Bug 513152

Summary: ZNC: Users data directory traversal flaw via Direct Client Connection message
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: nb, reed
Keywords: Security
Hardware: All
OS: Linux
URL: http://en.znc.in/wiki/ChangeLog/0.072
Doc Type: Bug Fix
Last Closed: 2009-07-23 23:07:19 UTC

Description Jan Lieskovsky 2009-07-22 09:22:35 UTC
A users data directory traversal flaw was found in the way ZNC used
to handle file upload requests via Direct Client Connection (DCC) /dcc SEND
messages. A remote, valid ZNC (IRC) user could issue a /dcc SEND message
with specially-crafted content (the file to upload), which, once accepted
by a local, unsuspecting ZNC (IRC) user, would overwrite relevant files
in the users/<user>/downloads data directory.

References:
----------
http://en.znc.in/wiki/ZNC
http://en.znc.in/wiki/ChangeLog/0.072
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537977

Upstream patch:
---------------
http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570

DCC protocol details:
--------------------
http://www.mircscripts.org/showdoc.php?type=tutorial&id=2355

Workaround:
-----------

Until the flaw is fixed, all Fedora users utilizing the services of the
ZNC IRC bouncer are strongly recommended NOT to accept /dcc
SEND messages from remote, untrusted IRC users.
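Added example (not ZNC's code and not the upstream revision 1570 patch): a parser for the DCC SEND offer, the flawed path join the report describes, and a hardened variant that refuses any filename carrying a path component. It assumes the unquoted CTCP form "DCC SEND <filename> <ip> <port> <size>" and uses constructed sample values; the strict filename check is one reasonable mitigation, not necessarily the one upstream chose.

```cpp
#include <string>
#include <sstream>

// Parsed fields of a DCC SEND offer. Assumes the unquoted CTCP form
// "DCC SEND <filename> <ip> <port> <size>" (filenames without spaces).
struct DccSend {
    std::string file, ip, port, size;
    bool ok = false;
};

// Strip the 0x01 CTCP delimiters and split the offer into its fields.
DccSend parseDccSend(const std::string& ctcp) {
    DccSend d;
    std::string s = ctcp;
    if (!s.empty() && s.front() == '\001') s.erase(0, 1);
    if (!s.empty() && s.back() == '\001') s.pop_back();
    std::istringstream in(s);
    std::string dcc, send;
    in >> dcc >> send >> d.file >> d.ip >> d.port >> d.size;
    d.ok = (dcc == "DCC" && send == "SEND" && !d.file.empty() && !d.size.empty());
    return d;
}

// The flawed pattern described in the report: the remote user's filename is
// joined onto the downloads directory unchanged, so a name containing "../"
// resolves to a path outside users/<user>/downloads.
std::string unsafeDownloadPath(const std::string& downloadsDir, const std::string& file) {
    return downloadsDir + "/" + file;
}

// Hardened variant (assumed mitigation): accept only a bare filename. Any
// path separator, the special names "." and "..", an empty name or an
// embedded NUL is rejected, so the result is always a direct child of
// downloadsDir.
bool safeDownloadPath(const std::string& downloadsDir, const std::string& file, std::string& out) {
    if (file.empty() || file == "." || file == "..") return false;
    if (file.find_first_of("/\\") != std::string::npos) return false;
    if (file.find('\0') != std::string::npos) return false;
    out = downloadsDir + "/" + file;
    return true;
}

// Returns true and sets `out` only when the offer parses and its filename is safe.
bool acceptDccSend(const std::string& ctcp, const std::string& downloadsDir, std::string& out) {
    DccSend d = parseDccSend(ctcp);
    return d.ok && safeDownloadPath(downloadsDir, d.file, out);
}
```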

Comment 1 Jan Lieskovsky 2009-07-22 09:25:53 UTC
A CVE identifier for this vulnerability has been requested here:

  http://www.openwall.com/lists/oss-security/2009/07/21/5

Note: Please ensure the particular CVE identifier is mentioned in ZNC's
      rpm changelog when scheduling Fedora updates.

Comment 2 Jan Lieskovsky 2009-07-22 09:26:35 UTC
This issue affects the versions of the ZNC package as shipped with
Fedora releases 10, 11, and 12.

Please fix.

Comment 3 Fedora Update System 2009-07-23 01:29:06 UTC
znc-0.072-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/znc-0.072-1.fc11

Comment 4 Fedora Update System 2009-07-23 01:30:06 UTC
znc-0.072-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/znc-0.072-1.fc10

Comment 5 Fedora Update System 2009-07-23 01:30:52 UTC
znc-0.072-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/znc-0.072-1.el5

Comment 6 Fedora Update System 2009-07-23 02:06:54 UTC
znc-0.072-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/znc-0.072-2.el5

Comment 7 Fedora Update System 2009-07-23 02:07:45 UTC
znc-0.072-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/znc-0.072-2.fc10

Comment 8 Fedora Update System 2009-07-23 02:09:38 UTC
znc-0.072-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/znc-0.072-2.fc11

Comment 9 Fedora Update System 2009-07-23 03:15:45 UTC
znc-0.072-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/znc-0.072-3.fc11

Comment 10 Fedora Update System 2009-07-23 03:15:51 UTC
znc-0.072-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/znc-0.072-3.fc10

Comment 11 Fedora Update System 2009-07-23 03:15:55 UTC
znc-0.072-3.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/znc-0.072-3.el5

Comment 12 Fedora Update System 2009-07-23 19:02:03 UTC
znc-0.072-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-07-23 19:06:45 UTC
znc-0.072-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Reed Loden 2009-07-23 20:27:14 UTC
By ICQ, you mean IRC, right? Two completely different protocols. ;)

Comment 15 Fedora Update System 2009-07-23 20:57:33 UTC
znc-0.072-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Jan Lieskovsky 2009-07-23 22:53:29 UTC
Thanks for the catch Reed, fixed.

Comment 17 Nick Bebout 2009-07-23 23:07:19 UTC
Updated to 0.072-3, which is 0.072 of ZNC plus a patch to fix the webadmin skins issue which was introduced in 0.072.

The updates to rawhide and F-10, F-11, and EL-5 have been pushed to stable.

-> CLOSED ERRATA
(I think that's the appropriate resolution)

Comment 18 Nick Bebout 2009-07-23 23:13:35 UTC
Apparently I was supposed to put CLOSED NEXTRELEASE

Comment 19 Reed Loden 2009-08-05 17:48:28 UTC
(In reply to comment #1)
> A CVE identifier for this vulnerability has been requested here:
> 
>   http://www.openwall.com/lists/oss-security/2009/07/21/5
> 
> Note: Please ensure the particular CVE identifier is mentioned in ZNC's
>       rpm changelog when scheduling Fedora updates.

This finally got assigned CVE-2009-2658.