From b7bcf24a00153f0c99ff2e01fa33876680c6128d Mon Sep 17 00:00:00 2001
From: Jonas Gorski
Date: Mon, 1 Apr 2019 11:19:15 +0200
Subject: [PATCH] znc: backport CVE fixes to 1.6

Backport fixes for CVEs CVE-2018-14055 and CVE-2018-14056.

Signed-off-by: Jonas Gorski
---
 net/znc/Makefile | 2 +-
 ...ers-inject-rogue-values-into-znc.con.patch | 42 +++++++++++++++++++
 ...er-cleanup-lines-coming-from-network.patch | 35 ++++++++++++++++
 ...in-name-.-.-.-.-access-files-outside.patch | 32 ++++++++++++++
 4 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 net/znc/patches/001-Don-t-let-attackers-inject-rogue-values-into-znc.con.patch
 create mode 100644 net/znc/patches/002-Better-cleanup-lines-coming-from-network.patch
 create mode 100644 net/znc/patches/003-Don-t-let-web-skin-name-.-.-.-.-access-files-outside.patch

diff --git a/net/znc/Makefile b/net/znc/Makefile
index 21b9c95595..fe95b0e745 100644
--- a/net/znc/Makefile
+++ b/net/znc/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=znc
 PKG_VERSION:=1.6.6
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://znc.in/releases \
diff --git a/net/znc/patches/001-Don-t-let-attackers-inject-rogue-values-into-znc.con.patch b/net/znc/patches/001-Don-t-let-attackers-inject-rogue-values-into-znc.con.patch
new file mode 100644
index 0000000000..dfb5320fea
--- /dev/null
+++ b/net/znc/patches/001-Don-t-let-attackers-inject-rogue-values-into-znc.con.patch
@@ -0,0 +1,42 @@
+From cd20be68a544e7a9bde941f93710561b9d9327db Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov
+Date: Fri, 13 Jul 2018 23:26:44 +0100
+Subject: [PATCH 1/6] Don't let attackers inject rogue values into znc.conf
+
+Because of this vulnerability, existing ZNC users could get Admin
+permissions.
+
+Thanks for Jeriko One for finding and reporting this.
+---
+ src/Config.cpp | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/src/Config.cpp
++++ b/src/Config.cpp
+@@ -183,9 +183,13 @@ bool CConfig::Parse(CFile& file, CString
+ void CConfig::Write(CFile& File, unsigned int iIndentation) {
+ CString sIndentation = CString(iIndentation, '\t');
+
++ auto SingleLine = [](const CString& s) {
++ return s.Replace_n("\r", "").Replace_n("\n", "");
++ };
++
+ for (EntryMapIterator it = m_ConfigEntries.begin(); it != m_ConfigEntries.end(); ++it) {
+ for (VCString::const_iterator it2 = it->second.begin(); it2 != it->second.end(); ++it2) {
+- File.Write(sIndentation + it->first + " = " + *it2 + "\n");
++ File.Write(SingleLine(sIndentation + it->first + " = " + *it2) + "\n");
+ }
+ }
+
+@@ -193,9 +197,9 @@ void CConfig::Write(CFile& File, unsigne
+ for (SubConfig::const_iterator it2 = it->second.begin(); it2 != it->second.end(); ++it2) {
+ File.Write("\n");
+
+- File.Write(sIndentation + "<" + it->first + " " + it2->first + ">\n");
++ File.Write(SingleLine(sIndentation + "<" + it->first + " " + it2->first + ">") + "\n");
+ it2->second.m_pSubConfig->Write(File, iIndentation + 1);
+- File.Write(sIndentation + "first + ">\n");
++ File.Write(SingleLine(sIndentation + "first + ">") + "\n");
+ }
+ }
+ }
diff --git a/net/znc/patches/002-Better-cleanup-lines-coming-from-network.patch b/net/znc/patches/002-Better-cleanup-lines-coming-from-network.patch
new file mode 100644
index 0000000000..6e5fec0e9c
--- /dev/null
+++ b/net/znc/patches/002-Better-cleanup-lines-coming-from-network.patch
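Review bot: The closing-tag write near the end of the second inner hunk reads `File.Write(SingleLine(sIndentation + "first + ">") + "\n");` as rendered here, which is not a well-formed expression (the `"</" + it->` portion appears to be missing); if that is only a rendering artifact of this page it is harmless, but the committed patch file should be compared against upstream cd20be68a544e7a9bde941f93710561b9d9327db before merge, because a truncated line would either fail to apply or fail to compile. The `SingleLine` lambda is otherwise a sound fix for the stated issue: it removes every `\r` and `\n` from each `key = value` line and from the `<Section name>` line, so a value carrying a line break can no longer become an extra directive when znc.conf is rewritten. It does nothing else to the key, value or section name, so a one-line comment above the lambda would make the intended scope explicit, e.g. `// A line break is the only separator the writer emits; strip CR/LF so one value cannot become two directives.` The SubConfig loop header of CConfig::Write lies between the two inner hunks and is not shown.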
@@ -0,0 +1,35 @@
+From ff15cb3288b96e16c2cf01d511cc082d65272699 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov
+Date: Fri, 13 Jul 2018 22:50:47 +0100
+Subject: [PATCH 2/6] Better cleanup lines coming from network.
+
+Thanks for Jeriko One for finding and reporting this.
+---
+ src/Client.cpp | 3 ++-
+ src/IRCSock.cpp | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/src/Client.cpp
++++ b/src/Client.cpp
+@@ -97,7 +97,8 @@ void CClient::SendRequiredPasswordNotice
+ void CClient::ReadLine(const CString& sData) {
+ CString sLine = sData;
+
+- sLine.TrimRight("\n\r");
++ sLine.Replace("\n", "");
++ sLine.Replace("\r", "");
+
+ DEBUG("(" << GetFullName() << ") CLI -> ZNC [" << sLine << "]");
+
+--- a/src/IRCSock.cpp
++++ b/src/IRCSock.cpp
+@@ -132,7 +132,8 @@ void CIRCSock::Quit(const CString& sQuit
+ void CIRCSock::ReadLine(const CString& sData) {
+ CString sLine = sData;
+
+- sLine.TrimRight("\n\r");
++ sLine.Replace("\n", "");
++ sLine.Replace("\r", "");
+
+ DEBUG("(" << m_pNetwork->GetUser()->GetUserName() << "/" << m_pNetwork->GetName() << ") IRC -> ZNC [" << sLine << "]");
+
diff --git a/net/znc/patches/003-Don-t-let-web-skin-name-.-.-.-.-access-files-outside.patch b/net/znc/patches/003-Don-t-let-web-skin-name-.-.-.-.-access-files-outside.patch
new file mode 100644
index 0000000000..4a5ef650db
--- /dev/null
+++ b/net/znc/patches/003-Don-t-let-web-skin-name-.-.-.-.-access-files-outside.patch
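Review bot: The two `Replace` calls in `CClient::ReadLine` and `CIRCSock::ReadLine` now remove CR and LF anywhere in the received line rather than only at its end, but nothing near the code records why, so a later cleanup could plausibly fold them back into the original `TrimRight("\n\r")`; a one-line comment such as `// Strip CR/LF everywhere, not just trailing: an embedded line break must not be forwarded as a second line.` would protect the fix, and since this file is a verbatim backport that comment belongs in the upstream change rather than in this patch. Because the stripping happens before the `DEBUG` statement, the trace now shows only the sanitised line, so an embedded line break from a peer is no longer visible there; if that matters for triage, logging the number of characters removed would preserve the signal. Both ReadLine bodies continue past the inner hunks shown here.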
@@ -0,0 +1,32 @@
+From 5be22795dc7bc6362d67467b5e25c53dffba4df9 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov
+Date: Sat, 14 Jul 2018 00:12:28 +0100
+Subject: [PATCH 3/6] Don't let web skin name ../../../../ access files outside
+ of usual skins directories.
+
+Thanks for Jeriko One for finding and reporting this.
+---
+ src/WebModules.cpp | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/src/WebModules.cpp
++++ b/src/WebModules.cpp
+@@ -521,13 +521,15 @@ CWebSock::EPageReqResult CWebSock::Print
+ }
+
+ CString CWebSock::GetSkinPath(const CString& sSkinName) {
+- CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkinName;
++ const CString sSkin = sSkinName.Replace_n("/", "_").Replace_n(".", "_");
++
++ CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkin;
+
+ if (!CFile::IsDir(sRet)) {
+- sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkinName;
++ sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkin;
+
+ if (!CFile::IsDir(sRet)) {
+- sRet = CString(_SKINDIR_) + "/" + sSkinName;
++ sRet = CString(_SKINDIR_) + "/" + sSkin;
+ }
+ }
+
-- 
2.30.2
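Review bot: `sSkin` rewrites every `/` and every `.` in the requested skin name to `_` before all three `webskins` lookups, which closes the `../` traversal, but it also changes the lookup for any legitimately named skin that contains a dot — such a skin stops resolving after this backport, and as far as the hunk shows nothing is logged when that happens; `GetSkinPath` continues past the hunk, so its final return is not visible here. That user-visible behaviour change deserves a sentence in the commit message alongside the CVE reference. The commit message also cites two CVEs for three patches taken from a six-patch upstream series (`[PATCH 1/6]` to `[PATCH 3/6]`); stating which patch covers which CVE and why patches 4 through 6 are not needed for 1.6.6 would make the backport auditable, e.g. `CVE-2018-14055: 001, 002; CVE-2018-14056: 003` if that is the intended mapping.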