Summary: | <net-irc/znc-1.7.1_rc1: multiple vulnerabilities (CVE-2018-{14055,14056}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Florian Schuhmacher <mynt1aa> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | sbraz |
Priority: | High | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B1 [glsa+ cve] | ||
Package list: | net-irc/znc-1.7.1_rc1 | ||
Runtime testing required: | --- |
Description
Florian Schuhmacher
2018-07-15 10:56:20 UTC
I should be able to push this tonight. I'm just asking upstream (DarthGandalf) to re-review a custom patch that they added to run integration tests.

ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skin name to access files outside of the intended skins directories.

CVE-2018-14056 (https://nvd.nist.gov/vuln/detail/CVE-2018-14056): ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skin name to access files outside of the intended skins directories.

CVE-2018-14055 (https://nvd.nist.gov/vuln/detail/CVE-2018-14055): ZNC before 1.7.1-rc1 does not properly validate untrusted lines coming from the network, allowing a non-admin user to escalate his privilege and inject rogue values into znc.conf.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25ec114c14413ef58d51274f8f1ac800b19c650c

commit 25ec114c14413ef58d51274f8f1ac800b19c650c
Author: Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2018-07-15 22:11:56 +0000
Commit: Louis Sautier <sbraz@gentoo.org>
CommitDate: 2018-07-15 22:40:41 +0000

net-irc/znc: bump to 1.7.1_rc1, fixes multiple vulnerabilities

Bug: https://bugs.gentoo.org/661228
Package-Manager: Portage-2.3.42, Repoman-2.3.9

net-irc/znc/Manifest | 1 +
net-irc/znc/files/znc-1.7.1-inttest-dir.patch | 64 +++++++++
net-irc/znc/znc-1.7.1_rc1.ebuild | 182 ++++++++++++++++++++++++++
3 files changed, 247 insertions(+)

I've CC'ed the amd64, arm and x86 teams. Can you please stabilise the new version?

x86 stable

amd64 stable

An automated check of this bug failed - repoman reported dependency errors (24 lines truncated):
> dependency.bad net-irc/znc/znc-1.7.1_rc1.ebuild: DEPEND: arm(default/linux/arm/13.0) ['dev-qt/qtnetwork:5']
> dependency.badindev net-irc/znc/znc-1.7.1_rc1.ebuild: DEPEND: arm(default/linux/arm/13.0/armv4) ['dev-qt/qtnetwork:5']
> dependency.badindev net-irc/znc/znc-1.7.1_rc1.ebuild: DEPEND: arm(default/linux/arm/13.0/armv4/desktop) ['dev-qt/qtnetwork:5']
arm stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3b663adafd6756f5fd136e71e078fe31083eac8

commit e3b663adafd6756f5fd136e71e078fe31083eac8
Author: Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2018-07-16 07:02:08 +0000
Commit: Louis Sautier <sbraz@gentoo.org>
CommitDate: 2018-07-16 07:03:45 +0000

net-irc/znc: remove the last vulnerable version

Bug: https://bugs.gentoo.org/661228
Package-Manager: Portage-2.3.42, Repoman-2.3.9

net-irc/znc/Manifest | 2 -
net-irc/znc/files/README.gentoo | 22 ---
.../znc-1.6.1-create-pidfile-per-default.patch | 23 ---
net-irc/znc/files/znc-1.6.1-systemwideconfig.patch | 215 ---------------------
net-irc/znc/files/znc.initd-r1 | 39 ----
net-irc/znc/metadata.xml | 1 -
net-irc/znc/znc-1.6.6.ebuild | 129 -------------
7 files changed, 431 deletions(-)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b16146c0145d5b8729e9bceb45dc412370c88f9

commit 4b16146c0145d5b8729e9bceb45dc412370c88f9
Author: Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2018-07-17 22:49:39 +0000
Commit: Louis Sautier <sbraz@gentoo.org>
CommitDate: 2018-07-17 22:53:04 +0000

net-irc/znc: bump to 1.7.1, only the version string changes

See the following link for a comparison of both releases:
https://github.com/znc/znc/compare/znc-1.7.1-rc1...znc-1.7.1

Bug: https://bugs.gentoo.org/661228
Package-Manager: Portage-2.3.43, Repoman-2.3.10

net-irc/znc/Manifest | 2 +-
net-irc/znc/{znc-1.7.1_rc1.ebuild => znc-1.7.1.ebuild} | 0
2 files changed, 1 insertion(+), 1 deletion(-)

This issue was resolved and addressed in GLSA 201807-03 at https://security.gentoo.org/glsa/201807-03 by GLSA coordinator Christopher Diaz Riveros (chrisadr).