A user data directory traversal flaw was found in the way ZNC used to handle file upload requests via Direct Client Connection (DCC) /dcc SEND messages. A remote, valid ZNC (IRC) user could issue a /dcc SEND message with specially-crafted content (file to upload), which, once accepted by a local, unsuspecting ZNC (IRC) user, would overwrite relevant files in the users/<user>/downloads data directory.

References:
----------
http://en.znc.in/wiki/ZNC
http://en.znc.in/wiki/ChangeLog/0.072
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537977

Upstream patch:
---------------
http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570

DCC protocol details:
--------------------
http://www.mircscripts.org/showdoc.php?type=tutorial&id=2355

Workaround:
-----------
Till the flaw is fixed, all Fedora users utilizing services of ZNC IRC bouncer are strongly recommended NOT to accept /dcc SEND messages from remote, untrusted IRC users.
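Added example, not part of the original report and not the upstream ZNC patch: one way a DCC receiver can confine an offered file to the downloads directory by accepting the name only as a single path component. It assumes the usual CTCP payload layout "DCC SEND <file> <ip> <port> <size>"; DccOffer, IsSafeName and ParseDccSend are hypothetical names.

```cpp
#include <sstream>
#include <string>

// Added illustration, not ZNC's code. All names here are hypothetical.
struct DccOffer {
    bool ok = false;        // true only if the offer parsed and the name is safe
    std::string localPath;  // where the received file may be written
    unsigned long ip = 0;   // sender address as a 32-bit integer
    unsigned port = 0;
    unsigned long size = 0;
};

// A file name is acceptable only as a single path component: no separators,
// no "." or "..", no control characters.
static bool IsSafeName(const std::string& n) {
    if (n.empty() || n == "." || n == ".." || n.size() > 255) return false;
    for (unsigned char c : n)
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return false;
    return true;
}

// Parse the CTCP payload (the \x01 delimiters already stripped) and build a
// destination that cannot leave downloadDir. Unsafe offers come back !ok.
DccOffer ParseDccSend(const std::string& payload, const std::string& downloadDir) {
    DccOffer o;
    std::istringstream in(payload);
    std::string dcc, send, name;
    if (!(in >> dcc >> send) || dcc != "DCC" || send != "SEND") return o;
    in >> std::ws;
    if (in.peek() == '"') {  // quoted name, may contain spaces
        in.get();
        if (!std::getline(in, name, '"')) return o;
    } else if (!(in >> name)) {
        return o;
    }
    if (!(in >> o.ip >> o.port >> o.size)) return o;
    if (!IsSafeName(name) || o.port > 65535) return o;
    o.localPath = downloadDir + "/" + name;
    o.ok = true;
    return o;
}
```

Rejecting the offer outright, rather than silently rewriting the name, also leaves the receiver with a clear event to log.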
CVE identifier for this vulnerability has been requested here:

http://www.openwall.com/lists/oss-security/2009/07/21/5

Note: Please ensure to mention particular CVE identifier in the ZNC's rpm Changelog, when scheduling Fedora updates.
This issue affects the versions of the ZNC package, as shipped with Fedora releases of 10, 11, and 12. Please fix.
znc-0.072-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/znc-0.072-1.fc11
znc-0.072-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/znc-0.072-1.fc10
znc-0.072-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/znc-0.072-1.el5
znc-0.072-2.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/znc-0.072-2.el5
znc-0.072-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/znc-0.072-2.fc10
znc-0.072-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/znc-0.072-2.fc11
znc-0.072-3.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/znc-0.072-3.fc11
znc-0.072-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/znc-0.072-3.fc10
znc-0.072-3.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/znc-0.072-3.el5
znc-0.072-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
znc-0.072-3.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
By ICQ, you mean IRC, right? Two completely different protocols. ;)
znc-0.072-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Thanks for the catch Reed, fixed.
Updated to 0.072-3, which is 0.072 of ZNC plus a patch to fix the webadmin skins issue which was introduced in 0.072. The updates to rawhide and F-10, F-11, and EL-5 have been pushed to stable. -> CLOSED ERRATA (I think that's the appropriate resolution)
Apparently I was supposed to put CLOSED NEXTRELEASE
(In reply to comment #1)
> CVE identifier for this vulnerability has been requested here:
>
> http://www.openwall.com/lists/oss-security/2009/07/21/5
>
> Note: Please ensure to mention particular CVE identifier in the ZNC's
> rpm Changelog, when scheduling Fedora updates.

This finally got assigned CVE-2009-2658.