Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 688152 (CVE-2019-12816) - <net-irc/znc-1.7.4_rc1: remote code execution by existing non-admin users
Summary: <net-irc/znc-1.7.4_rc1: remote code execution by existing non-admin users
Status: RESOLVED FIXED
Alias: CVE-2019-12816
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://wiki.znc.in/ChangeLog/1.7.4
Whiteboard: B1 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-16 13:52 UTC by Louis Sautier (sbraz)
Modified: 2019-08-15 15:56 UTC (History)
1 user (show)

See Also:
Package list:
net-irc/znc-1.7.4
Runtime testing required: No
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Louis Sautier (sbraz) gentoo-dev 2019-06-16 13:52:45 UTC
I'm currently testing this and will add the ebuild to the tree ASAP.
Comment 1 Larry the Git Cow gentoo-dev 2019-06-16 14:03:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f70923983bf75ea5175942f34d9825a2193dc846

commit f70923983bf75ea5175942f34d9825a2193dc846
Author:     Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2019-06-16 14:01:53 +0000
Commit:     Louis Sautier <sbraz@gentoo.org>
CommitDate: 2019-06-16 14:03:24 +0000

    net-irc/znc: bump 1.7.4_rc1, fixes authenticated RCE CVE-2019-12816
    
    Bug: https://bugs.gentoo.org/688152
    Package-Manager: Portage-2.3.67, Repoman-2.3.14
    Signed-off-by: Louis Sautier <sbraz@gentoo.org>

 net-irc/znc/Manifest             |   1 +
 net-irc/znc/znc-1.7.4_rc1.ebuild | 182 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 183 insertions(+)
Comment 2 Louis Sautier (sbraz) gentoo-dev 2019-06-16 14:27:56 UTC
Arches, can you please stabilize?
Comment 3 Thomas Deutschmann gentoo-dev Security 2019-06-18 18:26:42 UTC
x86 stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-06-20 09:26:35 UTC
amd64 stable
Comment 5 Larry the Git Cow gentoo-dev 2019-06-25 22:05:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5117fe83797d162c186cd4e04385949eb9a55da8

commit 5117fe83797d162c186cd4e04385949eb9a55da8
Author:     Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2019-06-25 21:42:58 +0000
Commit:     Louis Sautier <sbraz@gentoo.org>
CommitDate: 2019-06-25 21:56:24 +0000

    net-irc/znc: bump to 1.7.4
    
    There are no differences compared to rc1 except for the version change:
    https://github.com/znc/znc/compare/znc-1.7.4-rc1...znc-1.7.4
    
    Bug: https://bugs.gentoo.org/688152
    Package-Manager: Portage-2.3.67, Repoman-2.3.14
    Signed-off-by: Louis Sautier <sbraz@gentoo.org>

 net-irc/znc/Manifest                                   | 2 +-
 net-irc/znc/{znc-1.7.4_rc1.ebuild => znc-1.7.4.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 6 Louis Sautier (sbraz) gentoo-dev 2019-06-25 22:09:25 UTC
I've bumped to the final release which is the same except for the the version number. Now we only need arm to mark 1.7.4 as stable.
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2019-07-28 20:18:23 UTC
arm stable
Comment 8 Larry the Git Cow gentoo-dev 2019-07-28 23:05:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1df133a9e287eccda10b2d280a6aaeb28ea0c0b

commit b1df133a9e287eccda10b2d280a6aaeb28ea0c0b
Author:     Louis Sautier <sbraz@gentoo.org>
AuthorDate: 2019-07-28 23:04:46 +0000
Commit:     Louis Sautier <sbraz@gentoo.org>
CommitDate: 2019-07-28 23:05:19 +0000

    net-irc/znc: remove vulnerable version 1.7.3
    
    Bug: https://bugs.gentoo.org/688152
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Louis Sautier <sbraz@gentoo.org>

 net-irc/znc/Manifest         |   1 -
 net-irc/znc/znc-1.7.3.ebuild | 182 -------------------------------------------
 2 files changed, 183 deletions(-)
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2019-08-15 15:56:56 UTC
This issue was resolved and addressed in
 GLSA 201908-15 at https://security.gentoo.org/glsa/201908-15
by GLSA coordinator Aaron Bauman (b-man).