Bug 935422 (CVE-2024-39844)

Summary:	<net-irc/znc-1.9.1: Remote code execution vulnerability in modtcl
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	ajak, satmd, sbraz
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B2 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	935428
Bug Blocks:

Description Sam James archtester

2024-07-03 18:10:16 UTC

See https://wiki.znc.in/ChangeLog/1.9.1.

"""
    This is a security release to fix CVE-2024-39844: remote code execution vulnerability in modtcl.
        To mitigate this for existing installations, simply unload the modtcl module for every user, if it's loaded. Note that only users with admin rights can load modtcl at all.
        Thanks to Johannes Kuhn (DasBrain) for reporting, to glguy for the patch, and to multiple IRC network operators for help with mitigating this on server side before disclosure.
"""

Comment 1 satmd 2024-07-03 19:26:29 UTC

I've read through the git diff for znc-1.9.0..znc-1.9.1 and compared with the ebuild.

It should be safe to just version bump the ebuild to 1.9.1 as-is.

Comment 2 Larry the Git Cow gentoo-dev

2024-07-03 19:31:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45b50f01229e0996103e007f68beed45194e6239

commit 45b50f01229e0996103e007f68beed45194e6239
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-07-03 19:30:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-03 19:30:17 +0000

    net-irc/znc: add 1.9.1
    
    Bug: https://bugs.gentoo.org/935422
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/znc/Manifest         |   1 +
 net-irc/znc/znc-1.9.1.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2024-09-24 05:16:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c26479fb378aedb5634d1fae755c460a1b2da823

commit c26479fb378aedb5634d1fae755c460a1b2da823
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-24 05:14:03 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-24 05:16:48 +0000

    [ GLSA 202409-23 ] ZNC: Remote Code Execution
    
    Bug: https://bugs.gentoo.org/935422
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-23.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

Comment 4 Larry the Git Cow gentoo-dev

2024-12-02 06:03:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=48c391750022adf7604e8ea1cac2188bd8028b13

commit 48c391750022adf7604e8ea1cac2188bd8028b13
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-12-02 06:00:28 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-12-02 06:03:41 +0000

    net-irc/znc: drop 1.8.2-r2, 1.9.0
    
    Bug: https://bugs.gentoo.org/935422
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-irc/znc/Manifest                               |   3 -
 net-irc/znc/files/znc-1.8.2-add-libera.patch       |  55 -----
 .../znc/files/znc-1.8.2-fix-odr-violation.patch    |  56 -----
 net-irc/znc/files/znc-1.8.2-fix-python-3.10.patch  |  31 ---
 net-irc/znc/files/znc-1.8.2-fix-swig-2.patch       | 123 ----------
 net-irc/znc/files/znc-1.8.2-fix-swig.patch         |  43 ----
 .../znc/files/znc-1.8.2-fix-systemd-datadir.patch  |  23 --
 ....9.0-skip-modperl-modpython-tests-cleaner.patch | 248 ---------------------
 net-irc/znc/znc-1.8.2-r2.ebuild                    | 197 ----------------
 net-irc/znc/znc-1.9.0.ebuild                       | 199 -----------------
 10 files changed, 978 deletions(-)