Bug 661228 (CVE-2018-14055, CVE-2018-14056) - <net-irc/znc-1.7.1_rc1: multiple vulnerabilities (CVE-2018-{14055,14056})
Summary: <net-irc/znc-1.7.1_rc1: multiple vulnerabilities (CVE-2018-{14055,14056})
Status: RESOLVED FIXED
Alias: CVE-2018-14055, CVE-2018-14056
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: B1 [glsa+ cve]
Reported: 2018-07-15 10:56 UTC by Florian Schuhmacher
Modified: 2018-07-29 22:05 UTC
Package list:
net-irc/znc-1.7.1_rc1
Runtime testing required: ---
stable-bot: sanity-check+


Description Florian Schuhmacher 2018-07-15 10:56:20 UTC
ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming from the network, allowing a non-admin user to escalate his privilege and inject rogue values into znc.conf. 


Gentoo Security Scout
Florian Schuhmacher
Comment 1 Louis Sautier (sbraz) gentoo-dev 2018-07-15 13:49:32 UTC
I should be able to push this tonight. I'm just asking upstream (DarthGandalf) to re-review a custom patch that they added to run integration tests.
Comment 2 Florian Schuhmacher 2018-07-15 16:16:24 UTC
ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skin name to access files outside of the intended skins directories.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2018-07-15 18:24:57 UTC
CVE-2018-14056 (https://nvd.nist.gov/vuln/detail/CVE-2018-14056):
  ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skin
  name to access files outside of the intended skins directories.

CVE-2018-14055 (https://nvd.nist.gov/vuln/detail/CVE-2018-14055):
  ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming from
  the network, allowing a non-admin user to escalate his privilege and inject
  rogue values into znc.conf.
Comment 4 Larry the Git Cow gentoo-dev 2018-07-15 22:40:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25ec114c14413ef58d51274f8f1ac800b19c650c

commit 25ec114c14413ef58d51274f8f1ac800b19c650c
Author:     Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2018-07-15 22:11:56 +0000
Commit:     Louis Sautier <sbraz@gentoo.org>
CommitDate: 2018-07-15 22:40:41 +0000

    net-irc/znc: bump to 1.7.1_rc1, fixes multiple vulnerabilities
    
    Bug: https://bugs.gentoo.org/661228
    Package-Manager: Portage-2.3.42, Repoman-2.3.9

 net-irc/znc/Manifest                          |   1 +
 net-irc/znc/files/znc-1.7.1-inttest-dir.patch |  64 +++++++++
 net-irc/znc/znc-1.7.1_rc1.ebuild              | 182 ++++++++++++++++++++++++++
 3 files changed, 247 insertions(+)
Comment 5 Louis Sautier (sbraz) gentoo-dev 2018-07-15 22:57:41 UTC
I've CC'ed the amd64, arm and x86 teams. Can you please stabilise the new version?
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-15 23:31:16 UTC
x86 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-07-15 23:38:35 UTC
amd64 stable
Comment 8 Stabilization helper bot gentoo-dev 2018-07-16 00:03:42 UTC
An automated check of this bug failed - repoman reported dependency errors (24 lines truncated): 

> dependency.bad net-irc/znc/znc-1.7.1_rc1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['dev-qt/qtnetwork:5']
> dependency.badindev net-irc/znc/znc-1.7.1_rc1.ebuild: DEPEND: arm(default/linux/arm/13.0/armv4) ['dev-qt/qtnetwork:5']
> dependency.badindev net-irc/znc/znc-1.7.1_rc1.ebuild: DEPEND: arm(default/linux/arm/13.0/armv4/desktop) ['dev-qt/qtnetwork:5']
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-07-16 01:11:52 UTC
arm stable
Comment 10 Larry the Git Cow gentoo-dev 2018-07-16 07:07:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3b663adafd6756f5fd136e71e078fe31083eac8

commit e3b663adafd6756f5fd136e71e078fe31083eac8
Author:     Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2018-07-16 07:02:08 +0000
Commit:     Louis Sautier <sbraz@gentoo.org>
CommitDate: 2018-07-16 07:03:45 +0000

    net-irc/znc: remove the last vulnerable version
    
    Bug: https://bugs.gentoo.org/661228
    Package-Manager: Portage-2.3.42, Repoman-2.3.9

 net-irc/znc/Manifest                               |   2 -
 net-irc/znc/files/README.gentoo                    |  22 ---
 .../znc-1.6.1-create-pidfile-per-default.patch     |  23 ---
 net-irc/znc/files/znc-1.6.1-systemwideconfig.patch | 215 ---------------------
 net-irc/znc/files/znc.initd-r1                     |  39 ----
 net-irc/znc/metadata.xml                           |   1 -
 net-irc/znc/znc-1.6.6.ebuild                       | 129 -------------
 7 files changed, 431 deletions(-)
Comment 11 Larry the Git Cow gentoo-dev 2018-07-17 22:54:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b16146c0145d5b8729e9bceb45dc412370c88f9

commit 4b16146c0145d5b8729e9bceb45dc412370c88f9
Author:     Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2018-07-17 22:49:39 +0000
Commit:     Louis Sautier <sbraz@gentoo.org>
CommitDate: 2018-07-17 22:53:04 +0000

    net-irc/znc: bump to 1.7.1, only the version string changes
    
    See the following link for a comparison of both releases:
    https://github.com/znc/znc/compare/znc-1.7.1-rc1...znc-1.7.1
    
    Bug: https://bugs.gentoo.org/661228
    Package-Manager: Portage-2.3.43, Repoman-2.3.10

 net-irc/znc/Manifest                                   | 2 +-
 net-irc/znc/{znc-1.7.1_rc1.ebuild => znc-1.7.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2018-07-29 22:04:18 UTC
This issue was resolved and addressed in
 GLSA 201807-03 at https://security.gentoo.org/glsa/201807-03
by GLSA coordinator Christopher Diaz Riveros (chrisadr).