main/znc: add patches fo CVE-2019-9917 and CVE-2019-12816

ref #10732
author: Rasmus Thomsen <oss@cogitri.dev> 2019-08-15 15:20:27 +0200
committer: Natanael Copa <ncopa@alpinelinux.org> 2019-08-15 15:53:35 +0200
commit: bbe0e7a47c997626ab5531f35346431f28b947bd (patch)
tree: 9c28c2fb94a0484f4c8996c08c393e546a969466 /main
parent: 6ffa77ed276860186deb48a68d5690ef90fe54c9 (diff)
download: aports-bbe0e7a47c997626ab5531f35346431f28b947bd.tar.bz2
aports-bbe0e7a47c997626ab5531f35346431f28b947bd.tar.xz
3 files changed, 237 insertions, 4 deletions
diff --git a/main/znc/APKBUILD b/main/znc/APKBUILD
index 98f02ad922..eecf0435c8 100644
--- a/main/znc/APKBUILD
+++ b/main/znc/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=znc
 pkgver=1.7.1
-pkgrel=0
+pkgrel=1
 pkgdesc="Advanced IRC bouncer"
 url="http://znc.in"
 arch="all"
@@ -14,12 +14,18 @@ pkggroups="$pkgusers"
 install="$pkgname.pre-install"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-extra $pkgname-modtcl
 	$pkgname-modperl $pkgname-modpython"
-source="http://znc.in/releases/znc-$pkgver.tar.gz
+source="http://znc.in/releases/archive/znc-$pkgver.tar.gz
 	$pkgname.initd
-	$pkgname.confd"
+	$pkgname.confd
+	CVE-2019-9917.patch
+	CVE-2019-12816.patch
+	"
 builddir="$srcdir/znc-$pkgver"
 
 # secfixes:
+#   1.7.1-r1:
+#   - CVE-2019-9917
+#   - CVE-2019-12816
 #   1.7.1-r0:
 #   - CVE-2018-14055
 #   - CVE-2018-14056
@@ -111,4 +117,6 @@ _mv_to_sub() {
 
 sha512sums="907068fb0828091026d440145b70ca76109302f13c18d94f772660192434287f209a06a52da1dd39726b9a38735b3cea9afbd062eb6def4cd428bb73c562a902  znc-1.7.1.tar.gz
 47f9bd00f07861e195333d2cda5b1c7386e2324a1842b890837a7936a94b65b7a269f7fee656a522ec86b58a94bd451a2a3629bd6465578681b8d0733c2c77dc  znc.initd
-00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29  znc.confd"
+00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29  znc.confd
+0c1bdb08ce5ca4b0ff8efedff9e711ffceba460594caf14aa1bfd04ca81ec2d3e2b10ed6e34960b8251f2d9d1e95ad1e9093db1aefd36beb35ff92c2e58e84f8  CVE-2019-9917.patch
+187dad0bbe90b354b746ca8dc13bcaf5781cdc86b8c94670ecfbbf2b6e99b3182b588873ec58a475ece06021265f6e7f60a73bae18b28e284387b550dc3ca65d  CVE-2019-12816.patch"
diff --git a/main/znc/CVE-2019-12816.patch b/main/znc/CVE-2019-12816.patch
new file mode 100644
index 0000000000..6d4d8b199d
--- /dev/null
+++ b/main/znc/CVE-2019-12816.patch
@@ -0,0 +1,103 @@
+From 8de9e376ce531fe7f3c8b0aa4876d15b479b7311 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Wed, 12 Jun 2019 08:57:29 +0100
+Subject: [PATCH] Fix remote code execution and privilege escalation
+ vulnerability.
+
+To trigger this, need to have a user already.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+
+CVE-2019-12816
+---
+ include/znc/Modules.h |  1 +
+ src/Modules.cpp       | 38 +++++++++++++++++++++++++++++---------
+ 2 files changed, 30 insertions(+), 9 deletions(-)
+
+diff --git a/include/znc/Modules.h b/include/znc/Modules.h
+index 28fdd3a62..db8f87b81 100644
+--- a/include/znc/Modules.h
++++ b/include/znc/Modules.h
+@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CModule*>, private CCoreTranslationMixin {
+   private:
+     static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+                                 CModInfo& Info, CString& sRetMsg);
++    static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);
+ 
+   protected:
+     CUser* m_pUser;
+diff --git a/src/Modules.cpp b/src/Modules.cpp
+index 5aec7805a..d41951a8d 100644
+--- a/src/Modules.cpp
++++ b/src/Modules.cpp
+@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CString& sModule) const {
+     return nullptr;
+ }
+ 
++bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
++    for (unsigned int a = 0; a < sModule.length(); a++) {
++        if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++            ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++            ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++            sRetMsg =
++                t_f("Module names can only contain letters, numbers and "
++                    "underscores, [{1}] is invalid")(sModule);
++            return false;
++        }
++    }
++
++    return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
+                           CModInfo::EModuleType eType, CUser* pUser,
+                           CIRCNetwork* pNetwork, CString& sRetMsg) {
+     sRetMsg = "";
+ 
++    if (!ValidateModuleName(sModule, sRetMsg)) {
++        return false;
++    }
++
+     if (FindModule(sModule) != nullptr) {
+         sRetMsg = t_f("Module {1} already loaded.")(sModule);
+         return false;
+@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CString& sModule, const CString& sArgs,
+ 
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+                           CString& sRetMsg) {
++    if (!ValidateModuleName(sModule, sRetMsg)) {
++        return false;
++    }
++
+     CString sModPath, sTmp;
+ 
+     bool bSuccess;
+@@ -1799,6 +1822,10 @@ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+ 
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
+                               const CString& sModPath, CString& sRetMsg) {
++    if (!ValidateModuleName(sModule, sRetMsg)) {
++        return false;
++    }
++
+     ModInfo.SetName(sModule);
+     ModInfo.SetPath(sModPath);
+ 
+@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CString& sModule, const CString& sModPath,
+     // Some sane defaults in case anything errors out below
+     sRetMsg.clear();
+ 
+-    for (unsigned int a = 0; a < sModule.length(); a++) {
+-        if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+-            ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+-            ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+-            sRetMsg =
+-                t_f("Module names can only contain letters, numbers and "
+-                    "underscores, [{1}] is invalid")(sModule);
+-            return nullptr;
+-        }
++    if (!ValidateModuleName(sModule, sRetMsg)) {
++        return nullptr;
+     }
+ 
+     // The second argument to dlopen() has a long history. It seems clear
diff --git a/main/znc/CVE-2019-9917.patch b/main/znc/CVE-2019-9917.patch
new file mode 100644
index 0000000000..595d95f553
--- /dev/null
+++ b/main/znc/CVE-2019-9917.patch
@@ -0,0 +1,122 @@
+From 64613bc8b6b4adf1e32231f9844d99cd512b8973 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Fri, 15 Mar 2019 20:34:10 +0000
+Subject: [PATCH] Don't crash if user specified invalid encoding.
+
+This is CVE-2019-9917
+---
+ modules/controlpanel.cpp             |  2 +-
+ src/IRCNetwork.cpp                   |  4 ++--
+ src/User.cpp                         |  4 ++--
+ src/znc.cpp                          | 26 ++++++++++++++++++++++----
+ test/integration/tests/scripting.cpp |  7 +++++++
+ 5 files changed, 34 insertions(+), 9 deletions(-)
+
+diff --git a/modules/controlpanel.cpp b/modules/controlpanel.cpp
+index 139c2aefa..109f8c6b0 100644
+--- a/modules/controlpanel.cpp
++++ b/modules/controlpanel.cpp
+@@ -495,7 +495,7 @@ class CAdminMod : public CModule {
+ #ifdef HAVE_ICU
+         else if (sVar == "clientencoding") {
+             pUser->SetClientEncoding(sValue);
+-            PutModule("ClientEncoding = " + sValue);
++            PutModule("ClientEncoding = " + pUser->GetClientEncoding());
+         }
+ #endif
+         else
+diff --git a/src/IRCNetwork.cpp b/src/IRCNetwork.cpp
+index 0284dc53e..0e1d6e2a3 100644
+--- a/src/IRCNetwork.cpp
++++ b/src/IRCNetwork.cpp
+@@ -1482,9 +1482,9 @@ void CIRCNetwork::SetBindHost(const CString& s) {
+ }
+ 
+ void CIRCNetwork::SetEncoding(const CString& s) {
+-    m_sEncoding = s;
++    m_sEncoding = CZNC::Get().FixupEncoding(s);
+     if (GetIRCSock()) {
+-        GetIRCSock()->SetEncoding(s);
++        GetIRCSock()->SetEncoding(m_sEncoding);
+     }
+ }
+ 
+diff --git a/src/User.cpp b/src/User.cpp
+index 3fd532a7c..c44cf6070 100644
+--- a/src/User.cpp
++++ b/src/User.cpp
+@@ -1253,9 +1253,9 @@ void CUser::SetAdmin(bool b) { m_bAdmin = b; }
+ void CUser::SetDenySetBindHost(bool b) { m_bDenySetBindHost = b; }
+ void CUser::SetDefaultChanModes(const CString& s) { m_sDefaultChanModes = s; }
+ void CUser::SetClientEncoding(const CString& s) {
+-    m_sClientEncoding = s;
++    m_sClientEncoding = CZNC::Get().FixupEncoding(s);
+     for (CClient* pClient : GetAllClients()) {
+-        pClient->SetEncoding(s);
++        pClient->SetEncoding(m_sClientEncoding);
+     }
+ }
+ void CUser::SetQuitMsg(const CString& s) { m_sQuitMsg = s; }
+diff --git a/src/znc.cpp b/src/znc.cpp
+index 4e7216ee1..3f4dd2e07 100644
+--- a/src/znc.cpp
++++ b/src/znc.cpp
+@@ -2092,18 +2092,36 @@ void CZNC::ForceEncoding() {
+     m_uiForceEncoding++;
+ #ifdef HAVE_ICU
+     for (Csock* pSock : GetManager()) {
+-        if (pSock->GetEncoding().empty()) {
+-            pSock->SetEncoding("UTF-8");
+-        }
++        pSock->SetEncoding(FixupEncoding(pSock->GetEncoding()));
+     }
+ #endif
+ }
+ void CZNC::UnforceEncoding() { m_uiForceEncoding--; }
+ bool CZNC::IsForcingEncoding() const { return m_uiForceEncoding; }
+ CString CZNC::FixupEncoding(const CString& sEncoding) const {
+-    if (sEncoding.empty() && m_uiForceEncoding) {
++    if (!m_uiForceEncoding) {
++        return sEncoding;
++    }
++    if (sEncoding.empty()) {
++        return "UTF-8";
++    }
++    const char* sRealEncoding = sEncoding.c_str();
++    if (sEncoding[0] == '*' || sEncoding[0] == '^') {
++        sRealEncoding++;
++    }
++    if (!*sRealEncoding) {
+         return "UTF-8";
+     }
++#ifdef HAVE_ICU
++    UErrorCode e = U_ZERO_ERROR;
++    UConverter* cnv = ucnv_open(sRealEncoding, &e);
++    if (cnv) {
++        ucnv_close(cnv);
++    }
++    if (U_FAILURE(e)) {
++        return "UTF-8";
++    }
++#endif
+     return sEncoding;
+ }
+ 
+diff --git a/test/integration/tests/scripting.cpp b/test/integration/tests/scripting.cpp
+index 9dd68d8fa..8f809f50c 100644
+--- a/test/integration/tests/scripting.cpp
++++ b/test/integration/tests/scripting.cpp
+@@ -55,6 +55,13 @@ TEST_F(ZNCTest, Modpython) {
+     ircd.Write(":n!u@h PRIVMSG nick :Hi\xF0, github issue #1229");
+     // "replacement character"
+     client.ReadUntil("Hi\xEF\xBF\xBD, github issue");
++
++    // Non-existing encoding
++    client.Write("PRIVMSG *controlpanel :Set ClientEncoding $me Western");
++    client.Write("JOIN #a\342");
++    client.ReadUntil(
++        ":*controlpanel!znc@znc.in PRIVMSG nick :ClientEncoding = UTF-8");
++    ircd.ReadUntil("JOIN #a\xEF\xBF\xBD");
+ }
+ 
+ TEST_F(ZNCTest, ModpythonSocket) {
author	Rasmus Thomsen <oss@cogitri.dev>	2019-08-15 15:20:27 +0200
committer	Natanael Copa <ncopa@alpinelinux.org>	2019-08-15 15:53:35 +0200
commit	bbe0e7a47c997626ab5531f35346431f28b947bd (patch)
tree	9c28c2fb94a0484f4c8996c08c393e546a969466 /main
parent	6ffa77ed276860186deb48a68d5690ef90fe54c9 (diff)
download	aports-bbe0e7a47c997626ab5531f35346431f28b947bd.tar.bz2 aports-bbe0e7a47c997626ab5531f35346431f28b947bd.tar.xz