author | Rasmus Thomsen <oss@cogitri.dev> | 2019-08-15 15:20:27 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2019-08-15 15:53:35 +0200 |
commit | bbe0e7a47c997626ab5531f35346431f28b947bd (patch) | |
tree | 9c28c2fb94a0484f4c8996c08c393e546a969466 /main | |
parent | 6ffa77ed276860186deb48a68d5690ef90fe54c9 (diff) | |
download | aports-bbe0e7a47c997626ab5531f35346431f28b947bd.tar.bz2 aports-bbe0e7a47c997626ab5531f35346431f28b947bd.tar.xz |
main/znc: add patches fo CVE-2019-9917 and CVE-2019-12816
ref #10732
Diffstat (limited to 'main')
-rw-r--r-- | main/znc/APKBUILD | 16 | ||||
-rw-r--r-- | main/znc/CVE-2019-12816.patch | 103 | ||||
-rw-r--r-- | main/znc/CVE-2019-9917.patch | 122 |
3 files changed, 237 insertions, 4 deletions
diff --git a/main/znc/APKBUILD b/main/znc/APKBUILD index 98f02ad922..eecf0435c8 100644 --- a/main/znc/APKBUILD +++ b/main/znc/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=znc pkgver=1.7.1 -pkgrel=0 +pkgrel=1 pkgdesc="Advanced IRC bouncer" url="http://znc.in" arch="all" @@ -14,12 +14,18 @@ pkggroups="$pkgusers" install="$pkgname.pre-install" subpackages="$pkgname-dev $pkgname-doc $pkgname-extra $pkgname-modtcl $pkgname-modperl $pkgname-modpython" -source="http://znc.in/releases/znc-$pkgver.tar.gz +source="http://znc.in/releases/archive/znc-$pkgver.tar.gz $pkgname.initd - $pkgname.confd" + $pkgname.confd + CVE-2019-9917.patch + CVE-2019-12816.patch + " builddir="$srcdir/znc-$pkgver" # secfixes: +# 1.7.1-r1: +# - CVE-2019-9917 +# - CVE-2019-12816 # 1.7.1-r0: # - CVE-2018-14055 # - CVE-2018-14056 @@ -111,4 +117,6 @@ _mv_to_sub() { sha512sums="907068fb0828091026d440145b70ca76109302f13c18d94f772660192434287f209a06a52da1dd39726b9a38735b3cea9afbd062eb6def4cd428bb73c562a902 znc-1.7.1.tar.gz 47f9bd00f07861e195333d2cda5b1c7386e2324a1842b890837a7936a94b65b7a269f7fee656a522ec86b58a94bd451a2a3629bd6465578681b8d0733c2c77dc znc.initd -00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29 znc.confd" +00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29 znc.confd +0c1bdb08ce5ca4b0ff8efedff9e711ffceba460594caf14aa1bfd04ca81ec2d3e2b10ed6e34960b8251f2d9d1e95ad1e9093db1aefd36beb35ff92c2e58e84f8 CVE-2019-9917.patch +187dad0bbe90b354b746ca8dc13bcaf5781cdc86b8c94670ecfbbf2b6e99b3182b588873ec58a475ece06021265f6e7f60a73bae18b28e284387b550dc3ca65d CVE-2019-12816.patch" diff --git a/main/znc/CVE-2019-12816.patch b/main/znc/CVE-2019-12816.patch new file mode 100644 index 0000000000..6d4d8b199d --- /dev/null +++ b/main/znc/CVE-2019-12816.patch 
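Review bot: The rewritten `source=` entry in the second APKBUILD hunk still fetches the release tarball over plain `http://`, so the only integrity control on the download is the `sha512sums` entry. The pinned hash does make a modified tarball fail the build today, but a checksum regenerated from an HTTP download at the next version bump would pin whatever arrived. If the upstream host serves that path over TLS (not visible here, confirm first), `source="https://znc.in/releases/archive/znc-$pkgver.tar.gz` closes that gap at no cost.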
@@ -0,0 +1,103 @@ +From 8de9e376ce531fe7f3c8b0aa4876d15b479b7311 Mon Sep 17 00:00:00 2001 +From: Alexey Sokolov <alexey+znc@asokolov.org> +Date: Wed, 12 Jun 2019 08:57:29 +0100 +Subject: [PATCH] Fix remote code execution and privilege escalation + vulnerability. + +To trigger this, need to have a user already. + +Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this. + +CVE-2019-12816 +--- + include/znc/Modules.h | 1 + + src/Modules.cpp | 38 +++++++++++++++++++++++++++++--------- + 2 files changed, 30 insertions(+), 9 deletions(-) + +diff --git a/include/znc/Modules.h b/include/znc/Modules.h +index 28fdd3a62..db8f87b81 100644 +--- a/include/znc/Modules.h ++++ b/include/znc/Modules.h +@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CModule*>, private CCoreTranslationMixin { + private: + static ModHandle OpenModule(const CString& sModule, const CString& sModPath, + CModInfo& Info, CString& sRetMsg); ++ static bool ValidateModuleName(const CString& sModule, CString& sRetMsg); + + protected: + CUser* m_pUser; +diff --git a/src/Modules.cpp b/src/Modules.cpp +index 5aec7805a..d41951a8d 100644 +--- a/src/Modules.cpp ++++ b/src/Modules.cpp +@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CString& sModule) const { + return nullptr; + } + ++bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) { ++ for (unsigned int a = 0; a < sModule.length(); a++) { ++ if (((sModule[a] < '0') || (sModule[a] > '9')) && ++ ((sModule[a] < 'a') || (sModule[a] > 'z')) && ++ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) { ++ sRetMsg = ++ t_f("Module names can only contain letters, numbers and " ++ "underscores, [{1}] is invalid")(sModule); ++ return false; ++ } ++ } ++ ++ return true; ++} ++ + bool CModules::LoadModule(const CString& sModule, const CString& sArgs, + CModInfo::EModuleType eType, CUser* pUser, + CIRCNetwork* pNetwork, CString& sRetMsg) { + sRetMsg = ""; + ++ if (!ValidateModuleName(sModule, 
sRetMsg)) { ++ return false; ++ } ++ + if (FindModule(sModule) != nullptr) { + sRetMsg = t_f("Module {1} already loaded.")(sModule); + return false; +@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CString& sModule, const CString& sArgs, + + bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule, + CString& sRetMsg) { ++ if (!ValidateModuleName(sModule, sRetMsg)) { ++ return false; ++ } ++ + CString sModPath, sTmp; + + bool bSuccess; +@@ -1799,6 +1822,10 @@ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule, + + bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule, + const CString& sModPath, CString& sRetMsg) { ++ if (!ValidateModuleName(sModule, sRetMsg)) { ++ return false; ++ } ++ + ModInfo.SetName(sModule); + ModInfo.SetPath(sModPath); + +@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CString& sModule, const CString& sModPath, + // Some sane defaults in case anything errors out below + sRetMsg.clear(); + +- for (unsigned int a = 0; a < sModule.length(); a++) { +- if (((sModule[a] < '0') || (sModule[a] > '9')) && +- ((sModule[a] < 'a') || (sModule[a] > 'z')) && +- ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) { +- sRetMsg = +- t_f("Module names can only contain letters, numbers and " +- "underscores, [{1}] is invalid")(sModule); +- return nullptr; +- } ++ if (!ValidateModuleName(sModule, sRetMsg)) { ++ return nullptr; + } + + // The second argument to dlopen() has a long history. It seems clear diff --git a/main/znc/CVE-2019-9917.patch b/main/znc/CVE-2019-9917.patch new file mode 100644 index 0000000000..595d95f553 --- /dev/null +++ b/main/znc/CVE-2019-9917.patch 
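Review bot: `ValidateModuleName` returns true for an empty `sModule`, because the character loop never runs, so an empty name passes the allow-list at all four call sites (`LoadModule`, `GetModInfo`, `GetModPathInfo`, `OpenModule`). Whether an empty name is rejected later is outside this patch, since those function bodies continue past the hunks; if it is never meant to be valid, an early `if (sModule.empty()) return false;` with a suitable `sRetMsg` would make the helper a complete gate. The helper also has no comment saying why it exists. Something like `// Allow-list [0-9A-Za-z_] only: the name is presumably used to locate the file passed to dlopen(), so path separators and dots must never get through` would tell the next maintainer not to loosen it. As a style point, the index could be `size_t` to match `sModule.length()`.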
@@ -0,0 +1,122 @@ +From 64613bc8b6b4adf1e32231f9844d99cd512b8973 Mon Sep 17 00:00:00 2001 +From: Alexey Sokolov <alexey+znc@asokolov.org> +Date: Fri, 15 Mar 2019 20:34:10 +0000 +Subject: [PATCH] Don't crash if user specified invalid encoding. + +This is CVE-2019-9917 +--- + modules/controlpanel.cpp | 2 +- + src/IRCNetwork.cpp | 4 ++-- + src/User.cpp | 4 ++-- + src/znc.cpp | 26 ++++++++++++++++++++++---- + test/integration/tests/scripting.cpp | 7 +++++++ + 5 files changed, 34 insertions(+), 9 deletions(-) + +diff --git a/modules/controlpanel.cpp b/modules/controlpanel.cpp +index 139c2aefa..109f8c6b0 100644 +--- a/modules/controlpanel.cpp ++++ b/modules/controlpanel.cpp +@@ -495,7 +495,7 @@ class CAdminMod : public CModule { + #ifdef HAVE_ICU + else if (sVar == "clientencoding") { + pUser->SetClientEncoding(sValue); +- PutModule("ClientEncoding = " + sValue); ++ PutModule("ClientEncoding = " + pUser->GetClientEncoding()); + } + #endif + else +diff --git a/src/IRCNetwork.cpp b/src/IRCNetwork.cpp +index 0284dc53e..0e1d6e2a3 100644 +--- a/src/IRCNetwork.cpp ++++ b/src/IRCNetwork.cpp +@@ -1482,9 +1482,9 @@ void CIRCNetwork::SetBindHost(const CString& s) { + } + + void CIRCNetwork::SetEncoding(const CString& s) { +- m_sEncoding = s; ++ m_sEncoding = CZNC::Get().FixupEncoding(s); + if (GetIRCSock()) { +- GetIRCSock()->SetEncoding(s); ++ GetIRCSock()->SetEncoding(m_sEncoding); + } + } + +diff --git a/src/User.cpp b/src/User.cpp +index 3fd532a7c..c44cf6070 100644 +--- a/src/User.cpp ++++ b/src/User.cpp +@@ -1253,9 +1253,9 @@ void CUser::SetAdmin(bool b) { m_bAdmin = b; } + void CUser::SetDenySetBindHost(bool b) { m_bDenySetBindHost = b; } + void CUser::SetDefaultChanModes(const CString& s) { m_sDefaultChanModes = s; } + void CUser::SetClientEncoding(const CString& s) { +- m_sClientEncoding = s; ++ m_sClientEncoding = CZNC::Get().FixupEncoding(s); + for (CClient* pClient : GetAllClients()) { +- pClient->SetEncoding(s); ++ pClient->SetEncoding(m_sClientEncoding); + } + } + 
void CUser::SetQuitMsg(const CString& s) { m_sQuitMsg = s; } +diff --git a/src/znc.cpp b/src/znc.cpp +index 4e7216ee1..3f4dd2e07 100644 +--- a/src/znc.cpp ++++ b/src/znc.cpp +@@ -2092,18 +2092,36 @@ void CZNC::ForceEncoding() { + m_uiForceEncoding++; + #ifdef HAVE_ICU + for (Csock* pSock : GetManager()) { +- if (pSock->GetEncoding().empty()) { +- pSock->SetEncoding("UTF-8"); +- } ++ pSock->SetEncoding(FixupEncoding(pSock->GetEncoding())); + } + #endif + } + void CZNC::UnforceEncoding() { m_uiForceEncoding--; } + bool CZNC::IsForcingEncoding() const { return m_uiForceEncoding; } + CString CZNC::FixupEncoding(const CString& sEncoding) const { +- if (sEncoding.empty() && m_uiForceEncoding) { ++ if (!m_uiForceEncoding) { ++ return sEncoding; ++ } ++ if (sEncoding.empty()) { ++ return "UTF-8"; ++ } ++ const char* sRealEncoding = sEncoding.c_str(); ++ if (sEncoding[0] == '*' || sEncoding[0] == '^') { ++ sRealEncoding++; ++ } ++ if (!*sRealEncoding) { + return "UTF-8"; + } ++#ifdef HAVE_ICU ++ UErrorCode e = U_ZERO_ERROR; ++ UConverter* cnv = ucnv_open(sRealEncoding, &e); ++ if (cnv) { ++ ucnv_close(cnv); ++ } ++ if (U_FAILURE(e)) { ++ return "UTF-8"; ++ } ++#endif + return sEncoding; + } + +diff --git a/test/integration/tests/scripting.cpp b/test/integration/tests/scripting.cpp +index 9dd68d8fa..8f809f50c 100644 +--- a/test/integration/tests/scripting.cpp ++++ b/test/integration/tests/scripting.cpp +@@ -55,6 +55,13 @@ TEST_F(ZNCTest, Modpython) { + ircd.Write(":n!u@h PRIVMSG nick :Hi\xF0, github issue #1229"); + // "replacement character" + client.ReadUntil("Hi\xEF\xBF\xBD, github issue"); ++ ++ // Non-existing encoding ++ client.Write("PRIVMSG *controlpanel :Set ClientEncoding $me Western"); ++ client.Write("JOIN #a\342"); ++ client.ReadUntil( ++ ":*controlpanel!znc@znc.in PRIVMSG nick :ClientEncoding = UTF-8"); ++ ircd.ReadUntil("JOIN #a\xEF\xBF\xBD"); + } + + TEST_F(ZNCTest, ModpythonSocket) { |
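Review bot: `FixupEncoding` validates the converter name only while `m_uiForceEncoding` is non-zero. The new early `if (!m_uiForceEncoding) { return sEncoding; }` hands an unknown name back unchanged, and `CUser::SetClientEncoding` and `CIRCNetwork::SetEncoding` then store it and pass it on to the sockets. If that is safe because only code that forces encoding depends on a usable converter (presumably the scripting modules, given the new test sits in `TEST_F(ZNCTest, Modpython)`), the function should say so, e.g. `// Not forcing: keep the user's string as-is; only forcing callers need a name ICU can open`. Otherwise the `ucnv_open` probe should run regardless of the force counter. The added integration test exercises only the forced path, so the unforced behaviour with an invalid name stays untested.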