From: Ankur Tyagi <[email protected]> Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39844
Backport commit[1] from https://github.com/znc/znc/releases/tag/znc-1.9.1 [1] https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e Signed-off-by: Ankur Tyagi <[email protected]> --- .../recipes-irc/znc/znc/CVE-2024-39844.patch | 62 +++++++++++++++++++ meta-networking/recipes-irc/znc/znc_1.8.2.bb | 1 + 2 files changed, 63 insertions(+) create mode 100644 meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch diff --git a/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch b/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch new file mode 100644 index 0000000000..cf9486791c --- /dev/null +++ b/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch @@ -0,0 +1,62 @@ +From d3867e667ec813a448a0845087a8d87bad58402d Mon Sep 17 00:00:00 2001 +From: Alexey Sokolov <[email protected]> +Date: Mon, 1 Jul 2024 09:59:16 +0100 +Subject: [PATCH] Fix RCE vulnerability in modtcl + +Remote attacker could execute arbitrary code embedded into the kick +reason while kicking someone on a channel. + +To mitigate this for existing installations, simply unload the modtcl +module for every user, if it's loaded. +Note that only users with admin rights can load modtcl at all. + +While at it, also escape the channel name. + +Discovered by Johannes Kuhn (DasBrain) + +Patch by https://github.com/glguy + +CVE-2024-39844 + +CVE: CVE-2024-39844 +Upstream-Status: Backport [https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e] +(cherry picked from commit 8cbf8d628174ddf23da680f3f117dc54da0eb06e) +Signed-off-by: Ankur Tyagi <[email protected]> +--- + modules/modtcl.cpp | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/modules/modtcl.cpp b/modules/modtcl.cpp +index c64bc43f..58e68f51 100644 +--- a/modules/modtcl.cpp ++++ b/modules/modtcl.cpp +@@ -248,8 +248,9 @@ class CModTcl : public CModule { + // chan specific + unsigned int nLength = vChans.size(); + for (unsigned int n = 0; n < nLength; n++) { ++ CString sChannel = TclEscape(CString(vChans[n]->GetName())); + sCommand = "Binds::ProcessNick {" + sOldNick + "} {" + sHost + +- "} - {" + vChans[n]->GetName() + "} {" + sNewNickTmp + ++ "} - {" + sChannel + "} {" + sNewNickTmp + + "}"; + int i = Tcl_Eval(interp, sCommand.c_str()); + if (i != TCL_OK) { +@@ -260,14 +261,16 @@ class CModTcl : public CModule { + + void OnKick(const CNick& OpNick, const CString& sKickedNick, CChan& Channel, + const CString& sMessage) override { ++ CString sMes = TclEscape(sMessage); + CString sOpNick = TclEscape(CString(OpNick.GetNick())); + CString sNick = TclEscape(sKickedNick); + CString sOpHost = + TclEscape(CString(OpNick.GetIdent() + "@" + OpNick.GetHost())); ++ CString sChannel = TclEscape(Channel.GetName()); + + CString sCommand = "Binds::ProcessKick {" + sOpNick + "} {" + sOpHost + +- "} - {" + Channel.GetName() + "} {" + sNick + "} {" + +- sMessage + "}"; ++ "} - {" + sChannel + "} {" + sNick + "} {" + ++ sMes + "}"; + int i = Tcl_Eval(interp, sCommand.c_str()); + if (i != TCL_OK) { + PutModule(Tcl_GetStringResult(interp)); diff --git a/meta-networking/recipes-irc/znc/znc_1.8.2.bb b/meta-networking/recipes-irc/znc/znc_1.8.2.bb index 68dd0702f7..9901344601 100644 --- a/meta-networking/recipes-irc/znc/znc_1.8.2.bb +++ b/meta-networking/recipes-irc/znc/znc_1.8.2.bb @@ -7,6 +7,7 @@ DEPENDS = "openssl zlib icu" SRC_URI = "git://github.com/znc/znc.git;name=znc;branch=master;protocol=https \ git://github.com/jimloco/Csocket.git;destsuffix=git/third_party/Csocket;name=Csocket;branch=master;protocol=https \ + file://CVE-2024-39844.patch \ " SRCREV_znc = "bf253640d33d03331310778e001fb6f5aba2989e" SRCREV_Csocket = "e8d9e0bb248c521c2c7fa01e1c6a116d929c41b4"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123287): https://lists.openembedded.org/g/openembedded-devel/message/123287 Mute This Topic: https://lists.openembedded.org/mt/117172372/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
