Vulnerabilities in znc package CVE-2018-14055 CVE-2018-14056

Bug #1781925 reported by Bas Alberts
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| znc (Ubuntu) | Fix Released | Medium | Thomas Ward | |
| Trusty | Fix Released | Medium | Unassigned | |
| Xenial | Fix Released | Medium | Alex Murray | |
| Artful | Won't Fix | Medium | Unassigned | |
| Bionic | Fix Released | Medium | Alex Murray | |
| Cosmic | Fix Released | Medium | Thomas Ward | |

Bug Description

Multiple remote vulnerabilities reported in ZNC package: CVE-2018-14055, CVE-2018-14056

Debian LTS has updates available: http://www.linuxsecurity.com/content/view/213083?rdf

Relevant patches in znc git:

https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773
https://github.com/znc/znc/commit/a7bfbd93812950b7444841431e8e297e62cb524e
https://github.com/znc/znc/commit/d22fef8620cdd87490754f607e7153979731c69d

Currently no updates available in Xenial, did not see any existing reports.

Bas Alberts (basalberts)
information type: Private Security → Public Security
Simon Quigley (tsimonq2)
tags: added: community-security
Thomas Ward (teward) wrote :

Actually working on a patch set for my own ZNC deployment, guess I'll prep the patches for Ubuntu while I am at it.

Changed in znc (Ubuntu):
assignee: nobody → Thomas Ward (teward)
status: New → Confirmed
Thomas Ward (teward)
Changed in znc (Ubuntu):
status: Confirmed → In Progress
importance: Undecided → Medium
Changed in znc (Ubuntu Trusty):
status: New → Confirmed
status: Confirmed → In Progress
Changed in znc (Ubuntu Xenial):
status: New → In Progress
Changed in znc (Ubuntu Bionic):
status: New → In Progress
Changed in znc (Ubuntu Artful):
status: New → Won't Fix
Changed in znc (Ubuntu Trusty):
assignee: nobody → Thomas Ward (teward)
Changed in znc (Ubuntu Xenial):
assignee: nobody → Thomas Ward (teward)
Changed in znc (Ubuntu Bionic):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) wrote :

Artful reaches End of Life on July 19th. Due to this being in two days, and under the advisement of the Security Team, a patch will not be available by the EOL date. Marking "Won't Fix" for Artful only.

Changed in znc (Ubuntu Trusty):
importance: Undecided → Medium
Changed in znc (Ubuntu Xenial):
importance: Undecided → Medium
Changed in znc (Ubuntu Artful):
importance: Undecided → Medium
Changed in znc (Ubuntu Bionic):
importance: Undecided → Medium
Thomas Ward (teward) wrote :

Autosync from Debian Unstable pulled in the fix for this. 1.7.1-1

Changed in znc (Ubuntu Cosmic):
assignee: Thomas Ward (teward) → nobody
status: In Progress → Fix Released
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) wrote :

Had some issues getting the patches to cleanly apply in Trusty, so I'm letting that one be handled by the Community. I have some patchsets from Debian that can probably be applied for this issue in Xenial, and will be looking into that in the next couple of days.

Changed in znc (Ubuntu Trusty):
status: In Progress → Triaged
assignee: Thomas Ward (teward) → nobody
status: Triaged → Confirmed
Alex Murray (alexmurray) wrote :

If you haven't gotten far with Xenial, I can have a look at that (since I am running znc myself on a Xenial instance...)

Thomas Ward (teward) wrote :

Alex,

I've got a Xenial patchset that I'm working on already, but if you want to take a shot at making a valid patchset for it, be my guest.

Thomas Ward (teward) wrote :

I've got a locally building patchset for Artful currently, though, so I'll still hold onto the Artful one.

Thomas Ward (teward) wrote :

Bionic, not Artful, in my last message; force of habit, sorry.

Alex Murray (alexmurray) wrote :

debdiff against xenial znc - will upload this to security-proposed ppa soon

Changed in znc (Ubuntu Xenial):
assignee: Thomas Ward (teward) → Alex Murray (alexmurray)
Alex Murray (alexmurray) wrote :

debdiff against bionic

Changed in znc (Ubuntu Bionic):
assignee: Thomas Ward (teward) → Alex Murray (alexmurray)
Alex Murray (alexmurray) wrote :

Have uploaded both to security-proposed - @teward any testing you could give would be appreciated.

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

Thomas Ward (teward) wrote :

Well, I WAS going to provide my Bionic debdiff, but you beat me to it. I'm not in a position just now to do testing, as I've got a very busy couple of days; I'll add it to the list of things I have to test, though.

Alex Murray (alexmurray) wrote :

Apologies - I was on a roll and figured I might as well do it too. I'm hoping to push the update out early next week but will wait for your feedback first.

Alex Murray (alexmurray) wrote :

@teward - I am planning to push this out within the next 24h - please let me know if you have any concerns.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package znc - 1.6.3-1ubuntu0.1

---------------
znc (1.6.3-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: Privilege escalation for non-admin users (LP: #1781925)
    - debian/patches/CVE-2018-14055-1.patch: Remove newlines from incoming
      network configuration change directives. Based on upstream patch.
    - debian/patches/CVE-2018-14055-2.patch: Remove extra newlines when
      writing out configuration file. Based on upstream patch.
    - CVE-2018-14055
  * SECURITY UPDATE: Path traversal flaw allows access to files outside of
    skins (LP: #1781925)
    - debian/patches/CVE-2018-14056.patch: Replace path traversal components
      in skin names to ensure path traversal is not possible. Based on
      upstream patch.
    - CVE-2018-14056

 -- Alex Murray <email address hidden> Wed, 25 Jul 2018 16:08:05 +0930

Changed in znc (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package znc - 1.6.6-1ubuntu0.1

---------------
znc (1.6.6-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Privilege escalation for non-admin users (LP: #1781925)
    - debian/patches/CVE-2018-14055-1.patch: Remove newlines from incoming
      network configuration change directives. Based on upstream patch.
    - debian/patches/CVE-2018-14055-2.patch: Remove extra newlines when
      writing out configuration file. Based on upstream patch.
    - CVE-2018-14055
  * SECURITY UPDATE: Path traversal flaw allows access to files outside of
    skins (LP: #1781925)
    - debian/patches/CVE-2018-14056.patch: Replace path traversal components
      in skin names to ensure path traversal is not possible. Based on
      upstream patch.
    - CVE-2018-14056

 -- Alex Murray <email address hidden> Thu, 26 Jul 2018 15:28:39 +0930

Changed in znc (Ubuntu Bionic):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package znc - 1.2-3ubuntu0.1

---------------
znc (1.2-3ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Privilege escalation for non-admin users (LP: #1781925)
    - debian/patches/CVE-2018-14055-1.patch: Remove newlines from incoming
      network configuration change directives. Based on upstream patch.
    - debian/patches/CVE-2018-14055-2.patch: Remove extra newlines when
      writing out configuration file. Based on upstream patch.
    - CVE-2018-14055
  * SECURITY UPDATE: Path traversal flaw allows access to files outside of
    skins (LP: #1781925)
    - debian/patches/CVE-2018-14056.patch: Replace path traversal components
      in skin names to ensure path traversal is not possible. Based on
      upstream patch.
    - CVE-2018-14056
  * SECURITY UPDATE: Denial of service (crash) from remote authenticated users
    - debian/patches/CVE-2014-9403.patch: Check whether channel exists
      when dealing with user specified channel name. Based on upstream
      patch.
    - CVE-2014-9403

 -- Alex Murray <email address hidden> Tue, 07 Aug 2018 14:38:37 +0930

Changed in znc (Ubuntu Trusty):
status: Confirmed → Fix Released
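
The two fix techniques named in the changelogs above (removing newlines from configuration values, replacing path traversal components in skin names), sketched as an added C++17 example; this is not ZNC's or Ubuntu's patch code. The function names, the `Key = Value` line format, the `/srv/app/skins` root and the sample inputs are assumptions made for illustration.

```cpp
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <string>
namespace fs = std::filesystem;

// Hypothetical helper (not ZNC code): drop CR/LF so a value stays on one line.
std::string strip_newlines(std::string v) {
    v.erase(std::remove_if(v.begin(), v.end(),
                           [](char c) { return c == '\r' || c == '\n'; }),
            v.end());
    return v;
}

// Serialize one "Key = Value" directive (assumed format), sanitizing the value.
std::string config_line(const std::string& key, const std::string& value) {
    return key + " = " + strip_newlines(value) + "\n";
}

// Number of lines, i.e. directives, in a serialized fragment.
long count_lines(const std::string& text) {
    return std::count(text.begin(), text.end(), '\n');
}

// Replace the characters that can form traversal components in a skin name.
std::string sanitize_skin_name(std::string name) {
    for (char& c : name)
        if (c == '/' || c == '\\' || c == '.') c = '_';
    return name;
}

// True when candidate, after lexical normalization, lies strictly below root.
bool is_inside(const fs::path& root, const fs::path& candidate) {
    const fs::path rel =
        candidate.lexically_normal().lexically_relative(root.lexically_normal());
    return !rel.empty() && rel != fs::path(".") && rel.begin()->string() != "..";
}

// Resolve a skin directory; an empty path means the request was rejected.
fs::path skin_dir(const fs::path& skins_root, const std::string& requested) {
    const fs::path full = skins_root / sanitize_skin_name(requested);
    return is_inside(skins_root, full) ? full : fs::path{};
}

int main() {
    // Constructed inputs: a value carrying an extra line, a traversal-style name.
    std::cout << count_lines(config_line("Nick", "alice\nInjected = 1")) << "\n"
              << skin_dir("/srv/app/skins", "../../etc").string() << "\n";
}
```

The containment check in `is_inside` is independent of the character replacement, so a later change to the sanitizer cannot silently reopen the traversal.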
This report contains Public Security information  
Everyone can see this security related information.
