From 5779614d267732fc382c1684202543fdbd924b4c Mon Sep 17 00:00:00 2001 From: Jonas Gorski Date: Mon, 24 Jun 2019 14:08:06 +0200 Subject: [PATCH] znc: backport fix for CVE-2019-12816 Backport the fix for CVE-2019-12816 from 1.7.4 to 1.6.x. Signed-off-by: Jonas Gorski --- net/znc/Makefile | 2 +- ...execution-and-privilege-escalation-v.patch | 92 +++++++++++++++++++ 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 net/znc/patches/004-Fix-remote-code-execution-and-privilege-escalation-v.patch diff --git a/net/znc/Makefile b/net/znc/Makefile index 546b43f79f..b04e1fc5f1 100644 --- a/net/znc/Makefile +++ b/net/znc/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=znc PKG_VERSION:=1.6.6 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://znc.in/releases \ diff --git a/net/znc/patches/004-Fix-remote-code-execution-and-privilege-escalation-v.patch b/net/znc/patches/004-Fix-remote-code-execution-and-privilege-escalation-v.patch new file mode 100644 index 0000000000..f9648ab435 --- /dev/null +++ b/net/znc/patches/004-Fix-remote-code-execution-and-privilege-escalation-v.patch @@ -0,0 +1,92 @@ +From a06aa79a308585cc6048f725f2dc3c1d55ff9991 Mon Sep 17 00:00:00 2001 +From: Alexey Sokolov +Date: Wed, 12 Jun 2019 08:57:29 +0100 +Subject: [PATCH] Fix remote code execution and privilege escalation + vulnerability. + +To trigger this, need to have a user already. + +Thanks for Jeriko One for finding and reporting this. + +CVE-2019-12816 +--- + include/znc/Modules.h | 1 + + src/Modules.cpp | 33 ++++++++++++++++++++++++++++----- + 2 files changed, 29 insertions(+), 5 deletions(-) + +--- a/include/znc/Modules.h ++++ b/include/znc/Modules.h +@@ -1253,6 +1253,7 @@ public: + private: + static ModHandle OpenModule(const CString& sModule, const CString& sModPath, + bool &bVersionMismatch, CModInfo& Info, CString& sRetMsg); ++ static bool ValidateModuleName(const CString& sModule, CString& sRetMsg); + + protected: + CUser* m_pUser; +--- a/src/Modules.cpp ++++ b/src/Modules.cpp +@@ -1014,9 +1014,26 @@ CModule* CModules::FindModule(const CStr + return NULL; + } + ++bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) { ++ for (unsigned int a = 0; a < sModule.length(); a++) { ++ if (((sModule[a] < '0') || (sModule[a] > '9')) && ++ ((sModule[a] < 'a') || (sModule[a] > 'z')) && ++ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) { ++ sRetMsg = "Module names can only contain letters, numbers and underscores, [" + sModule + "] is invalid."; ++ return false; ++ } ++ } ++ ++ return true; ++} ++ + bool CModules::LoadModule(const CString& sModule, const CString& sArgs, CModInfo::EModuleType eType, CUser* pUser, CIRCNetwork *pNetwork, CString& sRetMsg) { + sRetMsg = ""; + ++ if (!ValidateModuleName(sModule, sRetMsg)) { ++ return false; ++ } ++ + if (FindModule(sModule) != NULL) { + sRetMsg = "Module [" + sModule + "] already loaded."; + return false; +@@ -1167,6 +1184,10 @@ bool CModules::ReloadModule(const CStrin + bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule, CString& sRetMsg) { + CString sModPath, sTmp; + ++ if (!ValidateModuleName(sModule, sRetMsg)) { ++ return false; ++ } ++ + bool bSuccess; + bool bHandled = false; + GLOBALMODULECALL(OnGetModInfo(ModInfo, sModule, bSuccess, sRetMsg), &bHandled); +@@ -1183,6 +1204,10 @@ bool CModules::GetModInfo(CModInfo& ModI + bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule, const CString& sModPath, CString& sRetMsg) { + bool bVersionMismatch; + ++ if (!ValidateModuleName(sModule, sRetMsg)) { ++ return false; ++ } ++ + ModHandle p = OpenModule(sModule, sModPath, bVersionMismatch, ModInfo, sRetMsg); + + if (!p) +@@ -1302,11 +1327,9 @@ ModHandle CModules::OpenModule(const CSt + bVersionMismatch = false; + sRetMsg.clear(); + +- for (unsigned int a = 0; a < sModule.length(); a++) { +- if (((sModule[a] < '0') || (sModule[a] > '9')) && ((sModule[a] < 'a') || (sModule[a] > 'z')) && ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) { +- sRetMsg = "Module names can only contain letters, numbers and underscores, [" + sModule + "] is invalid."; +- return NULL; +- } ++ ++ if (!ValidateModuleName(sModule, sRetMsg)) { ++ return NULL; + } + + // The second argument to dlopen() has a long history. It seems clear