Bug 23327 - znc new security issues CVE-2018-1405[56], CVE-2019-9917, and CVE-2019-12816
Summary: znc new security issues CVE-2018-1405[56], CVE-2019-9917, and CVE-2019-12816
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-07-18 13:58 CEST by David Walser
Modified: 2019-09-12 21:11 CEST

See Also:
Source RPM: znc-1.7.3-1.mga7.src
CVE:
Status comment: Fixed upstream in 1.7.4


Description David Walser 2018-07-18 13:58:54 CEST
Advisories have been issued today (July 18):
http://openwall.com/lists/oss-security/2018/07/18/4
http://openwall.com/lists/oss-security/2018/07/18/5

The issues are fixed upstream in 1.7.1.

Mageia 6 is also affected by the first issue, and Mageia 5 and Mageia 6 are affected by the second.
David Walser 2018-07-18 13:59:14 CEST

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-07-18 18:05:04 CEST
znc-1.7.1-1.mga7 uploaded for Cauldron by Shlomi.

Status comment: (none) => Fixed upstream in 1.7.1
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 David Walser 2018-07-19 15:27:58 CEST
Updated package uploaded for Mageia 6 by Shlomi.  Advisory to come later.

Updated packages in core/updates_testing:
========================
znc-1.7.1-1.mga6
znc-devel-1.7.1-1.mga6
znc-modperl-1.7.1-1.mga6
znc-modpython-1.7.1-1.mga6

from znc-1.7.1-1.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Comment 3 David Walser 2018-07-19 15:44:10 CEST
Debian has issued an advisory for this on July 18:
https://www.debian.org/security/2018/dsa-4252

Advisory:
========================

Updated znc packages fix security vulnerabilities:

Jeriko One discovered two vulnerabilities in the ZNC IRC bouncer which could
result in privilege escalation or denial of service (CVE-2018-14055,
CVE-2018-14056).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14056
https://www.debian.org/security/2018/dsa-4252
Comment 4 Herman Viaene 2018-07-27 14:58:14 CEST
MGA6-32 MATE IBM Thinkpad R50e
No installation issues
$ znc --makeconf
[ .. ] Checking for list of available modules...
[ ** ] 
[ ** ] -- Global settings --
[ ** ] 
[ ?? ] Listen on port (1025 to 65534): 
[ ?? ] Listen on port (1025 to 65534): 6665-6667
[ ?? ] Listen using SSL (yes/no) [no]: 
[ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: no
[ .. ] Verifying the listener...
[ ** ] Unable to locate pem file: [/home/tester6/.znc/znc.pem], creating it
[ .. ] Writing Pem file [/home/tester6/.znc/znc.pem]...
[ ** ] Enabled global modules [webadmin]
[ ** ] 
[ ** ] -- Admin user settings --
[ ** ] 
[ ?? ] Username (alphanumeric): hviaene
[ ?? ] Enter password: 
[ ?? ] Confirm password: 
[ ?? ] Nick [hviaene]: 
[ ?? ] Alternate nick [hviaene_]: 
[ ?? ] Ident [hviaene]: 
[ ?? ] Real name (optional): 
[ ?? ] Bind host (optional): 
[ ** ] Enabled user modules [chansaver, controlpanel]
[ ** ] 
[ ?? ] Set up a network? (yes/no) [yes]: 
[ ** ] 
[ ** ] -- Network settings --
[ ** ] 
[ ?? ] Name [freenode]: freenode.irc.org
[ ?? ] Name [freenode]: card.freenode.net
[ ?? ] Name [freenode]: 
[ ?? ] Server host [chat.freenode.net]: 
[ ?? ] Server uses SSL? (yes/no) [yes]: no
[ ?? ] Server port (1 to 65535) [6667]: 
[ ?? ] Server password (probably empty): 
[ ?? ] Initial channels: #mageia-qa
[ ** ] Enabled network modules [simple_away]
[ ** ] 
[ .. ] Writing config [/home/tester6/.znc/configs/znc.conf]...
[ ** ] 
[ ** ] To connect to this ZNC you need to connect to it as your IRC server
[ ** ] using the port that you supplied.  You have to supply your login info
[ ** ] as the IRC server password like this: user/network:pass.
[ ** ] 
[ ** ] Try something like this in your IRC client...
[ ** ] /server <znc_server_ip> 6665 hviaene:<pass>
[ ** ] 
[ ** ] To manage settings, users and networks, point your web browser to
[ ** ] http://<znc_server_ip>:6665/
[ ** ] 
[ ?? ] Launch ZNC now? (yes/no) [yes]: 
[ .. ] Opening config [/home/tester6/.znc/configs/znc.conf]...
[ .. ] Loading global module [webadmin]...
[ .. ] Binding to port [6665] using ipv4...
[ ** ] Loading user [hviaene]
[ ** ] Loading network [freenode]
[ .. ] Loading network module [simple_away]...
[ >> ] [/usr/lib/znc/simple_away.so]
[ .. ] Adding server [chat.freenode.net 6667 ]...
[ .. ] Loading user module [chansaver]...
[ .. ] Loading user module [controlpanel]...
[ .. ] Forking into the background...
[ >> ] [pid: 24793]
[ ** ] ZNC 1.7.1 - https://znc.in

Not very sure this is all OK
Launched then hexchat and tried to connect. Got as far as:
* Looking up localhost
* Connecting to localhost (127.0.0.1:6665)
* Connected. Now logging in.
* Capabilities supported: batch cap-notify echo-message multi-prefix server-time userhost-in-names znc.in/batch znc.in/self-message znc.in/server-time-iso
* Capabilities requested: cap-notify multi-prefix server-time userhost-in-names znc.in/server-time-iso
* Capabilities acknowledged: cap-notify multi-prefix server-time userhost-in-names znc.in/server-time-iso
* Password required
* *** You need to send your password. Configure your client to send a server password.
* *** To connect now, you can use /quote PASS <username>:<password>, or /quote PASS <username>/<network>:<password> to connect to a specific network.
 Not in a kanaal. Try /join #<channel>
I try to join #mageia-qa, but this gets me nowhere

CC: (none) => herman.viaene

Comment 5 claire robinson 2018-07-27 15:10:13 CEST
IIRC ZNC has a web based management console which might be easier to use to join channels etc.
Comment 7 Herman Viaene 2018-07-27 15:48:12 CEST
Did not mention it, but tried to connect to localhost:6665, but Firefox does not like it.
I get (translated): This address has restricted access. This address uses a network port which is normally used for purposes other than web browsing. Firefox cancelled the request to protect you.
Not sure how to manipulate Firefox for this.
Comment 8 claire robinson 2018-07-27 18:36:33 CEST
It perhaps doesn't host the web interface on all available ports.

6667 would be the standard IRC port though, try again with that one instead or choose a single port when setting up znc.
Comment 9 Herman Viaene 2018-07-28 17:56:58 CEST
I get this warning while setting up znc: WARNING: Some web browsers reject port 6667. If you intend to use ZNC's web interface, you might want to use another port.
And indeed same error in Firefox as before.
Tried again and took 8080 as port for znc, defined a user and password, and accepted all defaults for the rest, except for using IPv6.
Now pointing Firefox at localhost:8080 brings me to the login page, logging in with the user and password from the setup brings me to "ZNC Frontend" and settings and info menu. But I find no way to get beyond those pages.
Comment 10 claire robinson 2018-07-28 23:07:24 CEST
Before
------
# urpmi znc

    $MIRRORLIST: media/core/release/znc-1.6.3-4.mga6.x86_64.rpm
installing znc-1.6.3-4.mga6.x86_64.rpm from /var/cache/urpmi/rpms                                                                                                      
Preparing...                     ####################
      1/1: znc                   ####################


Didn't configure it.


After
-----
# urpmi znc

    $MIRRORLIST: media/core/updates_testing/znc-1.7.1-1.mga6.x86_64.rpm
installing znc-1.7.1-1.mga6.x86_64.rpm from /var/cache/urpmi/rpms                                                                                                      
Preparing...                     ####################
      1/1: znc                   ####################
Failed to try-restart znc.service: Unit znc.service is not loaded properly: Invalid argument.
See system logs and 'systemctl status znc.service' for details.
warning: %post(znc-1.7.1-1.mga6.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for znc-1.7.1-1.mga6.x86_64
      1/1: removing znc-1.6.3-4.mga6.x86_64
                                 #####################


Script failed with the update. Adding feedback marker.

Whiteboard: (none) => feedback

David Walser 2018-10-21 23:14:58 CEST

CC: (none) => pkg-bugs, qa-bugs
Assignee: qa-bugs => shlomif

Comment 11 David Walser 2019-04-22 23:26:47 CEST
Ubuntu has issued an advisory on April 18:
https://usn.ubuntu.com/3950-1/

One new issue is fixed upstream in 1.7.3.

Whiteboard: feedback => (none)
Status comment: Fixed upstream in 1.7.1 => Fixed upstream in 1.7.3
Summary: znc new security issues CVE-2018-1405[56] => znc new security issues CVE-2018-1405[56] and CVE-2019-9917

Comment 12 David Walser 2019-08-11 22:30:52 CEST
Debian and Ubuntu have issued advisories on June 14 and July 1:
https://www.debian.org/security/2019/dsa-4463
https://usn.ubuntu.com/4044-1/

They fix a new issue that was fixed upstream in 1.7.4.

Summary: znc new security issues CVE-2018-1405[56] and CVE-2019-9917 => znc new security issues CVE-2018-1405[56], CVE-2019-9917, and CVE-2019-12816
Version: 6 => 7
Whiteboard: (none) => MGA6TOO
Source RPM: znc-1.7.0-1.mga7.src.rpm => znc-1.7.3-1.mga7.src
Status comment: Fixed upstream in 1.7.3 => Fixed upstream in 1.7.4

Comment 13 David Walser 2019-08-12 15:29:15 CEST
Advisory:
========================

Updated znc packages fix security vulnerabilities:

Jeriko One discovered two vulnerabilities in the ZNC IRC bouncer which could
result in privilege escalation or denial of service (CVE-2018-14055,
CVE-2018-14056).

Two vulnerabilities were discovered in the ZNC IRC bouncer which could result
in remote code execution (CVE-2019-12816) or denial of service via invalid
encoding (CVE-2019-9917).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14055
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9917
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12816
https://www.debian.org/security/2018/dsa-4252
https://www.debian.org/security/2019/dsa-4463
========================

Updated packages in core/updates_testing:
========================
znc-1.7.4-1.mga6
znc-devel-1.7.4-1.mga6
znc-modperl-1.7.4-1.mga6
znc-modpython-1.7.4-1.mga6
znc-1.7.4-1.mga7
znc-devel-1.7.4-1.mga7
znc-modperl-1.7.4-1.mga7
znc-modpython-1.7.4-1.mga7

from SRPMS:
znc-1.7.4-1.mga6.src.rpm
znc-1.7.4-1.mga7.src.rpm

CC: qa-bugs => (none)
Assignee: shlomif => qa-bugs

Comment 14 Len Lawrence 2019-08-16 09:23:55 CEST
mga7, x86_64

Updated cleanly.  Ran the configuration command as above (comment 4) and all seemed to go well.  irssi is my normal IRC client but it is configured to autojoin so I tried hexchat.  That got as far as #mageia-meeting but I could not join because there seemed to be some confusion between my local id, which is 'lcl' and the IRC nickname, which is 'tarazed'.  It kept on prompting me as lcl.

I tried to log in as tarazed using
/msg NickServ identify tarazed .......
and was rejected.

Tried the web interface at port 6665 and was rejected, like Herman.
Checked znc server status:
$ systemctl status znc
● znc.service - ZNC, an advanced IRC bouncer
   Loaded: loaded (/usr/lib/systemd/system/znc.service; enabled; vendor preset:>
   Active: failed (Result: exit-code) since Fri 2019-08-16 08:14:01 BST; 16s ago
 Main PID: 2419 (code=exited, status=1/FAILURE)

Whiteboard: MGA6TOO => (none)
CC: (none) => tarazed25

Len Lawrence 2019-08-16 09:24:44 CEST

Whiteboard: (none) => MGA6TOO

Comment 15 Len Lawrence 2019-08-16 10:04:20 CEST
mga6, x86_64

Tried this before the update and ran the configuration.
Discovered by experimenting that znc needs to be started by the user.
$ znc &
That then allows the web interface to be used on the specified port, in this case 6671.  Exited there.

Updating later.
Comment 16 Len Lawrence 2019-08-16 17:25:14 CEST
OK.  Ran the update and launched the web interface on localhost:6671/
Checked the various screens.

So now what?  My irssi config file works just as it always did - no sign of znc anywhere.  Same for hexchat.

Don't know what "bounce" means or what znc is actually for.  It is running in the background and the web interface is live so we can assume that the basics work.

Is this good enough for an OK?
Comment 17 Len Lawrence 2019-08-26 19:58:19 CEST
Further to comment 16:

Again tried creating a new conf file as in comment 4, ran up irssi, which is set for autoconnect and tried to override it without being at all clear what values to use in order to connect through the znc server.  The messages indicated that freenode was connected to localhost (the znc server?) but then the connection was reset almost immediately by peer (means nothing to me).

I still do not understand what part znc is supposed to play in all this when you are directed to use your normal IRC client.  What exactly is the advantage in connecting through an external service rather than your usual config method?

Or to put it another way, what the hell is an IRC bouncer?
Comment 18 Len Lawrence 2019-08-26 23:21:30 CEST
Another point - the web interface is only available with the original, default, config file.  As soon as that is replaced by the reconstructed user config file the web interface is inaccessible.

Also, once the znc server is running, does anybody know how you access it?  There does not seem to be an interface, cli or otherwise.
Comment 19 Len Lawrence 2019-08-27 04:07:23 CEST
Looking back at earlier comments - the znc server should be started with systemd; forgot that.

$ sudo systemctl enable znc.service
$ sudo systemctl start znc.service
Failed to start znc.service: Unit znc.service is not loaded properly: Invalid argument.
See system logs and 'systemctl status znc.service' for details.

$ systemctl status znc.service
Failed to dump process list, ignoring: Unit znc.service is not loaded properly: 
● znc.service - ZNC - an advanced IRC bouncer
   Loaded: error (Reason: Invalid argument)
   Active: inactive (dead)
Comment 20 Len Lawrence 2019-08-27 09:04:47 CEST
It looks like we are not going to get anywhere with testing this so it should be released on the basis of a clean update and the fact of a working web interface with the default configuration.

There is an advisory in comment 13 but shall leave validation in case somebody steps in with a successful operational test.

Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK

Comment 21 Herman Viaene 2019-09-09 12:11:09 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Continuing later on.
Comment 22 Herman Viaene 2019-09-09 13:28:55 CEST
Configured as per comment 4 above.
Tried hexchat, but got nowhere trying to connect to mageia-meeting, message "Not registered".
Tried web interface:
- with firefox: port not allowed for browsing
- with konqueror: localhost:6665 gives invalid url. This mentions to format the address line as http://<user>@<password>:localhost:6665, but this results in "Undocumented error"
- with lynx as
$ lynx localhost:6665
and then I get into the web interface, I can navigate in the pages, but sincerely I don't know what to do there unless I would spend time to study the subject.
If Len e.a. agree, this is OK for me.
Comment 23 Len Lawrence 2019-09-09 18:00:59 CEST
@Herman, with respect to comment 22.
You have had a little more experience with this but seem to have encountered similar troubles to mine.  And time is getting short so IMHO you should just OK this on the basis of a clean update.  Thanks.
Herman Viaene 2019-09-10 08:51:04 CEST

Whiteboard: MGA6TOO MGA6-64-OK => MGA6TOO MGA6-64-OK MGA7-64-OK

Comment 24 Thomas Andrews 2019-09-11 03:51:09 CEST
Validating. Advisory in Comment 13.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-12 17:12:20 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 25 Mageia Robot 2019-09-12 21:11:18 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0262.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

