Debian Bug report logs - #925285
znc: CVE-2019-9917: crash on invalid encoding
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 22 Mar 2019 13:18:02 UTC
Severity: important
Tags: security, upstream
Found in versions znc/1.7.2-1, znc/1.6.5-1+deb9u1
Fixed in version znc/1.7.2-2
Done: Patrick Matthäi <pmatthaei@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>: Bug#925285; Package src:znc. (Fri, 22 Mar 2019 13:18:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Fri, 22 Mar 2019 13:18:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: znc
Version: 1.7.2-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for znc.
CVE-2019-9917[0]:
crash on invalid encoding
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-9917
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9917
[1] https://github.com/znc/znc/commit/64613bc8b6b4adf1e32231f9844d99cd512b8973
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent to Patrick Matthäi <pmatthaei@debian.org>: You have taken responsibility. (Tue, 26 Mar 2019 12:24:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 26 Mar 2019 12:24:04 GMT)
Message #10 received at 925285-close@bugs.debian.org:
Source: znc
Source-Version: 1.7.2-2
We believe that the bug you reported is fixed in the latest version of
znc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 925285@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated znc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 26 Mar 2019 12:46:42 +0100
Source: znc
Binary: znc znc-dbgsym znc-dev znc-perl znc-perl-dbgsym znc-python znc-python-dbgsym znc-tcl znc-tcl-dbgsym
Architecture: source amd64
Version: 1.7.2-2
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
znc - advanced modular IRC bouncer
znc-dev - advanced modular IRC bouncer (development headers)
znc-perl - advanced modular IRC bouncer (Perl extension)
znc-python - advanced modular IRC bouncer (Python extension)
znc-tcl - advanced modular IRC bouncer (Tcl extension)
Closes: 925285
Changes:
znc (1.7.2-2) unstable; urgency=high
.
* Add upstream patch 01-CVE-2019-9917 to fix a crash on invalid encoding,
which fixes CVE-2019-9917.
Closes: #925285
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, konomikitten@gmail.com, Patrick Matthäi <pmatthaei@debian.org>: Bug#925285; Package src:znc. (Mon, 22 Apr 2019 10:27:03 GMT)
Acknowledgement sent to Konomi Kitten <konomikitten@gmail.com>: Extra info received and forwarded to list. Copy sent to konomikitten@gmail.com, Patrick Matthäi <pmatthaei@debian.org>. (Mon, 22 Apr 2019 10:27:03 GMT)
Message #15 received at 925285@bugs.debian.org:
Source: znc
Version: 1.6.5-1+deb9u1
Followup-For: Bug #925285
Hi,
The stable version of znc (1.6.5-1+deb9u1) is still vulnerable to this attack.
Please patch it also.
-- System Information:
Debian Release: 9.8
APT prefers stable-updates
APT policy: (650, 'stable-updates'), (650, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-0.bpo.4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 21 May 2019 07:27:37 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:10:42 2019; Machine Name: buxtehude