Bug 513152 - ZNC: Users data directory traversal flaw via Direct Client Connection message
Summary: ZNC: Users data directory traversal flaw via Direct Client Connection message
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://en.znc.in/wiki/ChangeLog/0.072
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-22 09:22 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:31 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-23 23:07:19 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2009-07-22 09:22:35 UTC
An users data directory traversal flaw was found in the way ZNC used
to handle file upload requests via Direct Client Connection (DCC) /dcc SEND
messages. A remote, valid ZNC (IRC) user could issue a /dcc SEND message
with a specially-crafted content (file to upload), which once accepted
by a local, unsuspecting ZNC (IRC) user, would overwrite relevant files
in the users/<user>/downloads data directory.

References:
----------
http://en.znc.in/wiki/ZNC
http://en.znc.in/wiki/ChangeLog/0.072
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537977

Upstream patch:
---------------
http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570

DCC protocol details:
--------------------
http://www.mircscripts.org/showdoc.php?type=tutorial&id=2355

Workaround:
-----------

Till the flaw is fixed, all Fedora users utilizing services of 
ZNC IRC bouncer are strongly recommended NOT to accept /dcc 
SEND messages from remote, untrusted IRC users.

Comment 1 Jan Lieskovsky 2009-07-22 09:25:53 UTC
CVE identifier for this vulnerability has been requested here:

  http://www.openwall.com/lists/oss-security/2009/07/21/5

Note: Please ensure to mention particular CVE identifier in the ZNC's
      rpm Changelog, when scheduling Fedora updates.

Comment 2 Jan Lieskovsky 2009-07-22 09:26:35 UTC
This issue affects the versions of the ZNC package, as shipped with
Fedora releases of 10, 11, and 12. 

Please fix.

Comment 3 Fedora Update System 2009-07-23 01:29:06 UTC
znc-0.072-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/znc-0.072-1.fc11

Comment 4 Fedora Update System 2009-07-23 01:30:06 UTC
znc-0.072-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/znc-0.072-1.fc10

Comment 5 Fedora Update System 2009-07-23 01:30:52 UTC
znc-0.072-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/znc-0.072-1.el5

Comment 6 Fedora Update System 2009-07-23 02:06:54 UTC
znc-0.072-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/znc-0.072-2.el5

Comment 7 Fedora Update System 2009-07-23 02:07:45 UTC
znc-0.072-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/znc-0.072-2.fc10

Comment 8 Fedora Update System 2009-07-23 02:09:38 UTC
znc-0.072-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/znc-0.072-2.fc11

Comment 9 Fedora Update System 2009-07-23 03:15:45 UTC
znc-0.072-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/znc-0.072-3.fc11

Comment 10 Fedora Update System 2009-07-23 03:15:51 UTC
znc-0.072-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/znc-0.072-3.fc10

Comment 11 Fedora Update System 2009-07-23 03:15:55 UTC
znc-0.072-3.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/znc-0.072-3.el5

Comment 12 Fedora Update System 2009-07-23 19:02:03 UTC
znc-0.072-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-07-23 19:06:45 UTC
znc-0.072-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Reed Loden 2009-07-23 20:27:14 UTC
By ICQ, you mean IRC, right? Two completely different protocols. ;)

Comment 15 Fedora Update System 2009-07-23 20:57:33 UTC
znc-0.072-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Jan Lieskovsky 2009-07-23 22:53:29 UTC
Thanks for the catch Reed, fixed.

Comment 17 Nick Bebout 2009-07-23 23:07:19 UTC
Updated to 0.072-3, which is 0.072 of ZNC plus a patch to fix the webadmin skins issue which was introduced in 0.072.

The updates to rawhide and F-10, F-11, and EL-5 have been pushed to stable.

-> CLOSED ERRATA
(I think that's the appropriate resolution)

Comment 18 Nick Bebout 2009-07-23 23:13:35 UTC
Apparently I was supposed to put CLOSED NEXTRELEASE

Comment 19 Reed Loden 2009-08-05 17:48:28 UTC
(In reply to comment #1)
> CVE identifier for this vulnerability has been requested here:
> 
>   http://www.openwall.com/lists/oss-security/2009/07/21/5
> 
> Note: Please ensure to mention particular CVE identifier in the ZNC's
>       rpm Changelog, when scheduling Fedora updates.  

This finally got assigned CVE-2009-2658.


Note You need to log in before you can comment on or make changes to this bug.