From ${URL} : Description A vulnerability has been reported in znc, which can be exploited by malicious users to cause a DoS (Denial of Service). The vulnerability is caused due to a NULL pointer dereference error in the "CWebAdminMod::ChanPage()" function (modules/webadmin.cpp), which can be exploited to cause a crash. The vulnerability is reported in version 1.2. Other versions may also be affected. Solution: Fixed in the source cod repository. Further details available to Secunia VIM customers Provided and/or discovered by: Russell Bradford in a bug report. Original Advisory: https://github.com/znc/znc/issues/528 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Fixed in =net-irc/znc-1.2-r1 Please proceed with stabilization.
Arches, please test and mark stable: =net-irc/znc-1.2-r1 Target keywords : "amd64 x86"
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Old ebuilds removed.
Maintainer(s), Thank you for cleanup! GLSA Vote: Yes
YES too, added to existing request.
Marking this as pendingcve just so I don't accidentally send it before it's ready :P
This issue was resolved and addressed in GLSA 201412-31 at http://security.gentoo.org/glsa/glsa-201412-31.xml by GLSA coordinator Sean Amoss (ackle).
CVE-2014-9403 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9403): The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by adding a channel with the same name as an existing channel but without the leading # character, related to a "use-after-delete" error.