Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 278684 (CVE-2009-2658)

Summary: <net-irc/znc-0.074 Path traversal bug in core (CVE-2009-2658)
Product: Gentoo Security Reporter: Brayan Arraes (YacK) <brayan>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: Dessa, gentoo, net-irc, tais.hansen
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://thread.gmane.org/gmane.comp.security.oss.general/1924
Whiteboard: B1/2? [glsa]
Package list:
Runtime testing required: ---

Description Brayan Arraes (YacK) 2009-07-22 12:51:19 UTC
ALL ZNC versions prior to 0.072 have a path traversal bug in core. Users with a valid login are able to write files to all places to which ZNC has write access. This means they could upload and load new modules which do anything imaginabl

Reproducible: Didn't try
Comment 1 Robert Förster 2009-07-23 18:41:35 UTC
please note that 0.072 had a regression which broke webadmin skins with images
0.072 shouldn't be considered being a stable version but 0.074 should be which got released today
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-23 19:11:23 UTC
Thanks. net-irc: Please bump to 0.074.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-04 19:34:27 UTC
CVE-2009-2658 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2658):
  Directory traversal vulnerability in ZNC before 0.072 allows remote
  attackers to overwrite arbitrary files via a crafted DCC SEND request.

Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-12 10:05:57 UTC
+*znc-0.074 (12 Aug 2009)
+
+  12 Aug 2009; Alex Legler <a3li@gentoo.org> -znc-0.060.ebuild,
+  -znc-0.070.ebuild, +znc-0.074.ebuild, metadata.xml:
+  Non-maintainer commit: Version bump for security bug 278684. Removing
+  unneded vulnerable versions. Adding local "ares" USE flag for
+  newly-introduced support for c-ares in 0.074.
+
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-12 10:06:30 UTC
Arches, please test and mark stable:
=net-irc/znc-0.074
Target keywords : "amd64 x86"
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-13 16:53:27 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2009-08-14 17:51:01 UTC
amd64 stable, all arches done.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-14 18:19:23 UTC
GLSA request filed.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-09-18 20:02:49 UTC
GLSA 200909-17, thanks everyone.