pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/chat/znc znc: Fix CVE-2019-12816
details: https://anonhg.NetBSD.org/pkgsrc/rev/ca3578c02df9
branches: trunk
changeset: 397196:ca3578c02df9
user: nia <nia%pkgsrc.org@localhost>
date: Tue Jun 18 10:21:37 2019 +0000
description:
znc: Fix CVE-2019-12816
This is an remote code execution and privilege escalation vulnerability.
It requires an already-existing unprivileged ZNC user.
This is znc-1.7.3nb2.
diffstat:
chat/znc/Makefile | 4 +-
chat/znc/distinfo | 4 +-
chat/znc/patches/patch-include_znc_Modules.h | 16 +++++
chat/znc/patches/patch-src_Modules.cpp | 79 ++++++++++++++++++++++++++++
4 files changed, 100 insertions(+), 3 deletions(-)
diffs (129 lines):
diff -r 462a1ae4be60 -r ca3578c02df9 chat/znc/Makefile
--- a/chat/znc/Makefile Tue Jun 18 08:45:10 2019 +0000
+++ b/chat/znc/Makefile Tue Jun 18 10:21:37 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.6 2019/04/03 00:32:28 ryoon Exp $
+# $NetBSD: Makefile,v 1.7 2019/06/18 10:21:37 nia Exp $
DISTNAME= znc-1.7.3
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= net
MASTER_SITES= https://znc.in/releases/archive/
diff -r 462a1ae4be60 -r ca3578c02df9 chat/znc/distinfo
--- a/chat/znc/distinfo Tue Jun 18 08:45:10 2019 +0000
+++ b/chat/znc/distinfo Tue Jun 18 10:21:37 2019 +0000
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.3 2019/03/31 15:20:42 nia Exp $
+$NetBSD: distinfo,v 1.4 2019/06/18 10:21:37 nia Exp $
SHA1 (znc-1.7.3.tar.gz) = 76c1c32d3ec6fc052b0c3854dbbb8896aecafee5
RMD160 (znc-1.7.3.tar.gz) = a52f7f8500dc3156dd3387f9450e8558132013d6
SHA512 (znc-1.7.3.tar.gz) = 4cd63be2cb3bc1e3950f38984b128c6511bd1b9fc01a00d51cfcdc46826c2dedad120d6ed8e30d9c400909e33d39b2b14579fb40ee1e3508b7f3a07eff3a15d8
Size (znc-1.7.3.tar.gz) = 2084575 bytes
+SHA1 (patch-include_znc_Modules.h) = 57f5d2dcb0021c3c7c0162ccd06ad8698e68022e
+SHA1 (patch-src_Modules.cpp) = adb6f87f4c441cd438110aa58fdb31b481212eff
diff -r 462a1ae4be60 -r ca3578c02df9 chat/znc/patches/patch-include_znc_Modules.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/chat/znc/patches/patch-include_znc_Modules.h Tue Jun 18 10:21:37 2019 +0000
@@ -0,0 +1,16 @@
+$NetBSD: patch-include_znc_Modules.h,v 1.1 2019/06/18 10:21:37 nia Exp $
+
+Fix CVE-2019-12816
+
+https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311
+
+--- include/znc/Modules.h.orig 2019-03-30 14:37:00.000000000 +0000
++++ include/znc/Modules.h
+@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CMod
+ private:
+ static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+ CModInfo& Info, CString& sRetMsg);
++ static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);
+
+ protected:
+ CUser* m_pUser;
diff -r 462a1ae4be60 -r ca3578c02df9 chat/znc/patches/patch-src_Modules.cpp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/chat/znc/patches/patch-src_Modules.cpp Tue Jun 18 10:21:37 2019 +0000
@@ -0,0 +1,79 @@
+$NetBSD: patch-src_Modules.cpp,v 1.1 2019/06/18 10:21:37 nia Exp $
+
+Fix CVE-2019-12816
+
+https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311
+
+--- src/Modules.cpp.orig 2019-03-30 14:37:00.000000000 +0000
++++ src/Modules.cpp
+@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CStr
+ return nullptr;
+ }
+
++bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
++ for (unsigned int a = 0; a < sModule.length(); a++) {
++ if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++ ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++ sRetMsg =
++ t_f("Module names can only contain letters, numbers and "
++ "underscores, [{1}] is invalid")(sModule);
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
+ CModInfo::EModuleType eType, CUser* pUser,
+ CIRCNetwork* pNetwork, CString& sRetMsg) {
+ sRetMsg = "";
+
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ if (FindModule(sModule) != nullptr) {
+ sRetMsg = t_f("Module {1} already loaded.")(sModule);
+ return false;
+@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CStrin
+
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+ CString& sRetMsg) {
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ CString sModPath, sTmp;
+
+ bool bSuccess;
+@@ -1799,6 +1822,10 @@ bool CModules::GetModInfo(CModInfo& ModI
+
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
+ const CString& sModPath, CString& sRetMsg) {
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ ModInfo.SetName(sModule);
+ ModInfo.SetPath(sModPath);
+
+@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CSt
+ // Some sane defaults in case anything errors out below
+ sRetMsg.clear();
+
+- for (unsigned int a = 0; a < sModule.length(); a++) {
+- if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+- ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+- ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+- sRetMsg =
+- t_f("Module names can only contain letters, numbers and "
+- "underscores, [{1}] is invalid")(sModule);
+- return nullptr;
+- }
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return nullptr;
+ }
+
+ // The second argument to dlopen() has a long history. It seems clear
Home |
Main Index |
Thread Index |
Old Index