znc: CVE-2018-14055: privilege escalation to admin permission (injection of rogue values in znc.conf)

Related Vulnerabilities: CVE-2018-14055   CVE-2018-14056  

Debian Bug report logs - #903787

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 14 Jul 2018 20:03:01 UTC

Severity: grave

Tags: patch, security, upstream

Found in version znc/1.6.5-1

Fixed in versions znc/1.7.1-1, znc/1.6.5-1+deb9u1

Done: Patrick Matthäi <pmatthaei@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#903787; Package src:znc. (Sat, 14 Jul 2018 20:03:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Sat, 14 Jul 2018 20:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: znc: privilege escalation to admin permission (injection of rogue values in znc.conf)
Date: Sat, 14 Jul 2018 22:01:02 +0200
Source: znc
Version: 1.6.5-1
Severity: grave
Tags: patch security upstream
Justification: user security hole

Hi

See

https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e
https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d

which would allow privilege escalation by a remote non-admin user.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#903787; Package src:znc. (Sun, 15 Jul 2018 06:21:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Patrick Matthäi <pmatthaei@debian.org>. (Sun, 15 Jul 2018 06:21:03 GMT)


Message #10 received at 903787@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 903787@bugs.debian.org
Subject: Re: Bug#903787: znc: privilege escalation to admin permission (injection of rogue values in znc.conf)
Date: Sun, 15 Jul 2018 08:18:09 +0200
Control: retitle -1 znc: CVE-2018-14055: privilege escalation to admin permission (injection of rogue values in znc.conf)

On Sat, Jul 14, 2018 at 10:01:02PM +0200, Salvatore Bonaccorso wrote:
> Source: znc
> Version: 1.6.5-1
> Severity: grave
> Tags: patch security upstream
> Justification: user security hole
> 
> Hi
> 
> See
> 
> https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e
> https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d
> 
> which would allow privilege escalation by a remote non-admin user.

This issue has been assigned CVE-2018-14055.

Regards,
Salvatore



Changed Bug title to 'znc: CVE-2018-14055: privilege escalation to admin permission (injection of rogue values in znc.conf)' from 'znc: privilege escalation to admin permission (injection of rogue values in znc.conf)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 903787-submit@bugs.debian.org. (Sun, 15 Jul 2018 06:21:03 GMT)


Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Wed, 18 Jul 2018 11:21:29 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 18 Jul 2018 11:21:29 GMT)


Message #17 received at 903787-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 903787-close@bugs.debian.org
Subject: Bug#903787: fixed in znc 1.7.1-1
Date: Wed, 18 Jul 2018 11:19:52 +0000
Source: znc
Source-Version: 1.7.1-1

We believe that the bug you reported is fixed in the latest version of
znc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903787@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated znc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 18 Jul 2018 10:01:05 +0200
Source: znc
Binary: znc znc-dev znc-perl znc-python znc-tcl
Architecture: source amd64
Version: 1.7.1-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 znc        - advanced modular IRC bouncer
 znc-dev    - advanced modular IRC bouncer (development headers)
 znc-perl   - advanced modular IRC bouncer (Perl extension)
 znc-python - advanced modular IRC bouncer (Python extension)
 znc-tcl    - advanced modular IRC bouncer (Tcl extension)
Closes: 898364 903787 903788
Changes:
 znc (1.7.1-1) unstable; urgency=high
 .
   * New upstream release.
     - Fixes privilege escalation by injecting rogue values in znc.conf as
       described in CVE-2018-14055.
       Closes: #903787
     - Fixes path traversal as described in CVE-2018-14056.
       Closes: #903788
   * Bump Standards-Version to 4.1.5.
   * Merge 1.6.5-1+deb9u1 changelog.
   * Apply patch from Unit193 to enable tests at build time.
     Closes: #898364
   * Adjust lintian overrides.
   * Move pkgconfig znc.pc file to multiarch directory.




Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Thu, 19 Jul 2018 19:21:21 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 19 Jul 2018 19:21:22 GMT)


Message #22 received at 903787-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 903787-close@bugs.debian.org
Subject: Bug#903787: fixed in znc 1.6.5-1+deb9u1
Date: Thu, 19 Jul 2018 19:17:42 +0000
Source: znc
Source-Version: 1.6.5-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
znc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 903787@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated znc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 17 Jul 2018 09:34:40 +0200
Source: znc
Binary: znc znc-dbg znc-dev znc-perl znc-python znc-tcl
Architecture: source amd64
Version: 1.6.5-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 znc        - advanced modular IRC bouncer
 znc-dbg    - advanced modular IRC bouncer (debugging symbols)
 znc-dev    - advanced modular IRC bouncer (development headers)
 znc-perl   - advanced modular IRC bouncer (Perl extension)
 znc-python - advanced modular IRC bouncer (Python extension)
 znc-tcl    - advanced modular IRC bouncer (Tcl extension)
Closes: 903787 903788
Changes:
 znc (1.6.5-1+deb9u1) stretch-security; urgency=high
 .
   * Add patch 01-CVE-2018-14056 to fix a path traversal flaw as described in
     CVE-2018-14056.
     Closes: #903788
   * Add patch 02-CVE-2018-14055 to fix a privilege escalation by injecting
     rogue values in znc.conf as described in CVE-2018-14055.
     Closes: #903787




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Nov 2018 07:34:59 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:38:34 2019; Machine Name: beach
