znc: backport CVE fixes to 1.6

Backport fixes for CVEs CVE-2018-14055 and CVE-2018-14056. Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2019-04-01 11:19:15 +02:00 · 2019-04-01 11:19:15 +02:00 · b7bcf24a00
commit b7bcf24a00
parent f91539e92f
4 changed files with 110 additions and 1 deletions
--- a/net/znc/Makefile
+++ b/net/znc/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=znc
 PKG_VERSION:=1.6.6
-PKG_RELEASE:=1
+PKG_RELEASE:=2

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://znc.in/releases \
--- a/net/znc/patches/001-Don-t-let-attackers-inject-rogue-values-into-znc.con.patch
+++ b/net/znc/patches/001-Don-t-let-attackers-inject-rogue-values-into-znc.con.patch
@ -0,0 +1,42 @@
+From cd20be68a544e7a9bde941f93710561b9d9327db Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Fri, 13 Jul 2018 23:26:44 +0100
+Subject: [PATCH 1/6] Don't let attackers inject rogue values into znc.conf
+
+Because of this vulnerability, existing ZNC users could get Admin
+permissions.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+---
+ src/Config.cpp | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/src/Config.cpp
+++ b/src/Config.cpp
+@@ -183,9 +183,13 @@ bool CConfig::Parse(CFile& file, CString
+ void CConfig::Write(CFile& File, unsigned int iIndentation) {
+ 	CString sIndentation = CString(iIndentation, '\t');
+ 
+	auto SingleLine = [](const CString& s) {
+		return s.Replace_n("\r", "").Replace_n("\n", "");
+	};
+
+ 	for (EntryMapIterator it = m_ConfigEntries.begin(); it != m_ConfigEntries.end(); ++it) {
+ 		for (VCString::const_iterator it2 = it->second.begin(); it2 != it->second.end(); ++it2) {
+-			File.Write(sIndentation + it->first + " = " + *it2 + "\n");
+			File.Write(SingleLine(sIndentation + it->first + " = " + *it2) + "\n");
+ 		}
+ 	}
+ 
+@@ -193,9 +197,9 @@ void CConfig::Write(CFile& File, unsigne
+ 		for (SubConfig::const_iterator it2 = it->second.begin(); it2 != it->second.end(); ++it2) {
+ 			File.Write("\n");
+ 
+-			File.Write(sIndentation + "<" + it->first + " " + it2->first + ">\n");
+			File.Write(SingleLine(sIndentation + "<" + it->first + " " + it2->first + ">") + "\n");
+ 			it2->second.m_pSubConfig->Write(File, iIndentation + 1);
+-			File.Write(sIndentation + "</" + it->first + ">\n");
+			File.Write(SingleLine(sIndentation + "</" + it->first + ">") + "\n");
+ 		}
+ 	}
+ }
--- a/net/znc/patches/002-Better-cleanup-lines-coming-from-network.patch
+++ b/net/znc/patches/002-Better-cleanup-lines-coming-from-network.patch
@ -0,0 +1,35 @@
+From ff15cb3288b96e16c2cf01d511cc082d65272699 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Fri, 13 Jul 2018 22:50:47 +0100
+Subject: [PATCH 2/6] Better cleanup lines coming from network.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+---
+ src/Client.cpp  | 3 ++-
+ src/IRCSock.cpp | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/src/Client.cpp
+++ b/src/Client.cpp
+@@ -97,7 +97,8 @@ void CClient::SendRequiredPasswordNotice
+ void CClient::ReadLine(const CString& sData) {
+ 	CString sLine = sData;
+ 
+-	sLine.TrimRight("\n\r");
+	sLine.Replace("\n", "");
+	sLine.Replace("\r", "");
+ 
+ 	DEBUG("(" << GetFullName() << ") CLI -> ZNC [" << sLine << "]");
+ 
+--- a/src/IRCSock.cpp
+++ b/src/IRCSock.cpp
+@@ -132,7 +132,8 @@ void CIRCSock::Quit(const CString& sQuit
+ void CIRCSock::ReadLine(const CString& sData) {
+ 	CString sLine = sData;
+ 
+-	sLine.TrimRight("\n\r");
+	sLine.Replace("\n", "");
+	sLine.Replace("\r", "");
+ 
+ 	DEBUG("(" << m_pNetwork->GetUser()->GetUserName() << "/" << m_pNetwork->GetName() << ") IRC -> ZNC [" << sLine << "]");
+ 
--- a/net/znc/patches/003-Don-t-let-web-skin-name-.-.-.-.-access-files-outside.patch
+++ b/net/znc/patches/003-Don-t-let-web-skin-name-.-.-.-.-access-files-outside.patch
@ -0,0 +1,32 @@
+From 5be22795dc7bc6362d67467b5e25c53dffba4df9 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Sat, 14 Jul 2018 00:12:28 +0100
+Subject: [PATCH 3/6] Don't let web skin name ../../../../ access files outside
+ of usual skins directories.
+
+Thanks for Jeriko One <jeriko.one@gmx.us> for finding and reporting this.
+---
+ src/WebModules.cpp | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/src/WebModules.cpp
+++ b/src/WebModules.cpp
+@@ -521,13 +521,15 @@ CWebSock::EPageReqResult CWebSock::Print
+ }
+ 
+ CString CWebSock::GetSkinPath(const CString& sSkinName) {
+-	CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkinName;
+	const CString sSkin = sSkinName.Replace_n("/", "_").Replace_n(".", "_");
+
+	CString sRet = CZNC::Get().GetZNCPath() + "/webskins/" + sSkin;
+ 
+ 	if (!CFile::IsDir(sRet)) {
+-		sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkinName;
+		sRet = CZNC::Get().GetCurPath() + "/webskins/" + sSkin;
+ 
+ 		if (!CFile::IsDir(sRet)) {
+-			sRet = CString(_SKINDIR_) + "/" + sSkinName;
+			sRet = CString(_SKINDIR_) + "/" + sSkin;
+ 		}
+ 	}
+