community/znc: add patch to fix CVE-2019-12816

ref #10732

2 files changed, 109 insertions, 2 deletions

diff --git a/community/znc/APKBUILD b/community/znc/APKBUILD
index 7f8d2b413b..d7dc8b7f1e 100644
--- a/community/znc/APKBUILD
+++ b/community/znc/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=znc
 pkgver=1.7.1
-pkgrel=3
+pkgrel=4
 pkgdesc="Advanced IRC bouncer"
 url="http://znc.in"
 arch="all"
@@ -14,13 +14,16 @@ pkggroups="$pkgusers"
 install="$pkgname.pre-install"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-extra $pkgname-modtcl
 	$pkgname-modperl $pkgname-modpython"
-source="http://znc.in/releases/znc-$pkgver.tar.gz
+source="http://znc.in/releases/archive/znc-$pkgver.tar.gz
 	CVE-2019-9917.patch
+	CVE-2019-12816.patch
 	$pkgname.initd
 	$pkgname.confd"
 builddir="$srcdir/znc-$pkgver"
 
 # secfixes:
+#   1.7.1-r4:
+#   - CVE-2019-12816
 #   1.7.1-r3:
 #   - CVE-2019-9917
 #   1.7.1-r0:
@@ -114,5 +117,6 @@ _mv_to_sub() {
 
 sha512sums="907068fb0828091026d440145b70ca76109302f13c18d94f772660192434287f209a06a52da1dd39726b9a38735b3cea9afbd062eb6def4cd428bb73c562a902  znc-1.7.1.tar.gz
 0c1bdb08ce5ca4b0ff8efedff9e711ffceba460594caf14aa1bfd04ca81ec2d3e2b10ed6e34960b8251f2d9d1e95ad1e9093db1aefd36beb35ff92c2e58e84f8  CVE-2019-9917.patch
+187dad0bbe90b354b746ca8dc13bcaf5781cdc86b8c94670ecfbbf2b6e99b3182b588873ec58a475ece06021265f6e7f60a73bae18b28e284387b550dc3ca65d  CVE-2019-12816.patch
 47f9bd00f07861e195333d2cda5b1c7386e2324a1842b890837a7936a94b65b7a269f7fee656a522ec86b58a94bd451a2a3629bd6465578681b8d0733c2c77dc  znc.initd
 00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29  znc.confd"
diff --git a/community/znc/CVE-2019-12816.patch b/community/znc/CVE-2019-12816.patch
new file mode 100644
index 0000000000..6d4d8b199d
--- /dev/null
+++ b/community/znc/CVE-2019-12816.patch
@@ -0,0 +1,103 @@
+From 8de9e376ce531fe7f3c8b0aa4876d15b479b7311 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Wed, 12 Jun 2019 08:57:29 +0100
+Subject: [PATCH] Fix remote code execution and privilege escalation
+ vulnerability.
+
+To trigger this, need to have a user already.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+
+CVE-2019-12816
+---
+ include/znc/Modules.h |  1 +
+ src/Modules.cpp       | 38 +++++++++++++++++++++++++++++---------
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/include/znc/Modules.h b/include/znc/Modules.h
+index 28fdd3a62..db8f87b81 100644
+--- a/include/znc/Modules.h
++++ b/include/znc/Modules.h
+@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CModule*>, private CCoreTranslationMixin {
+   private:
+     static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+                                 CModInfo& Info, CString& sRetMsg);
++    static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);
+ 
+   protected:
+     CUser* m_pUser;
+diff --git a/src/Modules.cpp b/src/Modules.cpp
+index 5aec7805a..d41951a8d 100644
+--- a/src/Modules.cpp
++++ b/src/Modules.cpp
+@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CString& sModule) const {
+     return nullptr;
+ }
+ 
++bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
++    for (unsigned int a = 0; a < sModule.length(); a++) {
++        if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++            ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++            ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++            sRetMsg =
++                t_f("Module names can only contain letters, numbers and "
++                    "underscores, [{1}] is invalid")(sModule);
++            return false;
++        }
++    }
++
++    return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
+                           CModInfo::EModuleType eType, CUser* pUser,
+                           CIRCNetwork* pNetwork, CString& sRetMsg) {
+     sRetMsg = "";
+ 
++    if (!ValidateModuleName(sModule, sRetMsg)) {
++        return false;
++    }
++
+     if (FindModule(sModule) != nullptr) {
+         sRetMsg = t_f("Module {1} already loaded.")(sModule);
+         return false;
+@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CString& sModule, const CString& sArgs,
+ 
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+                           CString& sRetMsg) {
++    if (!ValidateModuleName(sModule, sRetMsg)) {
++        return false;
++    }
++
+     CString sModPath, sTmp;
+ 
+     bool bSuccess;
+@@ -1799,6 +1822,10 @@ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+ 
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
+                               const CString& sModPath, CString& sRetMsg) {
++    if (!ValidateModuleName(sModule, sRetMsg)) {
++        return false;
++    }
++
+     ModInfo.SetName(sModule);
+     ModInfo.SetPath(sModPath);
+ 
+@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CString& sModule, const CString& sModPath,
+     // Some sane defaults in case anything errors out below
+     sRetMsg.clear();
+ 
+-    for (unsigned int a = 0; a < sModule.length(); a++) {
+-        if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+-            ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+-            ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+-            sRetMsg =
+-                t_f("Module names can only contain letters, numbers and "
+-                    "underscores, [{1}] is invalid")(sModule);
+-            return nullptr;
+-        }
++    if (!ValidateModuleName(sModule, sRetMsg)) {
++        return nullptr;
+     }
+ 
+     // The second argument to dlopen() has a long history. It seems clear