
Bug 935422 (CVE-2024-39844)

Summary: <net-irc/znc-1.9.1: Remote code execution vulnerability in modtcl
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS
Severity: normal
CC: ajak, satmd, sbraz
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa+ cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 935428
Bug Blocks:

Description Sam James 2024-07-03 18:10:16 UTC
See https://wiki.znc.in/ChangeLog/1.9.1.

"""
    This is a security release to fix CVE-2024-39844: remote code execution vulnerability in modtcl.
        To mitigate this for existing installations, simply unload the modtcl module for every user, if it's loaded. Note that only users with admin rights can load modtcl at all.
        Thanks to Johannes Kuhn (DasBrain) for reporting, to glguy for the patch, and to multiple IRC network operators for help with mitigating this on server side before disclosure.
"""
Comment 1 satmd 2024-07-03 19:26:29 UTC
I've read through the git diff for znc-1.9.0..znc-1.9.1 and compared with the ebuild.

It should be safe to just version bump the ebuild to 1.9.1 as-is.
Comment 2 Larry the Git Cow 2024-07-03 19:31:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45b50f01229e0996103e007f68beed45194e6239

commit 45b50f01229e0996103e007f68beed45194e6239
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-07-03 19:30:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-07-03 19:30:17 +0000

    net-irc/znc: add 1.9.1
    
    Bug: https://bugs.gentoo.org/935422
    Signed-off-by: Sam James <sam@gentoo.org>

 net-irc/znc/Manifest         |   1 +
 net-irc/znc/znc-1.9.1.ebuild | 197 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 198 insertions(+)
Comment 3 Larry the Git Cow 2024-09-24 05:16:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=c26479fb378aedb5634d1fae755c460a1b2da823

commit c26479fb378aedb5634d1fae755c460a1b2da823
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-24 05:14:03 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-24 05:16:48 +0000

    [ GLSA 202409-23 ] ZNC: Remote Code Execution
    
    Bug: https://bugs.gentoo.org/935422
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-23.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)