Your message dated Sat, 11 Apr 2009 16:47:48 +0000
with message-id <e1lsgmu-0001zh...@ries.debian.org>
and subject line Bug#516950: fixed in znc 0.058-2+lenny1
has caused the Debian Bug report #516950,
regarding znc < 0.066 privilege escalation when using webadmin
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
516950: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516950
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: znc
Version: 0.045-3+etch1
Tags: Security
Severity: critical

All ZNC versions which have webadmin contain a privilege escalation bug in
webadmin. This bug was fixed with znc 0.066.

A quote from the changelog[1]:

Webadmin doesn't properly validate user input. If you send a manipulated POST
request to webadmin's edit user page which includes newlines in e.g. the
QuitMessage field, this field will be written unmodified to the config. This way
you can add new lines to znc.conf. The new lines will not be parsed until the
next rehash or restart.
This can be done with nearly all input fields in webadmin. Because every user
can modify himself via webadmin, every user can exploit this bug.

[1] http://en.znc.in/wiki/ChangeLog/0.066
- --
"Do you know that books smell like nutmeg or some spice from a foreign land?"
                                                  -- Faber in Fahrenheit 451
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmkLHQACgkQABixOSrV998/+gCePRf5EmG7t1+lztdsr+tE3m+3
jJsAoJwhjz7YdyvoLGjRyRSfCdNSClSh
=Hoee
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: znc
Source-Version: 0.058-2+lenny1

We believe that the bug you reported is fixed in the latest version of
znc, which is due to be installed in the Debian FTP archive:

znc_0.058-2+lenny1.diff.gz
  to pool/main/z/znc/znc_0.058-2+lenny1.diff.gz
znc_0.058-2+lenny1.dsc
  to pool/main/z/znc/znc_0.058-2+lenny1.dsc
znc_0.058-2+lenny1_amd64.deb
  to pool/main/z/znc/znc_0.058-2+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 516...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <patrick.matth...@web.de> (supplier of updated znc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed,  4 Mar 2009 11:55:21 +0200
Source: znc
Binary: znc
Architecture: source amd64
Version: 0.058-2+lenny1
Distribution: stable-security
Urgency: low
Maintainer: Patrick Matthäi <patrick.matth...@web.de>
Changed-By: Patrick Matthäi <patrick.matth...@web.de>
Description: 
 znc        - advanced modular IRC bouncer
Closes: 516950
Changes: 
 znc (0.058-2+lenny1) stable-security; urgency=low
 .
   * Add 02-webmin-priv-escalation.dpatch which properly handles newlines in
     CHTTPSock::GetParam() and strips them out. This patch fixes an important
     privilege escalation.
     Closes: #516950
Checksums-Sha1: 
 d597305b023c8c62c19625444d8244b3ed0cab14 1332 znc_0.058-2+lenny1.dsc
 1f20fa91db80b3ac870e3cc4e77b9e66c9113f49 340741 znc_0.058.orig.tar.gz
 ea2c81d35ca48c3fb1b783761589906d33b52299 8253 znc_0.058-2+lenny1.diff.gz
 93cc4723bf02740ebdff79b8863f2b5de4500782 1028438 znc_0.058-2+lenny1_amd64.deb
Checksums-Sha256: 
 78ce1b631c7f7b03a1b4b7fbb7835cec37ff89235532b97cc8cc0a61d76716eb 1332 znc_0.058-2+lenny1.dsc
 f25a13e28f40546bf15c50f5a45e81206b8667329540af0a0d427afbef450714 340741 znc_0.058.orig.tar.gz
 b7b808eccdb679cda8ed02823199ca3fa7fd0a0760b2bc1f2a460d751379c0cb 8253 znc_0.058-2+lenny1.diff.gz
 c5b160d2b43d6e3eb4546bf4a5a6ed69656a3165bfc689829b15d4619c3147c1 1028438 znc_0.058-2+lenny1_amd64.deb
Files: 
 c657b80b61750fc072ce257c1d682b21 1332 net optional znc_0.058-2+lenny1.dsc
 c02fd740c55d5b3a7912f7584344103e 340741 net optional znc_0.058.orig.tar.gz
 04053487dbf0b49da04ded749d1c384e 8253 net optional znc_0.058-2+lenny1.diff.gz
 f2058b3d07a9233cef8f9ca0dfec6673 1028438 net optional znc_0.058-2+lenny1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJJtCbAAAoJEL97/wQC1SS+8H0IAKwtGwr/gMLmtXHRcezeeY7C
1Wy2YQqEVnkLXolI86Mp/5w5MOhtdqN5nSWobgQwimfohV5FXaKsPvxiWI7A1FdH
t4BWO8+Xx8hG3zZYeHX2fsgHubT+5U5n7xX5Q5REFosbfNjNZBrS5J/9Aupk+TIm
3MC8rs2nkrRN1tZkkexr3i4eZJPZy+o1T6hO2TaHqe7/WIdl+es8sQGHTFAPm20O
UG9LG4BLkFHNhZGkcP1yN4BzX0FAP5wvOHEz5K9cXdqXwoOZczA1HyaLu56JtDQV
qdOZ44xlQVjneb57PDybpvm6FyONlq4xtdnIds/t7pAh+mgszR2pF03S+i+cnfw=
=LNB3
-----END PGP SIGNATURE-----



--- End Message ---
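The two messages above describe the same defect from both ends: the bug report explains that a webadmin field value containing a newline is written unmodified into the line-oriented znc.conf, so one submitted field can turn into several config lines, and the changelog entry says the fix strips newlines in CHTTPSock::GetParam(). The following is an added illustration written for this page, not ZNC's own code: GetParamUnpatched, GetParamPatched, SerializeField, ParseConfig and EntriesFromField are hypothetical stand-ins, the config format is a simplified "Key = Value" model, and the sample value is constructed. It shows why a single unsanitised field yields two parsed entries and why stripping CR/LF before serialisation restores the one-field, one-line invariant.

```cpp
// Added example, not ZNC code: model of a newline-injection into a
// line-oriented config file and of the fix (strip CR/LF from the parameter).
#include <iostream>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the unpatched parameter getter: the submitted
// value is returned exactly as received, line breaks included.
std::string GetParamUnpatched(const std::string& raw) { return raw; }

// Hypothetical stand-in for the patched behaviour described in the changelog:
// every '\r' and '\n' is removed, so the value can never span a second line.
std::string GetParamPatched(const std::string& raw) {
    std::string out;
    out.reserve(raw.size());
    for (char c : raw) {
        if (c != '\r' && c != '\n') out.push_back(c);
    }
    return out;
}

// Write one field as a single "Key = Value" line (simplified config model).
std::string SerializeField(const std::string& key, const std::string& value) {
    return key + " = " + value + "\n";
}

// Toy line-oriented parser: one "Key = Value" entry per line.
std::vector<std::pair<std::string, std::string>> ParseConfig(const std::string& cfg) {
    std::vector<std::pair<std::string, std::string>> entries;
    std::istringstream in(cfg);
    std::string line;
    while (std::getline(in, line)) {
        const auto pos = line.find(" = ");
        if (pos == std::string::npos) continue;
        entries.emplace_back(line.substr(0, pos), line.substr(pos + 3));
    }
    return entries;
}

// How many config entries does one submitted field value produce once it
// is written out and read back?  A correctly sanitised value gives exactly 1;
// anything larger means the field escaped its line.
size_t EntriesFromField(const std::string& submitted, bool patched) {
    const std::string value =
        patched ? GetParamPatched(submitted) : GetParamUnpatched(submitted);
    return ParseConfig(SerializeField("QuitMessage", value)).size();
}

int main() {
    // Constructed sample: a quit message with an embedded line break
    // followed by text shaped like a second config line.
    const std::string submitted = "bye for now\nExampleKey = injected";
    std::cout << "unpatched entries: " << EntriesFromField(submitted, false) << "\n";
    std::cout << "patched entries:   " << EntriesFromField(submitted, true) << "\n";
    return 0;
}
```

The check a maintainer would want is the one EntriesFromField performs: round-trip every field through the serializer and parser and assert that the count of entries equals the count of fields. Stripping at the parameter-getter level, as the Debian patch does, is the right layer because every webadmin form field passes through it, which is why the changelog note that "nearly all input fields" were affected is covered by a single fix.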
