Hello community, here is the log from the commit of package znc for openSUSE:Factory checked in at 2019-07-11 13:08:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/znc (Old) and /work/SRC/openSUSE:Factory/.znc.new.4615 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "znc" Thu Jul 11 13:08:22 2019 rev:19 rq:712237 version:1.7.4 Changes: -------- --- /work/SRC/openSUSE:Factory/znc/znc.changes 2019-06-19 20:59:09.846022134 +0200 +++ /work/SRC/openSUSE:Factory/.znc.new.4615/znc.changes 2019-07-11 13:08:24.246997108 +0200 @@ -1,0 +2,7 @@ +Thu Jun 27 08:35:56 UTC 2019 - Martin Pluskal <[email protected]> + +- Update to version 1.7.4: + * This is a security release to fix CVE-2019-12816 boo#1138572 + * Send "Connected!" messages to client to the correct nick + +------------------------------------------------------------------- Old: ---- znc-1.7.3.tar.gz znc-1.7.3.tar.gz.sig New: ---- znc-1.7.4.tar.gz znc-1.7.4.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ znc.spec ++++++ --- /var/tmp/diff_new_pack.lNCrRU/_old 2019-07-11 13:08:26.970995986 +0200 +++ /var/tmp/diff_new_pack.lNCrRU/_new 2019-07-11 13:08:26.974995984 +0200 @@ -17,7 +17,7 @@ Name: znc -Version: 1.7.3 +Version: 1.7.4 Release: 0 Summary: Advanced IRC Bouncer License: Apache-2.0 @@ -32,6 +32,7 @@ BuildRequires: libboost_locale-devel BuildRequires: perl BuildRequires: pkgconfig +BuildRequires: swig BuildRequires: systemd-rpm-macros BuildRequires: pkgconfig(icu-uc) BuildRequires: pkgconfig(libsasl2) ++++++ znc-1.7.3.tar.gz -> znc-1.7.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/CMakeLists.txt new/znc-1.7.4/CMakeLists.txt --- old/znc-1.7.3/CMakeLists.txt 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/CMakeLists.txt 2019-06-21 22:31:41.000000000 +0200 
@@ -15,8 +15,8 @@ # cmake_minimum_required(VERSION 3.1) -project(ZNC VERSION 1.7.3) -set(ZNC_VERSION 1.7.3) +project(ZNC VERSION 1.7.4) +set(ZNC_VERSION 1.7.4) set(append_git_version false) set(alpha_version "") # e.g. "-rc1" set(VERSION_EXTRA "" CACHE STRING diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/ChangeLog.md new/znc-1.7.4/ChangeLog.md --- old/znc-1.7.3/ChangeLog.md 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/ChangeLog.md 2019-06-21 22:31:41.000000000 +0200 @@ -1,3 +1,14 @@ +# ZNC 1.7.4 (2019-06-19) + +## Fixes +* This is a security release to fix CVE-2019-12816 (remote code execution by existing non-admin users). Thanks to Jeriko One for the bugreport. +* Send "Connected!" messages to client to the correct nick. + +# Internal +* Increase znc-buildmod timeout in the test. + + + # ZNC 1.7.3 (2019-03-30) ## Fixes diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/configure new/znc-1.7.4/configure --- old/znc-1.7.3/configure 2019-03-30 15:37:24.000000000 +0100 +++ new/znc-1.7.4/configure 2019-06-21 22:32:07.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for znc 1.7.3. +# Generated by GNU Autoconf 2.69 for znc 1.7.4. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -577,8 +577,8 @@ # Identity of this package. PACKAGE_NAME='znc' PACKAGE_TARNAME='znc' -PACKAGE_VERSION='1.7.3' -PACKAGE_STRING='znc 1.7.3' +PACKAGE_VERSION='1.7.4' +PACKAGE_STRING='znc 1.7.4' PACKAGE_BUGREPORT='' PACKAGE_URL='' 
@@ -1269,7 +1269,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures znc 1.7.3 to adapt to many kinds of systems. +\`configure' configures znc 1.7.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1334,7 +1334,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of znc 1.7.3:";; + short | recursive ) echo "Configuration of znc 1.7.4:";; esac cat <<\_ACEOF @@ -1475,7 +1475,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -znc configure 1.7.3 +znc configure 1.7.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1643,7 +1643,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by znc $as_me 1.7.3, which was +It was created by znc $as_me 1.7.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -1991,7 +1991,7 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu -LIBZNC_VERSION=1.7.3 +LIBZNC_VERSION=1.7.4 ac_ext=cpp @@ -6290,7 +6290,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by znc $as_me 1.7.3, which was +This file was extended by znc $as_me 1.7.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -6352,7 +6352,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -znc config.status 1.7.3 +znc config.status 1.7.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" 
@@ -7081,7 +7081,7 @@ fi echo -echo ZNC 1.7.3 configured +echo ZNC 1.7.4 configured echo echo "prefix: $prefix" echo "debug: $DEBUG" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/configure.ac new/znc-1.7.4/configure.ac --- old/znc-1.7.3/configure.ac 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/configure.ac 2019-06-21 22:31:41.000000000 +0200 @@ -7,8 +7,8 @@ dnl Needed for AC_PATH_PROGS_FEATURE_CHECK which was added in 2.62 AC_PREREQ([2.62]) dnl Keep the version number in sync with version.h! -AC_INIT([znc], [1.7.3]) -LIBZNC_VERSION=1.7.3 +AC_INIT([znc], [1.7.4]) +LIBZNC_VERSION=1.7.4 AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_SRCDIR([src/znc.cpp]) AC_LANG([C++]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/include/znc/Modules.h new/znc-1.7.4/include/znc/Modules.h --- old/znc-1.7.3/include/znc/Modules.h 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/include/znc/Modules.h 2019-06-21 22:31:41.000000000 +0200 @@ -1600,6 +1600,7 @@ private: static ModHandle OpenModule(const CString& sModule, const CString& sModPath, CModInfo& Info, CString& sRetMsg); + static bool ValidateModuleName(const CString& sModule, CString& sRetMsg); protected: CUser* m_pUser; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/include/znc/version.h new/znc-1.7.4/include/znc/version.h --- old/znc-1.7.3/include/znc/version.h 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/include/znc/version.h 2019-06-21 22:31:41.000000000 +0200 
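Review bot: The new ValidateModuleName declaration in Modules.h carries no comment, so a reader of the header cannot tell that it is now the single gate every module-loading path relies on, nor what it accepts. A doc comment above the declaration such as `/// Returns false and sets sRetMsg when sModule contains anything other than ASCII letters, digits and '_' (so path characters like '/' or '.' never reach the loader); returns true otherwise.` would make the contract visible where callers look it up. The callers (LoadModule, GetModInfo, GetModPathInfo, OpenModule) live in Modules.cpp, outside this hunk.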
@@ -20,9 +20,9 @@ // The following defines are for #if comparison (preprocessor only likes ints) #define VERSION_MAJOR 1 #define VERSION_MINOR 7 -#define VERSION_PATCH 3 +#define VERSION_PATCH 4 // This one is for display purpose and to check ABI compatibility of modules -#define VERSION_STR "1.7.3" +#define VERSION_STR "1.7.4" #endif // Don't use this one Binary files old/znc-1.7.3/modules/modperl/generated.tar.gz and new/znc-1.7.4/modules/modperl/generated.tar.gz differ Binary files old/znc-1.7.3/modules/modpython/generated.tar.gz and new/znc-1.7.4/modules/modpython/generated.tar.gz differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/src/IRCSock.cpp new/znc-1.7.4/src/IRCSock.cpp --- old/znc-1.7.3/src/IRCSock.cpp 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/src/IRCSock.cpp 2019-06-21 22:31:41.000000000 +0200 @@ -700,7 +700,6 @@ PutIRC("WHO " + sNick); m_bAuthed = true; - m_pNetwork->PutStatus("Connected!"); const vector<CClient*>& vClients = m_pNetwork->GetClients(); @@ -718,6 +717,7 @@ SetNick(sNick); + m_pNetwork->PutStatus("Connected!"); IRCSOCKMODULECALL(OnIRCConnected(), NOTHING); m_pNetwork->ClearRawBuffer(); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/src/Modules.cpp new/znc-1.7.4/src/Modules.cpp --- old/znc-1.7.3/src/Modules.cpp 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/src/Modules.cpp 2019-06-21 22:31:41.000000000 +0200 
@@ -1624,11 +1624,30 @@ return nullptr; } +bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) { + for (unsigned int a = 0; a < sModule.length(); a++) { + if (((sModule[a] < '0') || (sModule[a] > '9')) && + ((sModule[a] < 'a') || (sModule[a] > 'z')) && + ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) { + sRetMsg = + t_f("Module names can only contain letters, numbers and " + "underscores, [{1}] is invalid")(sModule); + return false; + } + } + + return true; +} + bool CModules::LoadModule(const CString& sModule, const CString& sArgs, CModInfo::EModuleType eType, CUser* pUser, CIRCNetwork* pNetwork, CString& sRetMsg) { sRetMsg = ""; + if (!ValidateModuleName(sModule, sRetMsg)) { + return false; + } + if (FindModule(sModule) != nullptr) { sRetMsg = t_f("Module {1} already loaded.")(sModule); return false; @@ -1781,6 +1800,10 @@ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule, CString& sRetMsg) { + if (!ValidateModuleName(sModule, sRetMsg)) { + return false; + } + CString sModPath, sTmp; bool bSuccess; @@ -1799,6 +1822,10 @@ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule, const CString& sModPath, CString& sRetMsg) { + if (!ValidateModuleName(sModule, sRetMsg)) { + return false; + } + ModInfo.SetName(sModule); ModInfo.SetPath(sModPath); 
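Review bot: ValidateModuleName accepts an empty name: when sModule.length() is 0 the loop body never executes and the function returns true, so LoadModule, GetModInfo and GetModPathInfo now pass "" through to the lookup code that follows the hunk instead of rejecting it with a clear message. Rejecting it in the validator keeps the error reporting in one place; a first line such as `if (sModule.empty()) { sRetMsg = t_f("Module name [{1}] is invalid")(sModule); return false; }` would do, since every caller already forwards sRetMsg. The same validator is wired into GetModInfo and GetModPathInfo in the two hunks that follow on this line, and it replaces the inline loop in OpenModule in the next hunk; whether an empty name is ever reachable from a user command is not visible here and should be confirmed. LoadModule's body continues outside the hunk.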
@@ -1911,15 +1938,8 @@ // Some sane defaults in case anything errors out below sRetMsg.clear(); - for (unsigned int a = 0; a < sModule.length(); a++) { - if (((sModule[a] < '0') || (sModule[a] > '9')) && - ((sModule[a] < 'a') || (sModule[a] > 'z')) && - ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) { - sRetMsg = - t_f("Module names can only contain letters, numbers and " - "underscores, [{1}] is invalid")(sModule); - return nullptr; - } + if (!ValidateModuleName(sModule, sRetMsg)) { + return nullptr; } // The second argument to dlopen() has a long history. It seems clear diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/test/integration/framework/base.cpp new/znc-1.7.4/test/integration/framework/base.cpp --- old/znc-1.7.3/test/integration/framework/base.cpp 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/test/integration/framework/base.cpp 2019-06-21 22:31:41.000000000 +0200 @@ -45,7 +45,7 @@ Process::~Process() { if (m_kill) m_proc.terminate(); - bool bFinished = m_proc.waitForFinished(); + bool bFinished = m_proc.waitForFinished(1000 * m_finishTimeoutSec); EXPECT_TRUE(bFinished); if (!bFinished) return; if (!m_allowDie) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/test/integration/framework/base.h new/znc-1.7.4/test/integration/framework/base.h --- old/znc-1.7.3/test/integration/framework/base.h 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/test/integration/framework/base.h 2019-06-21 22:31:41.000000000 +0200 @@ -70,6 +70,7 @@ m_exit = code; } void CanDie() { m_allowDie = true; } + void ShouldFinishInSec(int sec) { m_finishTimeoutSec = sec; } // I can't do much about SWIG... void CanLeak() { m_allowLeak = true; } 
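Review bot: ShouldFinishInSec stores any int without a range check, and Process::~Process in the base.cpp hunk above multiplies it by 1000 before passing it to QProcess::waitForFinished, where a zero or negative timeout changes the meaning of the wait rather than shortening it (Qt documents -1 as "wait indefinitely"; presumably the same holds for the Qt version used here, confirm). A guard like `void ShouldFinishInSec(int sec) { m_finishTimeoutSec = sec > 0 ? sec : 1; }`, or an assert on sec > 0, keeps the test timeout meaningful for every caller. The Process class body continues outside the hunk.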
@@ -80,6 +81,7 @@ bool m_allowDie = false; bool m_allowLeak = false; QProcess m_proc; + int m_finishTimeoutSec = 30; }; // Can't use QEventLoop without existing QCoreApplication diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/test/integration/framework/znctest.cpp new/znc-1.7.4/test/integration/framework/znctest.cpp --- old/znc-1.7.3/test/integration/framework/znctest.cpp 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/test/integration/framework/znctest.cpp 2019-06-21 22:31:41.000000000 +0200 @@ -57,9 +57,7 @@ } Socket ZNCTest::ConnectIRCd() { - [this] { - ASSERT_TRUE(m_server.waitForNewConnection(30000 /* msec */)); - }(); + [this] { ASSERT_TRUE(m_server.waitForNewConnection(30000 /* msec */)); }(); return WrapIO(m_server.nextPendingConnection()); } @@ -84,8 +82,9 @@ std::unique_ptr<Process> ZNCTest::Run() { return std::unique_ptr<Process>(new Process( - ZNC_BIN_DIR "/znc", QStringList() << "--debug" - << "--datadir" << m_dir.path(), + ZNC_BIN_DIR "/znc", + QStringList() << "--debug" + << "--datadir" << m_dir.path(), [](QProcess* proc) { proc->setProcessChannelMode(QProcess::ForwardedChannels); })); @@ -137,13 +136,13 @@ QTextStream out(&file); out << content; file.close(); - Process p( - ZNC_BIN_DIR "/znc-buildmod", QStringList() << file.fileName(), - [&](QProcess* proc) { - proc->setWorkingDirectory(dir.absolutePath()); - proc->setProcessChannelMode(QProcess::ForwardedChannels); - }); + Process p(ZNC_BIN_DIR "/znc-buildmod", QStringList() << file.fileName(), + [&](QProcess* proc) { + proc->setWorkingDirectory(dir.absolutePath()); + proc->setProcessChannelMode(QProcess::ForwardedChannels); + }); p.ShouldFinishItself(); + p.ShouldFinishInSec(300); } else if (name.endsWith(".py")) { // Dedent QStringList lines = content.split("\n"); 
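Review bot: The 300-second build timeout passed to p.ShouldFinishInSec is a bare literal here and is repeated twice in tests/core.cpp on the next line, so the three call sites can drift apart and nothing explains why a znc-buildmod run is allowed ten times the 30-second default set in base.h. A named constant next to `int m_finishTimeoutSec = 30;` in base.h, e.g. `constexpr int kBuildModTimeoutSec = 300;  // compiling a module is far slower than starting znc`, used at all three sites would document the choice once. The enclosing function starts and ends outside this hunk.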
@@ -151,8 +150,7 @@ for (const QString& line : lines) { int nonspace = line.indexOf(QRegExp("\\S")); if (nonspace == -1) continue; - if (nonspace < maxoffset || maxoffset == -1) - maxoffset = nonspace; + if (nonspace < maxoffset || maxoffset == -1) maxoffset = nonspace; } if (maxoffset == -1) maxoffset = 0; QFile file(dir.filePath(name)); @@ -173,5 +171,4 @@ } } - } // namespace znc_inttest diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/znc-1.7.3/test/integration/tests/core.cpp new/znc-1.7.4/test/integration/tests/core.cpp --- old/znc-1.7.3/test/integration/tests/core.cpp 2019-03-30 15:37:00.000000000 +0100 +++ new/znc-1.7.4/test/integration/tests/core.cpp 2019-06-21 22:31:41.000000000 +0200 @@ -217,6 +217,7 @@ proc->setProcessChannelMode(QProcess::ForwardedChannels); }); p.ShouldFinishItself(1); + p.ShouldFinishInSec(300); } { Process p(ZNC_BIN_DIR "/znc-buildmod", @@ -226,6 +227,7 @@ proc->setProcessChannelMode(QProcess::ForwardedChannels); }); p.ShouldFinishItself(); + p.ShouldFinishInSec(300); } client.Write("znc loadmod testmod"); client.Write("PRIVMSG *testmod :hi");
