Bug 14855 - znc new security issue CVE-2014-9403
Summary: znc new security issue CVE-2014-9403
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/627056/
Whiteboard: has_procedure advisory MGA4-64-OK MG...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-19 17:09 CET by David Walser
Modified: 2014-12-21 21:48 CET (History)
3 users (show)

See Also:
Source RPM: znc-1.0-4.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-12-19 17:09:12 CET
Gentoo has issued an advisory today (December 19):
http://www.gentoo.org/security/en/glsa/glsa-201412-31.xml

For some reason, I had this patched in Cauldron in April but didn't push it to Mageia 4.

Patched package uploaded for Mageia 4.

Advisory:
========================

Updated znc packages fix security vulnerability:

Adding an already existing channel to a user/network via web admin in ZNC
causes a crash if the channel name isn't prefixed with '#' (CVE-2014-9403).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9403
http://www.gentoo.org/security/en/glsa/glsa-201412-31.xml
========================

Updated packages in core/updates_testing:
========================
znc-1.0-4.1.mga4
znc-devel-1.0-4.1.mga4

from znc-1.0-4.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-19 17:09:30 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=11034#c1

Whiteboard: (none) => has_procedure

Comment 2 Len Lawrence 2014-12-19 23:44:28 CET
Tried to test this on mga4 x86_64 but had problems understanding the procedure.

Installed 
znc-1.0-4.1.mga4
znc-devel-1.0-4.1.mga4
from Core Updates Testing

Ran znc --makeconf and defined server, port, user, password as in the procedure outlined in bug 11034#c1.....
  What port would you like ZNC to listen on? (1025 to 65535): 3456
  Would you like ZNC to listen using SSL? (yes/no) [no]: 
  Would you like ZNC to listen using ipv6? (yes/no) [yes]: 
  Listen Host (Blank for all ips): localhost 
  Load global module <partyline>? (yes/no) [no]: 
  Load global module <webadmin>? (yes/no) [no]: 
  Username (AlphaNumeric): znctest
  Enter Password: znctest
  Confirm Password: znctest 
  Would you like this user to be an admin? (yes/no) [yes]: 
  Nick [znctest]: 

Left this running.
Used mcc to configure the firewall to allow web server to connect to internet (??)
Ran up irssi (only IRC client I know)
irssi --port=3456 --connect=localhost --password=znctest/freenode:znctest

and received error message: Unable to connect to localhost

https://localhost:3456/ in Firefox failed likewise on server at localhost:3456

CC: (none) => tarazed25

Comment 3 Len Lawrence 2014-12-19 23:59:29 CET
Tried 
irssi --port=3456 --hostname=localhost --password=znctest/freenode:znctest
and this time irssi came up with a blank page and a status line (blank) so I assume the IRC end is OK.  Still no connection in Firefox for https://localhost:3456
Comment 4 Len Lawrence 2014-12-20 00:05:19 CET
Next attempt:
Set up znc with webadmin global module loaded.
No further forward.
Comment 5 olivier charles 2014-12-20 01:00:56 CET
Hi Len,

Try with this option in znc --makeconfig :
Listen Host (Blank for all ips):  (leave blank)
(...)
Load global module <webadmin>? (yes/no) [no]: yes

and browse to http://localhost:3456 (not https) if you don't configure it to use SSL.

CC: (none) => olchal

Comment 6 Len Lawrence 2014-12-20 11:11:20 CET
Thanks for the suggestions olivier/charles.  Still no connection.
Checked .znc/configs and found no config file there, which means that the znc session (still open) has not written the config file.  I think we are supposed to close the makeconfig session cleanly and run znc &.  Just guessing though.
I am flying blind as far as znc goes.  How to close it?  No idea.
Comment 7 Len Lawrence 2014-12-20 11:22:29 CET
Tried /exit and hit a whole list of queries, many of which I did not understand.  Eventually realized that this was a closedown dialogue - some of my responses were nonsense but all the same znc was able to proceed and asked about launching ZNC now.  Config file written and znc forked to the background.  After that the web interface was available.
Comment 8 claire robinson 2014-12-20 14:17:07 CET
Well done Len, got there in the end. Don't forget to add the 'OK' if you're happy with it.
Comment 9 Len Lawrence 2014-12-20 16:26:19 CET
The web interface seems to be functional.  Marking this as OK.
Will check later in 32bit vbox.

Whiteboard: has_procedure => advisory has_procedure MGA4-64-OK

Len Lawrence 2014-12-20 16:34:20 CET

Whiteboard: advisory has_procedure MGA4-64-OK => has_procedure MGA4-64-OK

Comment 10 olivier charles 2014-12-20 16:43:52 CET
Testing on Mageia 4x32 real hardware

Following procedure mentioned in comment 1 and remarks from Len

From current package :
-------------------
znc-1.0-4.mga4

$ znc --makeconf
Set up znc on localhost port 3456 using ssl with webadmin module
(...)
[ ?? ] Launch ZNC now? (yes/no) [yes]: yes
[ ok ] Opening config [/home/zitounu/.znc/configs/znc.conf]... 
[ ok ] Loading global module [webadmin]... [/usr/lib/znc/webadmin.so]
[ ok ] Binding to port [+3456]... 
[ ** ] Loading user [zncuser]
[ ok ] Forking into the background... [pid: 4034]
[ ** ] ZNC 1.0 - http://znc.in

Could connect to https://localhost:3456/
Used Webadmin to create a new user

Launched irrsi
/connect -ssl localhost 3456 zncuser:zncuser
16:30 -!- Irssi: Looking up localhost
16:30 -!- Irssi: Connecting to localhost [127.0.0.1] port 3456
16:30 -!- Irssi: Connection to localhost established
16:30 -*status(znc@znc.in)- You have no networks configured. Use /znc AddNetwork <network> to add one.
16:30 -!- - Welcome to ZNC 

$ killall znc

All OK

To updated testing package :
--------------------------
znc-1.0-4.1.mga4

$ znc (to launch znc from previous config)
Browsed to https://localhost:3456/
in Webadmin created a new user

Launched irssi and connected with new user 
/connect -ssl localhost 3456 user2:user2

Reconfigured znc without SSL with a new user
Could connect to it in browser and irssi.

Updated testing package working fine.

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Comment 11 claire robinson 2014-12-21 17:22:23 CET
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
Keywords: (none) => validated_update

Comment 12 Mageia Robot 2014-12-21 21:48:02 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0543.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.