Bug 278684 (CVE-2009-2658) - <net-irc/znc-0.074 Path traversal bug in core (CVE-2009-2658)
Summary: <net-irc/znc-0.074 Path traversal bug in core (CVE-2009-2658)
Alias: CVE-2009-2658
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B1/2? [glsa]
Reported: 2009-07-22 12:51 UTC by Brayan Arraes (YacK)
Modified: 2009-09-18 20:02 UTC
Description Brayan Arraes (YacK) 2009-07-22 12:51:19 UTC
ALL ZNC versions prior to 0.072 have a path traversal bug in core. Users with a valid login are able to write files to all places to which ZNC has write access. This means they could upload and load new modules which do anything imaginable.

Reproducible: Didn't try
Comment 1 Robert Förster 2009-07-23 18:41:35 UTC
Please note that 0.072 had a regression which broke webadmin skins with images.
0.072 shouldn't be considered a stable version, but 0.074, which was released today, should be.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-23 19:11:23 UTC
Thanks. net-irc: Please bump to 0.074.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-04 19:34:27 UTC
CVE-2009-2658:
  Directory traversal vulnerability in ZNC before 0.072 allows remote
  attackers to overwrite arbitrary files via a crafted DCC SEND request.

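The two descriptions above (a logged-in user writing files anywhere ZNC can write, and the CVE text naming a crafted DCC SEND request as the vector) describe one bug: the file name carried in the DCC SEND CTCP is joined onto a download directory without checking for ".." or separators. The following C++ is an added example written for this page, not ZNC's code and not the fix that shipped in 0.072; it shows the vulnerable join beside a hardened check and a lexical containment test. The download directory, the CTCP samples and the "refuse rather than rename" policy are all assumptions made here.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Constructed download directory for the example; the real ZNC user layout
// is not assumed here.
static const std::string kDownloadDir = "/home/znc/.znc/users/alice/downloads";

// Parse the payload of a CTCP "DCC SEND <file> <ip> <port> [<size>]" message.
// Some clients double-quote a file name containing spaces (a client convention,
// not a formal spec). Returns false on malformed input.
bool ParseDccSendFileName(const std::string& ctcp, std::string& fileName) {
    const std::string prefix = "DCC SEND ";
    if (ctcp.compare(0, prefix.size(), prefix) != 0) return false;
    const std::string rest = ctcp.substr(prefix.size());
    if (rest.empty()) return false;
    if (rest[0] == '"') {
        const std::size_t end = rest.find('"', 1);
        if (end == std::string::npos) return false;
        fileName = rest.substr(1, end - 1);
    } else {
        fileName = rest.substr(0, rest.find(' '));
    }
    return !fileName.empty();
}

// Vulnerable pattern (illustrative, not ZNC's code): join the remote-supplied
// name onto the download directory verbatim. "../" segments walk out of it.
std::string UnsafeDccTarget(const std::string& downloadDir, const std::string& dccFileName) {
    return downloadDir + "/" + dccFileName;
}

// Hardened pattern (example policy, not ZNC's): accept a bare file name only.
// Any separator (either flavour, since the remote client picks it), NUL byte,
// "." or ".." means the transfer is refused rather than silently renamed.
bool SafeDccTarget(const std::string& downloadDir, const std::string& dccFileName, std::string& out) {
    if (dccFileName.empty() || dccFileName == "." || dccFileName == "..") return false;
    if (dccFileName.find_first_of("/\\") != std::string::npos) return false;
    if (dccFileName.find('\0') != std::string::npos) return false;
    out = downloadDir + "/" + dccFileName;
    return true;
}

// Defence in depth: lexically resolve "." and ".." in a '/'-separated absolute
// path and check the result still lies below root (root must be absolute,
// normalised, without trailing slash). Backslashes are not separators here,
// which is why SafeDccTarget must reject them itself.
bool StaysWithin(const std::string& root, const std::string& path) {
    std::vector<std::string> parts;
    std::string seg;
    for (std::size_t i = 0; i <= path.size(); ++i) {
        if (i == path.size() || path[i] == '/') {
            if (seg == "..") { if (!parts.empty()) parts.pop_back(); }
            else if (!seg.empty() && seg != ".") parts.push_back(seg);
            seg.clear();
        } else {
            seg += path[i];
        }
    }
    std::string norm;
    for (const std::string& p : parts) norm += "/" + p;
    return norm.size() > root.size() + 1 &&
           norm.compare(0, root.size(), root) == 0 && norm[root.size()] == '/';
}

// Walk constructed DCC SEND payloads through both code paths. Returns the
// number of transfers the hardened path refuses.
int Demo() {
    const std::vector<std::string> ctcps = {           // constructed samples
        "DCC SEND photo.jpg 3232235777 59000 1024",
        "DCC SEND ../../modules/evil.so 3232235777 59000 4096",
        "DCC SEND \"..\\..\\znc.conf\" 3232235777 59000 512",
        "DCC SEND modules/../../evil.so 3232235777 59000 512",
    };
    int refused = 0;
    for (const std::string& ctcp : ctcps) {
        std::string name, target;
        if (!ParseDccSendFileName(ctcp, name)) { ++refused; continue; }
        const std::string unsafe = UnsafeDccTarget(kDownloadDir, name);
        std::cout << "unsafe: " << unsafe
                  << (StaysWithin(kDownloadDir, unsafe) ? "" : "  <-- escapes download dir") << "\n";
        if (SafeDccTarget(kDownloadDir, name, target))
            std::cout << "safe:   " << target << "\n";
        else { std::cout << "safe:   refused '" << name << "'\n"; ++refused; }
    }
    return refused;
}

int main() { return Demo() == 3 ? 0 : 1; }
```

The name-level filter is the actual fix; the lexical containment check exists so that a later change (for instance allowing per-sender subdirectories) cannot quietly reintroduce the traversal. Note that "modules/../../evil.so" looks like it targets a subdirectory but normalises to a path one level above the download directory, which is exactly the case a "does it contain ../ at the start" check would miss.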
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-12 10:05:57 UTC
+*znc-0.074 (12 Aug 2009)
+  12 Aug 2009; Alex Legler <> -znc-0.060.ebuild,
+  -znc-0.070.ebuild, +znc-0.074.ebuild, metadata.xml:
+  Non-maintainer commit: Version bump for security bug 278684. Removing
+  unneded vulnerable versions. Adding local "ares" USE flag for
+  newly-introduced support for c-ares in 0.074.
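Review bot: typo in the ChangeLog text, "unneded" should read "unneeded" (the line "Removing unneded vulnerable versions"); worth fixing before the entry is copied into the GLSA.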
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-12 10:06:30 UTC
Arches, please test and mark stable:
Target keywords : "amd64 x86"
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-13 16:53:27 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2009-08-14 17:51:01 UTC
amd64 stable, all arches done.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-14 18:19:23 UTC
GLSA request filed.
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-09-18 20:02:49 UTC
GLSA 200909-17, thanks everyone.