Bug 23327 - znc new security issues CVE-2018-1405[56]
Summary: znc new security issues CVE-2018-1405[56]
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: Shlomi Fish
QA Contact: Sec team
URL:
Whiteboard: feedback
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-18 13:58 CEST by David Walser
Modified: 2018-10-21 23:14 CEST

See Also:
Source RPM: znc-1.7.0-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 1.7.1



Description David Walser 2018-07-18 13:58:54 CEST
Advisories have been issued today (July 18):
http://openwall.com/lists/oss-security/2018/07/18/4
http://openwall.com/lists/oss-security/2018/07/18/5

The issues are fixed upstream in 1.7.1.

Mageia 6 is also affected by the first issue, and Mageia 5 and Mageia 6 are affected by the second.
David Walser 2018-07-18 13:59:14 CEST

Whiteboard: (none) => MGA6TOO
CC: (none) => geiger.david68210

Comment 1 David Walser 2018-07-18 18:05:04 CEST
znc-1.7.1-1.mga7 uploaded for Cauldron by Shlomi.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Status comment: (none) => Fixed upstream in 1.7.1

Comment 2 David Walser 2018-07-19 15:27:58 CEST
Updated package uploaded for Mageia 6 by Shlomi.  Advisory to come later.

Updated packages in core/updates_testing:
========================
znc-1.7.1-1.mga6
znc-devel-1.7.1-1.mga6
znc-modperl-1.7.1-1.mga6
znc-modpython-1.7.1-1.mga6

from znc-1.7.1-1.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 3 David Walser 2018-07-19 15:44:10 CEST
Debian has issued an advisory for this on July 18:
https://www.debian.org/security/2018/dsa-4252

Advisory:
========================

Updated znc packages fix security vulnerabilities:

Jeriko One discovered two vulnerabilities in the ZNC IRC bouncer which could
result in privilege escalation or denial of service (CVE-2018-14055,
CVE-2018-14056).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14056
https://www.debian.org/security/2018/dsa-4252
Comment 4 Herman Viaene 2018-07-27 14:58:14 CEST
MGA6-32 MATE IBM Thinkpad R50e
No installation issues
$ znc --makeconf
[ .. ] Checking for list of available modules...
[ ** ] 
[ ** ] -- Global settings --
[ ** ] 
[ ?? ] Listen on port (1025 to 65534): 
[ ?? ] Listen on port (1025 to 65534): 6665-6667
[ ?? ] Listen using SSL (yes/no) [no]: 
[ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no
[ .. ] Verifying the listener...
[ ** ] Unable to locate pem file: [/home/tester6/.znc/znc.pem], creating it
[ .. ] Writing Pem file [/home/tester6/.znc/znc.pem]...
[ ** ] Enabled global modules [webadmin]
[ ** ] 
[ ** ] -- Admin user settings --
[ ** ] 
[ ?? ] Username (alphanumeric): hviaene
[ ?? ] Enter password: 
[ ?? ] Confirm password: 
[ ?? ] Nick [hviaene]: 
[ ?? ] Alternate nick [hviaene_]: 
[ ?? ] Ident [hviaene]: 
[ ?? ] Real name (optional): 
[ ?? ] Bind host (optional): 
[ ** ] Enabled user modules [chansaver, controlpanel]
[ ** ] 
[ ?? ] Set up a network? (yes/no) [yes]: 
[ ** ] 
[ ** ] -- Network settings --
[ ** ] 
[ ?? ] Name [freenode]: freenode.irc.org
[ ?? ] Name [freenode]: card.freenode.net
[ ?? ] Name [freenode]: 
[ ?? ] Server host [chat.freenode.net]: 
[ ?? ] Server uses SSL? (yes/no) [yes]: no
[ ?? ] Server port (1 to 65535) [6667]: 
[ ?? ] Server password (probably empty): 
[ ?? ] Initial channels: #mageia-qa
[ ** ] Enabled network modules [simple_away]
[ ** ] 
[ .. ] Writing config [/home/tester6/.znc/configs/znc.conf]...
[ ** ] 
[ ** ] To connect to this ZNC you need to connect to it as your IRC server
[ ** ] using the port that you supplied.  You have to supply your login info
[ ** ] as the IRC server password like this: user/network:pass.
[ ** ] 
[ ** ] Try something like this in your IRC client...
[ ** ] /server <znc_server_ip> 6665 hviaene:<pass>
[ ** ] 
[ ** ] To manage settings, users and networks, point your web browser to
[ ** ] http://<znc_server_ip>:6665/
[ ** ] 
[ ?? ] Launch ZNC now? (yes/no) [yes]: 
[ .. ] Opening config [/home/tester6/.znc/configs/znc.conf]...
[ .. ] Loading global module [webadmin]...
[ .. ] Binding to port [6665] using ipv4...
[ ** ] Loading user [hviaene]
[ ** ] Loading network [freenode]
[ .. ] Loading network module [simple_away]...
[ >> ] [/usr/lib/znc/simple_away.so]
[ .. ] Adding server [chat.freenode.net 6667 ]...
[ .. ] Loading user module [chansaver]...
[ .. ] Loading user module [controlpanel]...
[ .. ] Forking into the background...
[ >> ] [pid: 24793]
[ ** ] ZNC 1.7.1 - https://znc.in

Not very sure this is all OK
Launched then hexchat and tried to connect. Got as far as:
* Looking up localhost
* Connecting to localhost (127.0.0.1:6665)
* Connected. Now logging in.
* Capabilities supported: batch cap-notify echo-message multi-prefix server-time userhost-in-names znc.in/batch znc.in/self-message znc.in/server-time-iso
* Capabilities requested: cap-notify multi-prefix server-time userhost-in-names znc.in/server-time-iso 
* Capabilities acknowledged: cap-notify multi-prefix server-time userhost-in-names znc.in/server-time-iso
* Password required
* *** You need to send your password. Configure your client to send a server password.
* *** To connect now, you can use /quote PASS <username>:<password>, or /quote PASS <username>/<network>:<password> to connect to a specific network.
 Not in a kanaal. Try /join #<channel>
I try join #mageia-qa, but this gets me nowhere

CC: (none) => herman.viaene

Comment 5 claire robinson 2018-07-27 15:10:13 CEST
IIRC ZNC has a web based management console which might be easier to use to join channels etc.
Comment 7 Herman Viaene 2018-07-27 15:48:12 CEST
Did not mention it, but tried to connect localhost:6665, but Firefox does not like it. 
I get (translated): This address has restricted access. This address uses a network port which is normally used for other purposes but web browsing. Firefox cancelled the request to protect you.
Not sure how to manipulate Firefox for this.
Comment 8 claire robinson 2018-07-27 18:36:33 CEST
It perhaps doesn't host the web interface on all available ports.

6667 would be the standard IRC port though, try again with that one instead or choose a single port when setting up znc.
Comment 9 Herman Viaene 2018-07-28 17:56:58 CEST
I get the warning during setting up znc: WARNING: Some web browsers reject port 6667. If you intend to use ZNC's web interface, you might want to use another port.
And indeed same error in Firefox as before.
Tried again and took as port for znc 8080, defined a user and password, and accepted for the rest all defaults, except for using IPv6.
Now pointing Firefox at localhost:8080 brings me to login page, logging in with the user and password from the setup brings me to "ZNC Frontend" and settings and info menu. But I find no way to get beyond those pages.
Comment 10 claire robinson 2018-07-28 23:07:24 CEST
Before
------
# urpmi znc

    $MIRRORLIST: media/core/release/znc-1.6.3-4.mga6.x86_64.rpm
installing znc-1.6.3-4.mga6.x86_64.rpm from /var/cache/urpmi/rpms                                                                                                      
Preparing...                     ####################
      1/1: znc                   ####################


Didn't configure it.


After
-----
# urpmi znc

    $MIRRORLIST: media/core/updates_testing/znc-1.7.1-1.mga6.x86_64.rpm
installing znc-1.7.1-1.mga6.x86_64.rpm from /var/cache/urpmi/rpms                                                                                                      
Preparing...                     ####################
      1/1: znc                   ####################
Failed to try-restart znc.service: Unit znc.service is not loaded properly: Invalid argument.
See system logs and 'systemctl status znc.service' for details.
warning: %post(znc-1.7.1-1.mga6.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for znc-1.7.1-1.mga6.x86_64
      1/1: removing znc-1.6.3-4.mga6.x86_64
                                 #####################


Script failed with the update. Adding feedback marker.

Whiteboard: (none) => feedback

David Walser 2018-10-21 23:14:58 CEST

Assignee: qa-bugs => shlomif
CC: (none) => pkg-bugs, qa-bugs

