Control: tags 1075729 + patch Control: tags 1075729 + pending
Dear maintainer, I've prepared an NMU for znc (versioned as 1.9.0-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru znc-1.9.0/debian/changelog znc-1.9.0/debian/changelog
--- znc-1.9.0/debian/changelog 2024-03-04 11:09:56.000000000 +0100
+++ znc-1.9.0/debian/changelog 2024-07-06 21:50:10.000000000 +0200
@@ -1,3 +1,10 @@
+znc (1.9.0-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix RCE vulnerability in modtcl (CVE-2024-39844) (Closes: #1075729)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Sat, 06 Jul 2024 21:50:10 +0200
+
 znc (1.9.0-2) unstable; urgency=medium
 
 * Use argon2 for password hashing.
diff -Nru znc-1.9.0/debian/patches/Fix-RCE-vulnerability-in-modtcl.patch znc-1.9.0/debian/patches/Fix-RCE-vulnerability-in-modtcl.patch
--- znc-1.9.0/debian/patches/Fix-RCE-vulnerability-in-modtcl.patch 1970-01-01 01:00:00.000000000 +0100
+++ znc-1.9.0/debian/patches/Fix-RCE-vulnerability-in-modtcl.patch 2024-07-06 21:50:10.000000000 +0200
@@ -0,0 +1,62 @@
+From: Alexey Sokolov <alexey+...@asokolov.org>
+Date: Mon, 1 Jul 2024 09:59:16 +0100
+Subject: Fix RCE vulnerability in modtcl
+Origin: https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e
+Bug-Debian: https://bugs.debian.org/1075729
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-39844
+
+Remote attacker could execute arbitrary code embedded into the kick
+reason while kicking someone on a channel.
+
+To mitigate this for existing installations, simply unload the modtcl
+module for every user, if it's loaded.
+Note that only users with admin rights can load modtcl at all.
+
+While at it, also escape the channel name.
+
+Discovered by Johannes Kuhn (DasBrain)
+
+Patch by https://github.com/glguy
+
+CVE-2024-39844
+---
+ modules/modtcl.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/modtcl.cpp b/modules/modtcl.cpp
+index df7f92f4d504..365da2e735ca 100644
+--- a/modules/modtcl.cpp
++++ b/modules/modtcl.cpp
+@@ -248,8 +248,9 @@ class CModTcl : public CModule {
+ // chan specific
+ unsigned int nLength = vChans.size();
+ for (unsigned int n = 0; n < nLength; n++) {
++ CString sChannel = TclEscape(CString(vChans[n]->GetName()));
+ sCommand = "Binds::ProcessNick {" + sOldNick + "} {" + sHost +
+- "} - {" + vChans[n]->GetName() + "} {" + sNewNickTmp +
++ "} - {" + sChannel + "} {" + sNewNickTmp +
+ "}";
+ int i = Tcl_Eval(interp, sCommand.c_str());
+ if (i != TCL_OK) {
+@@ -260,14 +261,16 @@ class CModTcl : public CModule {
+
+ void OnKick(const CNick& OpNick, const CString& sKickedNick, CChan& Channel,
+ const CString& sMessage) override {
++ CString sMes = TclEscape(sMessage);
+ CString sOpNick = TclEscape(CString(OpNick.GetNick()));
+ CString sNick = TclEscape(sKickedNick);
+ CString sOpHost =
+ TclEscape(CString(OpNick.GetIdent() + "@" + OpNick.GetHost()));
++ CString sChannel = TclEscape(Channel.GetName());
+
+ CString sCommand = "Binds::ProcessKick {" + sOpNick + "} {" + sOpHost +
+- "} - {" + Channel.GetName() + "} {" + sNick + "} {" +
+- sMessage + "}";
++ "} - {" + sChannel + "} {" + sNick + "} {" +
++ sMes + "}";
+ int i = Tcl_Eval(interp, sCommand.c_str());
+ if (i != TCL_OK) {
+ PutModule(Tcl_GetStringResult(interp));
+--
+2.45.2
+
diff -Nru znc-1.9.0/debian/patches/series znc-1.9.0/debian/patches/series
--- znc-1.9.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ znc-1.9.0/debian/patches/series 2024-07-06 21:50:10.000000000 +0200
@@ -0,0 +1 @@
+Fix-RCE-vulnerability-in-modtcl.patch
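Review bot: Both handlers in the modtcl.cpp hunks still build the Tcl command by string concatenation and hand it to `Tcl_Eval`, so the fix holds only as long as every interpolated value goes through `TclEscape`. In the `OnNick` hunk only `sChannel` is visibly escaped; `sOldNick`, `sHost` and `sNewNickTmp` are prepared above the hunk and cannot be checked from here, and the same applies to any other event handler in the file that is not part of this patch. I would add a comment above each command build, e.g. `// Every value placed between {} must pass through TclEscape(): text from IRC is otherwise parsed as Tcl.`, and confirm those three values before upload. A longer-term option, outside the scope of an NMU, is to pass the arguments as a Tcl object vector via `Tcl_EvalObjv` so that no argument is re-parsed as script. Both function bodies start or continue outside the hunks.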