ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming from the network, allowing a non-admin user to escalate his privilege and inject rogue values into znc.conf.
Gentoo Security Scout Florian Schuhmacher
I should be able to push this tonight. I'm just asking upstream (DarthGandalf) to re-review a custom patch that they added to run integration tests.
ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skin name to access files outside of the intended skins directories.
CVE-2018-14056 (https://nvd.nist.gov/vuln/detail/CVE-2018-14056):
  ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skin name to access files outside of the intended skins directories.
CVE-2018-14055 (https://nvd.nist.gov/vuln/detail/CVE-2018-14055):
  ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming from the network, allowing a non-admin user to escalate his privilege and inject rogue values into znc.conf.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25ec114c14413ef58d51274f8f1ac800b19c650c
commit 25ec114c14413ef58d51274f8f1ac800b19c650c
Author: Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2018-07-15 22:11:56 +0000
Commit: Louis Sautier <sbraz@gentoo.org>
CommitDate: 2018-07-15 22:40:41 +0000
    net-irc/znc: bump to 1.7.1_rc1, fixes multiple vulnerabilities
    Bug: https://bugs.gentoo.org/661228
    Package-Manager: Portage-2.3.42, Repoman-2.3.9
 net-irc/znc/Manifest | 1 +
 net-irc/znc/files/znc-1.7.1-inttest-dir.patch | 64 +++++++++
 net-irc/znc/znc-1.7.1_rc1.ebuild | 182 ++++++++++++++++++++++++++
 3 files changed, 247 insertions(+)
I've CC'ed the amd64, arm and x86 teams. Can you please stabilise the new version?
x86 stable
amd64 stable
An automated check of this bug failed - repoman reported dependency errors (24 lines truncated):
> dependency.bad net-irc/znc/znc-1.7.1_rc1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['dev-qt/qtnetwork:5']
> dependency.badindev net-irc/znc/znc-1.7.1_rc1.ebuild: DEPEND: arm(default/linux/arm/13.0/armv4) ['dev-qt/qtnetwork:5']
> dependency.badindev net-irc/znc/znc-1.7.1_rc1.ebuild: DEPEND: arm(default/linux/arm/13.0/armv4/desktop) ['dev-qt/qtnetwork:5']
arm stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3b663adafd6756f5fd136e71e078fe31083eac8
commit e3b663adafd6756f5fd136e71e078fe31083eac8
Author: Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2018-07-16 07:02:08 +0000
Commit: Louis Sautier <sbraz@gentoo.org>
CommitDate: 2018-07-16 07:03:45 +0000
    net-irc/znc: remove the last vulnerable version
    Bug: https://bugs.gentoo.org/661228
    Package-Manager: Portage-2.3.42, Repoman-2.3.9
 net-irc/znc/Manifest | 2 -
 net-irc/znc/files/README.gentoo | 22 ---
 .../znc-1.6.1-create-pidfile-per-default.patch | 23 ---
 net-irc/znc/files/znc-1.6.1-systemwideconfig.patch | 215 ---------------------
 net-irc/znc/files/znc.initd-r1 | 39 ----
 net-irc/znc/metadata.xml | 1 -
 net-irc/znc/znc-1.6.6.ebuild | 129 -------------
 7 files changed, 431 deletions(-)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b16146c0145d5b8729e9bceb45dc412370c88f9
commit 4b16146c0145d5b8729e9bceb45dc412370c88f9
Author: Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2018-07-17 22:49:39 +0000
Commit: Louis Sautier <sbraz@gentoo.org>
CommitDate: 2018-07-17 22:53:04 +0000
    net-irc/znc: bump to 1.7.1, only the version string changes
    See the following link for a comparison of both releases:
    https://github.com/znc/znc/compare/znc-1.7.1-rc1...znc-1.7.1
    Bug: https://bugs.gentoo.org/661228
    Package-Manager: Portage-2.3.43, Repoman-2.3.10
 net-irc/znc/Manifest | 2 +-
 net-irc/znc/{znc-1.7.1_rc1.ebuild => znc-1.7.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
This issue was resolved and addressed in GLSA 201807-03 at https://security.gentoo.org/glsa/201807-03 by GLSA coordinator Christopher Diaz Riveros (chrisadr).