1.7.2.orig/src/Modules.cpp 2019-06-13 11:13:32.979495481 +0200
++++ znc-1.7.2/src/Modules.cpp 2019-06-13 11:16:33.970506945 +0200
+@@ -1624,11 +1624,30 @@
+ return nullptr;
+ }
+
++bool CModules::VerifyModuleName(const CString& sModule, CString& sRetMsg) {
++ for (unsigned int a = 0; a < sModule.length(); a++) {
++ if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++ ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++ sRetMsg =
++ t_f("Module names can only contain letters, numbers and "
++ "underscores, [{1}] is invalid")(sModule);
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
+ CModInfo::EModuleType eType, CUser* pUser,
+ CIRCNetwork* pNetwork, CString& sRetMsg) {
+ sRetMsg = "";
+
++ if (!VerifyModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ if (FindModule(sModule) != nullptr) {
+ sRetMsg = t_f("Module {1} already loaded.")(sModule);
+ return false;
+@@ -1781,6 +1800,10 @@
+
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+ CString& sRetMsg) {
++ if (!VerifyModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ CString sModPath, sTmp;
+
+ bool bSuccess;
+@@ -1799,6 +1822,10 @@
+
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
+ const CString& sModPath, CString& sRetMsg) {
++ if (!VerifyModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ ModInfo.SetName(sModule);
+ ModInfo.SetPath(sModPath);
+
+@@ -1911,15 +1938,8 @@
+ // Some sane defaults in case anything errors out below
+ sRetMsg.clear();
+
+- for (unsigned int a = 0; a < sModule.length(); a++) {
+- if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+- ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+- ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+- sRetMsg =
+- t_f("Module names can only contain letters, numbers and "
+- "underscores, [{1}] is invalid")(sModule);
+- return nullptr;
+- }
++ if (!VerifyModuleName(sModule, sRetMsg)) {
++ return nullptr;
+ }
+
+ // The second argument to dlopen() has a long history. It seems clear
diff -Naur '--exclude=.svn' 1.7.2-2/debian/patches/series 1.7.2-3/debian/patches/series
--- 1.7.2-2/debian/patches/series 2019-03-26 12:58:06.280919560 +0100
+++ 1.7.2-3/debian/patches/series 2019-06-14 13:06:35.251889255 +0200
@@ -1 +1,2 @@
 01-CVE-2019-9917.diff
+02-CVE-2019-12816.diff
unblock znc/1.7.2-3 -- System Information: Debian Release: 10.0 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
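Review bot: `CModules::VerifyModuleName` in the embedded 02-CVE-2019-12816.diff returns true for an empty `sModule`, because the loop body never runs and control falls through to `return true`; if an empty name can reach `LoadModule`, `GetModInfo` or `GetModPathInfo` from a user-issued command (not visible here), an explicit `if (sModule.empty())` rejection with its own `sRetMsg` before the loop would make the allowlist complete. The helper also has no comment stating the invariant it guards; something like `// Allowlist [0-9A-Za-z_] only: the name is later used to locate and dlopen() a module file, so it must never contain path separators or dots.` would keep a future edit from widening the set (the dlopen() use is inferred from the context comment in the last inner hunk). The bodies of LoadModule, GetModInfo, GetModPathInfo and the function holding the dlopen() comment all continue outside the inner hunks, so whether every entry point that accepts a module name now passes through this check cannot be confirmed from the diff alone. `GetModPathInfo` validates `sModule` but stores `sModPath` unchecked via `ModInfo.SetPath(sModPath)`, which is presumably safe only as long as callers derive that path from a verified name.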