Commit bbe0e7a4 authored by Rasmus Thomsen's avatar Rasmus Thomsen Committed by Natanael Copa

main/znc: add patches fo CVE-2019-9917 and CVE-2019-12816

ref #10732
parent 6ffa77ed
......@@ -2,7 +2,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=znc
pkgver=1.7.1
pkgrel=0
pkgrel=1
pkgdesc="Advanced IRC bouncer"
url="http://znc.in"
arch="all"
......@@ -14,12 +14,18 @@ pkggroups="$pkgusers"
install="$pkgname.pre-install"
subpackages="$pkgname-dev $pkgname-doc $pkgname-extra $pkgname-modtcl
$pkgname-modperl $pkgname-modpython"
source="http://znc.in/releases/znc-$pkgver.tar.gz
source="http://znc.in/releases/archive/znc-$pkgver.tar.gz
$pkgname.initd
$pkgname.confd"
$pkgname.confd
CVE-2019-9917.patch
CVE-2019-12816.patch
"
builddir="$srcdir/znc-$pkgver"
# secfixes:
# 1.7.1-r1:
# - CVE-2019-9917
# - CVE-2019-12816
# 1.7.1-r0:
# - CVE-2018-14055
# - CVE-2018-14056
......@@ -111,4 +117,6 @@ _mv_to_sub() {
sha512sums="907068fb0828091026d440145b70ca76109302f13c18d94f772660192434287f209a06a52da1dd39726b9a38735b3cea9afbd062eb6def4cd428bb73c562a902 znc-1.7.1.tar.gz
47f9bd00f07861e195333d2cda5b1c7386e2324a1842b890837a7936a94b65b7a269f7fee656a522ec86b58a94bd451a2a3629bd6465578681b8d0733c2c77dc znc.initd
00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29 znc.confd"
00360f9b487ed5a9d50c85ce597e65c89cf869cabb893c294d0bc7fcd88f9610ecb63ba6df7af1ba1dd977b6d5b05da625a3ee799a46d381f17ac04b976a1f29 znc.confd
0c1bdb08ce5ca4b0ff8efedff9e711ffceba460594caf14aa1bfd04ca81ec2d3e2b10ed6e34960b8251f2d9d1e95ad1e9093db1aefd36beb35ff92c2e58e84f8 CVE-2019-9917.patch
187dad0bbe90b354b746ca8dc13bcaf5781cdc86b8c94670ecfbbf2b6e99b3182b588873ec58a475ece06021265f6e7f60a73bae18b28e284387b550dc3ca65d CVE-2019-12816.patch"
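Review bot: The `source=` entry that points at `releases/archive/` still fetches the tarball over plain `http://`, so the download's integrity rests entirely on the matching `sha512sums` line. Since the URL is being edited anyway, prefer `source="https://znc.in/releases/archive/znc-$pkgver.tar.gz` if the upstream host serves the archive over TLS, which this page does not show. The `url=` field in the first hunk uses the same scheme.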
From 8de9e376ce531fe7f3c8b0aa4876d15b479b7311 Mon Sep 17 00:00:00 2001
From: Alexey Sokolov <alexey+znc@asokolov.org>
Date: Wed, 12 Jun 2019 08:57:29 +0100
Subject: [PATCH] Fix remote code execution and privilege escalation
vulnerability.
To trigger this, need to have a user already.
Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
CVE-2019-12816
---
include/znc/Modules.h | 1 +
src/Modules.cpp | 38 +++++++++++++++++++++++++++++---------
2 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/include/znc/Modules.h b/include/znc/Modules.h
index 28fdd3a62..db8f87b81 100644
--- a/include/znc/Modules.h
+++ b/include/znc/Modules.h
@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CModule*>, private CCoreTranslationMixin {
private:
static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
CModInfo& Info, CString& sRetMsg);
+ static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);
protected:
CUser* m_pUser;
diff --git a/src/Modules.cpp b/src/Modules.cpp
index 5aec7805a..d41951a8d 100644
--- a/src/Modules.cpp
+++ b/src/Modules.cpp
@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CString& sModule) const {
return nullptr;
}
+bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
+ for (unsigned int a = 0; a < sModule.length(); a++) {
+ if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+ ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+ sRetMsg =
+ t_f("Module names can only contain letters, numbers and "
+ "underscores, [{1}] is invalid")(sModule);
+ return false;
+ }
+ }
+
+ return true;
+}
+
bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
CModInfo::EModuleType eType, CUser* pUser,
CIRCNetwork* pNetwork, CString& sRetMsg) {
sRetMsg = "";
+ if (!ValidateModuleName(sModule, sRetMsg)) {
+ return false;
+ }
+
if (FindModule(sModule) != nullptr) {
sRetMsg = t_f("Module {1} already loaded.")(sModule);
return false;
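Review bot: `ValidateModuleName` accepts an empty `sModule`, because the character loop never runs and control falls through to `return true`. If no later step rejects an empty name (not visible in this hunk), add `if (sModule.empty())` ahead of the loop, set `sRetMsg` to a translated message and return false, so that the allow-list stands on its own. A one-line comment above the function, for example `// Allow-list for module names: [A-Za-z0-9_] only; checked before any module lookup or load.`, would also record why every entry point calls it. `LoadModule` continues outside the hunk.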
@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CString& sModule, const CString& sArgs,
bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
CString& sRetMsg) {
+ if (!ValidateModuleName(sModule, sRetMsg)) {
+ return false;
+ }
+
CString sModPath, sTmp;
bool bSuccess;
@@ -1799,6 +1822,10 @@ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
const CString& sModPath, CString& sRetMsg) {
+ if (!ValidateModuleName(sModule, sRetMsg)) {
+ return false;
+ }
+
ModInfo.SetName(sModule);
ModInfo.SetPath(sModPath);
@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CString& sModule, const CString& sModPath,
// Some sane defaults in case anything errors out below
sRetMsg.clear();
- for (unsigned int a = 0; a < sModule.length(); a++) {
- if (((sModule[a] < '0') || (sModule[a] > '9')) &&
- ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
- ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
- sRetMsg =
- t_f("Module names can only contain letters, numbers and "
- "underscores, [{1}] is invalid")(sModule);
- return nullptr;
- }
+ if (!ValidateModuleName(sModule, sRetMsg)) {
+ return nullptr;
}
// The second argument to dlopen() has a long history. It seems clear
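Review bot: The check kept in `OpenModule` now repeats the ones this patch adds to `LoadModule`, `GetModInfo` and `GetModPathInfo`, and nothing in the code says the repetition is deliberate. A short comment would stop a later cleanup from removing what appears to be the last check before the `dlopen()` call mentioned just below: `// Validated again on purpose: last gate before the module is opened.` `OpenModule` starts and ends outside this hunk.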
From 64613bc8b6b4adf1e32231f9844d99cd512b8973 Mon Sep 17 00:00:00 2001
From: Alexey Sokolov <alexey+znc@asokolov.org>
Date: Fri, 15 Mar 2019 20:34:10 +0000
Subject: [PATCH] Don't crash if user specified invalid encoding.
This is CVE-2019-9917
---
modules/controlpanel.cpp | 2 +-
src/IRCNetwork.cpp | 4 ++--
src/User.cpp | 4 ++--
src/znc.cpp | 26 ++++++++++++++++++++++----
test/integration/tests/scripting.cpp | 7 +++++++
5 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/modules/controlpanel.cpp b/modules/controlpanel.cpp
index 139c2aefa..109f8c6b0 100644
--- a/modules/controlpanel.cpp
+++ b/modules/controlpanel.cpp
@@ -495,7 +495,7 @@ class CAdminMod : public CModule {
#ifdef HAVE_ICU
else if (sVar == "clientencoding") {
pUser->SetClientEncoding(sValue);
- PutModule("ClientEncoding = " + sValue);
+ PutModule("ClientEncoding = " + pUser->GetClientEncoding());
}
#endif
else
diff --git a/src/IRCNetwork.cpp b/src/IRCNetwork.cpp
index 0284dc53e..0e1d6e2a3 100644
--- a/src/IRCNetwork.cpp
+++ b/src/IRCNetwork.cpp
@@ -1482,9 +1482,9 @@ void CIRCNetwork::SetBindHost(const CString& s) {
}
void CIRCNetwork::SetEncoding(const CString& s) {
- m_sEncoding = s;
+ m_sEncoding = CZNC::Get().FixupEncoding(s);
if (GetIRCSock()) {
- GetIRCSock()->SetEncoding(s);
+ GetIRCSock()->SetEncoding(m_sEncoding);
}
}
diff --git a/src/User.cpp b/src/User.cpp
index 3fd532a7c..c44cf6070 100644
--- a/src/User.cpp
+++ b/src/User.cpp
@@ -1253,9 +1253,9 @@ void CUser::SetAdmin(bool b) { m_bAdmin = b; }
void CUser::SetDenySetBindHost(bool b) { m_bDenySetBindHost = b; }
void CUser::SetDefaultChanModes(const CString& s) { m_sDefaultChanModes = s; }
void CUser::SetClientEncoding(const CString& s) {
- m_sClientEncoding = s;
+ m_sClientEncoding = CZNC::Get().FixupEncoding(s);
for (CClient* pClient : GetAllClients()) {
- pClient->SetEncoding(s);
+ pClient->SetEncoding(m_sClientEncoding);
}
}
void CUser::SetQuitMsg(const CString& s) { m_sQuitMsg = s; }
diff --git a/src/znc.cpp b/src/znc.cpp
index 4e7216ee1..3f4dd2e07 100644
--- a/src/znc.cpp
+++ b/src/znc.cpp
@@ -2092,18 +2092,36 @@ void CZNC::ForceEncoding() {
m_uiForceEncoding++;
#ifdef HAVE_ICU
for (Csock* pSock : GetManager()) {
- if (pSock->GetEncoding().empty()) {
- pSock->SetEncoding("UTF-8");
- }
+ pSock->SetEncoding(FixupEncoding(pSock->GetEncoding()));
}
#endif
}
void CZNC::UnforceEncoding() { m_uiForceEncoding--; }
bool CZNC::IsForcingEncoding() const { return m_uiForceEncoding; }
CString CZNC::FixupEncoding(const CString& sEncoding) const {
- if (sEncoding.empty() && m_uiForceEncoding) {
+ if (!m_uiForceEncoding) {
+ return sEncoding;
+ }
+ if (sEncoding.empty()) {
+ return "UTF-8";
+ }
+ const char* sRealEncoding = sEncoding.c_str();
+ if (sEncoding[0] == '*' || sEncoding[0] == '^') {
+ sRealEncoding++;
+ }
+ if (!*sRealEncoding) {
return "UTF-8";
}
+#ifdef HAVE_ICU
+ UErrorCode e = U_ZERO_ERROR;
+ UConverter* cnv = ucnv_open(sRealEncoding, &e);
+ if (cnv) {
+ ucnv_close(cnv);
+ }
+ if (U_FAILURE(e)) {
+ return "UTF-8";
+ }
+#endif
return sEncoding;
}
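Review bot: `FixupEncoding` returns `sEncoding` unchecked whenever `m_uiForceEncoding` is zero, so on that path `CIRCNetwork::SetEncoding` and `CUser::SetClientEncoding` still store an unknown converter name and pass it to the sockets. If the unforced path can also hand that name to a converter (not visible here), the `ucnv_open` probe should run before the `!m_uiForceEncoding` early return rather than after it. The prefix handling would also read more easily with a comment such as `// Skip a leading '*' or '^' before probing the converter name.`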
diff --git a/test/integration/tests/scripting.cpp b/test/integration/tests/scripting.cpp
index 9dd68d8fa..8f809f50c 100644
--- a/test/integration/tests/scripting.cpp
+++ b/test/integration/tests/scripting.cpp
@@ -55,6 +55,13 @@ TEST_F(ZNCTest, Modpython) {
ircd.Write(":n!u@h PRIVMSG nick :Hi\xF0, github issue #1229");
// "replacement character"
client.ReadUntil("Hi\xEF\xBF\xBD, github issue");
+
+ // Non-existing encoding
+ client.Write("PRIVMSG *controlpanel :Set ClientEncoding $me Western");
+ client.Write("JOIN #a\342");
+ client.ReadUntil(
+ ":*controlpanel!znc@znc.in PRIVMSG nick :ClientEncoding = UTF-8");
+ ircd.ReadUntil("JOIN #a\xEF\xBF\xBD");
}
TEST_F(ZNCTest, ModpythonSocket) {
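Review bot: The added case covers only the bare name `Western` through `Set ClientEncoding`. The `'*'`/`'^'` prefix branch of `FixupEncoding` and the `CIRCNetwork::SetEncoding` change have no coverage. A prefixed variant next to it would pin the fallback, e.g. `client.Write("PRIVMSG *controlpanel :Set ClientEncoding $me ^Western");` followed by the same `ReadUntil` on `ClientEncoding = UTF-8`, which is what the visible `FixupEncoding` code should produce while encoding is forced. The `Modpython` test body starts outside the hunk.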