znc: backport CVE fixes to 1.6
authorJonas Gorski <jonas.gorski@gmail.com>
Mon, 1 Apr 2019 09:19:15 +0000 (11:19 +0200)
committerJonas Gorski <jonas.gorski@gmail.com>
Mon, 1 Apr 2019 09:28:30 +0000 (11:28 +0200)
Backport fixes for CVEs CVE-2018-14055 and CVE-2018-14056.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
net/znc/Makefile
net/znc/patches/001-Don-t-let-attackers-inject-rogue-values-into-znc.con.patch [new file with mode: 0644]
net/znc/patches/002-Better-cleanup-lines-coming-from-network.patch [new file with mode: 0644]
net/znc/patches/003-Don-t-let-web-skin-name-.-.-.-.-access-files-outside.patch [new file with mode: 0644]

index 21b9c955953446d4b3b01c4b4e52f323c60a057b..fe95b0e7457744b5b96a2f0ffa101e44e6d04026 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=znc
 PKG_VERSION:=1.6.6
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://znc.in/releases \
diff --git a/net/znc/patches/001-Don-t-let-attackers-inject-rogue-values-into-znc.con.patch b/net/znc/patches/001-Don-t-let-attackers-inject-rogue-values-into-znc.con.patch
new file mode 100644 (file)
index 0000000..dfb5320
--- /dev/null
@@ -0,0 +1,42 @@
+From cd20be68a544e7a9bde941f93710561b9d9327db Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Fri, 13 Jul 2018 23:26:44 +0100
+Subject: [PATCH 1/6] Don't let attackers inject rogue values into znc.conf
+
+Because of this vulnerability, existing ZNC users could get Admin
+permissions.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+---
+ src/Config.cpp | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/src/Config.cpp
++++ b/src/Config.cpp
+@@ -183,9 +183,13 @@ bool CConfig::Parse(CFile& file, CString
+ void CConfig::Write(CFile& File, unsigned int iIndentation) {
+       CString sIndentation = CString(iIndentation, '\t');
++      auto SingleLine = [](const CString& s) {
++              return s.Replace_n("\r", "").Replace_n("\n", "");
++      };
++
+       for (EntryMapIterator it = m_ConfigEntries.begin(); it != m_ConfigEntries.end(); ++it) {
+               for (VCString::const_iterator it2 = it->second.begin(); it2 != it->second.end(); ++it2) {
+-                      File.Write(sIndentation + it->first + " = " + *it2 + "\n");
++                      File.Write(SingleLine(sIndentation + it->first + " = " + *it2) + "\n");
+               }
+       }
+@@ -193,9 +197,9 @@ void CConfig::Write(CFile& File, unsigne
+               for (SubConfig::const_iterator it2 = it->second.begin(); it2 != it->second.end(); ++it2) {
+                       File.Write("\n");
+-                      File.Write(sIndentation + "<" + it->first + " " + it2->first + ">\n");
++                      File.Write(SingleLine(sIndentation + "<" + it->first + " " + it2->first + ">") + "\n");
+                       it2->second.m_pSubConfig->Write(File, iIndentation + 1);
+-                      File.Write(sIndentation + "</" + it->first + ">\n");
++                      File.Write(SingleLine(sIndentation + "</" + it->first + ">") + "\n");
+               }
+       }
+ }
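Review bot: The `SingleLine` lambda added to `CConfig::Write` carries no comment saying why CR and LF are removed, and it removes them silently, so a key or value that held a line break is stored in a different form from the one kept in memory, with nothing logged. A short comment above the lambda would record the intent, for example `// znc.conf is line-based: drop CR/LF so a key or value cannot start a new config line`. Because this filters only at the point of writing, rejecting or logging such values where they are first set (outside this hunk) would make an injection attempt visible instead of quietly neutralised. The embedded patch headers read 1/6 to 3/6 while only three patches are added; the commit message could state whether the remaining three are not needed on 1.6.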
diff --git a/net/znc/patches/002-Better-cleanup-lines-coming-from-network.patch b/net/znc/patches/002-Better-cleanup-lines-coming-from-network.patch
new file mode 100644 (file)
index 0000000..6e5fec0
--- /dev/null
@@ -0,0 +1,35 @@
+From ff15cb3288b96e16c2cf01d511cc082d65272699 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Fri, 13 Jul 2018 22:50:47 +0100
+Subject: [PATCH 2/6] Better cleanup lines coming from network.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+---
+ src/Client.cpp  | 3 ++-
+ src/IRCSock.cpp | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/src/Client.cpp
++++ b/src/Client.cpp
+@@ -97,7 +97,8 @@ void CClient::SendRequiredPasswordNotice
+ void CClient::ReadLine(const CString& sData) {
+       CString sLine = sData;
+-      sLine.TrimRight("\n\r");
++      sLine.Replace("\n", "");
++      sLine.Replace("\r", "");
+       DEBUG("(" << GetFullName() << ") CLI -> ZNC [" << sLine << "]");
+--- a/src/IRCSock.cpp
++++ b/src/IRCSock.cpp
+@@ -132,7 +132,8 @@ void CIRCSock::Quit(const CString& sQuit
+ void CIRCSock::ReadLine(const CString& sData) {
+       CString sLine = sData;
+-      sLine.TrimRight("\n\r");
++      sLine.Replace("\n", "");
++      sLine.Replace("\r", "");
+       DEBUG("(" << m_pNetwork->GetUser()->GetUserName() << "/" << m_pNetwork->GetName() << ") IRC -> ZNC [" << sLine << "]");
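Review bot: Both `ReadLine` changes (src/Client.cpp and src/IRCSock.cpp) delete interior CR/LF with no comment and no trace, so a peer that sent a line containing an embedded line break looks the same in the `DEBUG` output as one that sent a well-formed line. A one-line comment above the two `Replace` calls, such as `// Remove every CR/LF, not only trailing ones, so no line break survives inside sLine`, would explain why `TrimRight` was not sufficient. Where the debug log is used for investigation, noting in that output when interior characters were removed would help; this is a suggestion rather than a defect. The same two lines are duplicated in both files, and both function bodies continue past the end of their hunks.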
diff --git a/net/znc/patches/003-Don-t-let-web-skin-name-.-.-.-.-access-files-outside.patch b/net/znc/patches/003-Don-t-let-web-skin-name-.-.-.-.-access-files-outside.patch
new file mode 100644 (file)
index 0000000..4a5ef65
--- /dev/null
@@ -0,0 +1,32 @@
+From 5be22795dc7bc6362d67467b5e25c53dffba4df9 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Sat, 14 Jul 2018 00:12:28 +0100
+Subject: [PATCH 3/6] Don't let web skin name ../../../../ access files outside
+ of usual skins directories.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+---
+ src/WebModules.cpp | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/src/WebModules.cpp
++++ b/src/WebModules.cpp
+@@ -521,13 +521,15 @@ CWebSock::EPageReqResult CWebSock::Print
+ }
+ CString CWebSock::GetSkinPath(const CString& sSkinName) {
+-      CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkinName;
++      const CString sSkin = sSkinName.Replace_n("/", "_").Replace_n(".", "_");
++
++      CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkin;
+       if (!CFile::IsDir(sRet)) {
+-              sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkinName;
++              sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkin;
+               if (!CFile::IsDir(sRet)) {
+-                      sRet = CString(_SKINDIR_) + "/" + sSkinName;
++                      sRet = CString(_SKINDIR_) + "/" + sSkin;
+               }
+       }
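Review bot: In `GetSkinPath` the new `sSkin` line rewrites only `/` and `.`, a two-character denylist with no comment, and any skin name containing a dot is mapped onto a different directory name without the caller being told. A comment such as `// Flatten path separators and dots so the skin name stays a single directory component` would state the intent. An allowlist of the characters expected in skin names would be the stricter form, if the project knows that set. The function's `return` lies outside the hunk, so whether the resulting path is checked again before use cannot be seen here.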