author | nia <nia@pkgsrc.org> | 2019-06-18 10:21:37 +0000 |
---|---|---|
committer | nia <nia@pkgsrc.org> | 2019-06-18 10:21:37 +0000 |
commit | 35618142e1a33decfb02fe1d056cee6a21c7597e (patch) | |
tree | c56868332b214725428e6199c8622feb895088c8 /chat | |
parent | 872da8bf9f3d2425040d3cf184b2656a53fb291c (diff) | |
download | pkgsrc-35618142e1a33decfb02fe1d056cee6a21c7597e.tar.gz |
znc: Fix CVE-2019-12816
This is a remote code execution and privilege escalation vulnerability.
It requires an already-existing unprivileged ZNC user.
This is znc-1.7.3nb2.
Diffstat (limited to 'chat')
-rw-r--r-- | chat/znc/Makefile | 4 | ||||
-rw-r--r-- | chat/znc/distinfo | 4 | ||||
-rw-r--r-- | chat/znc/patches/patch-include_znc_Modules.h | 16 | ||||
-rw-r--r-- | chat/znc/patches/patch-src_Modules.cpp | 79 |
4 files changed, 100 insertions, 3 deletions
diff --git a/chat/znc/Makefile b/chat/znc/Makefile
index 22606c2179d..6ac398bbc49 100644
--- a/chat/znc/Makefile
+++ b/chat/znc/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.6 2019/04/03 00:32:28 ryoon Exp $
+# $NetBSD: Makefile,v 1.7 2019/06/18 10:21:37 nia Exp $
 DISTNAME= znc-1.7.3
-PKGREVISION= 1
+PKGREVISION= 2
 CATEGORIES= net
 MASTER_SITES= https://znc.in/releases/archive/
diff --git a/chat/znc/distinfo b/chat/znc/distinfo
index 24b919ed1fc..d655d1126db 100644
--- a/chat/znc/distinfo
+++ b/chat/znc/distinfo
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.3 2019/03/31 15:20:42 nia Exp $
+$NetBSD: distinfo,v 1.4 2019/06/18 10:21:37 nia Exp $
 SHA1 (znc-1.7.3.tar.gz) = 76c1c32d3ec6fc052b0c3854dbbb8896aecafee5
 RMD160 (znc-1.7.3.tar.gz) = a52f7f8500dc3156dd3387f9450e8558132013d6
 SHA512 (znc-1.7.3.tar.gz) = 4cd63be2cb3bc1e3950f38984b128c6511bd1b9fc01a00d51cfcdc46826c2dedad120d6ed8e30d9c400909e33d39b2b14579fb40ee1e3508b7f3a07eff3a15d8
 Size (znc-1.7.3.tar.gz) = 2084575 bytes
+SHA1 (patch-include_znc_Modules.h) = 57f5d2dcb0021c3c7c0162ccd06ad8698e68022e
+SHA1 (patch-src_Modules.cpp) = adb6f87f4c441cd438110aa58fdb31b481212eff
diff --git a/chat/znc/patches/patch-include_znc_Modules.h b/chat/znc/patches/patch-include_znc_Modules.h
new file mode 100644
index 00000000000..4f1622206a0
--- /dev/null
+++ b/chat/znc/patches/patch-include_znc_Modules.h
@@ -0,0 +1,16 @@
+$NetBSD: patch-include_znc_Modules.h,v 1.1 2019/06/18 10:21:37 nia Exp $
+
+Fix CVE-2019-12816
+
+https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311
+
+--- include/znc/Modules.h.orig 2019-03-30 14:37:00.000000000 +0000
++++ include/znc/Modules.h
+@@ -1600,6 +1600,7 @@ class CModules : public std::vector<CMod
+ private:
+ static ModHandle OpenModule(const CString& sModule, const CString& sModPath,
+ CModInfo& Info, CString& sRetMsg);
++ static bool ValidateModuleName(const CString& sModule, CString& sRetMsg);
+
+ protected:
+ CUser* m_pUser;
diff --git a/chat/znc/patches/patch-src_Modules.cpp b/chat/znc/patches/patch-src_Modules.cpp
new file mode 100644
index 00000000000..a1666af32da
--- /dev/null
+++ b/chat/znc/patches/patch-src_Modules.cpp
@@ -0,0 +1,79 @@
+$NetBSD: patch-src_Modules.cpp,v 1.1 2019/06/18 10:21:37 nia Exp $
+
+Fix CVE-2019-12816
+
+https://github.com/znc/znc/commit/8de9e376ce531fe7f3c8b0aa4876d15b479b7311
+
+--- src/Modules.cpp.orig 2019-03-30 14:37:00.000000000 +0000
++++ src/Modules.cpp
+@@ -1624,11 +1624,30 @@ CModule* CModules::FindModule(const CStr
+ return nullptr;
+ }
+
++bool CModules::ValidateModuleName(const CString& sModule, CString& sRetMsg) {
++ for (unsigned int a = 0; a < sModule.length(); a++) {
++ if (((sModule[a] < '0') || (sModule[a] > '9')) &&
++ ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
++ ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
++ sRetMsg =
++ t_f("Module names can only contain letters, numbers and "
++ "underscores, [{1}] is invalid")(sModule);
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ bool CModules::LoadModule(const CString& sModule, const CString& sArgs,
+ CModInfo::EModuleType eType, CUser* pUser,
+ CIRCNetwork* pNetwork, CString& sRetMsg) {
+ sRetMsg = "";
+
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ if (FindModule(sModule) != nullptr) {
+ sRetMsg = t_f("Module {1} already loaded.")(sModule);
+ return false;
+@@ -1781,6 +1800,10 @@ bool CModules::ReloadModule(const CStrin
+
+ bool CModules::GetModInfo(CModInfo& ModInfo, const CString& sModule,
+ CString& sRetMsg) {
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ CString sModPath, sTmp;
+
+ bool bSuccess;
+@@ -1799,6 +1822,10 @@ bool CModules::GetModPathInfo(CModInfo& ModI
+
+ bool CModules::GetModPathInfo(CModInfo& ModInfo, const CString& sModule,
+ const CString& sModPath, CString& sRetMsg) {
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return false;
++ }
++
+ ModInfo.SetName(sModule);
+ ModInfo.SetPath(sModPath);
+
+@@ -1911,15 +1938,8 @@ ModHandle CModules::OpenModule(const CSt
+ // Some sane defaults in case anything errors out below
+ sRetMsg.clear();
+
+- for (unsigned int a = 0; a < sModule.length(); a++) {
+- if (((sModule[a] < '0') || (sModule[a] > '9')) &&
+- ((sModule[a] < 'a') || (sModule[a] > 'z')) &&
+- ((sModule[a] < 'A') || (sModule[a] > 'Z')) && (sModule[a] != '_')) {
+- sRetMsg =
+- t_f("Module names can only contain letters, numbers and "
+- "underscores, [{1}] is invalid")(sModule);
+- return nullptr;
+- }
++ if (!ValidateModuleName(sModule, sRetMsg)) {
++ return nullptr;
+ }
+
+ // The second argument to dlopen() has a long history. It seems clear |
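Review bot: ValidateModuleName() returns true for an empty name, because the loop never runs when sModule.length() is 0, so the allow-list that now gates LoadModule, GetModInfo, GetModPathInfo and OpenModule lets "" through to whatever path lookup follows. A guard ahead of the loop, `if (sModule.empty()) { sRetMsg = t_s("Module name is empty"); return false; }` (message wording is a suggestion), would close that; what the later lookup does with an empty name is not visible in these hunks, so treat this as hardening rather than a confirmed hole. The helper also deserves a one-line comment, for example `// Allow-list check: call before sModule is used to build or search any module path.`, since the ordering of this check appears to be the point of the fix. The bodies of the four callers start or continue outside the hunks shown.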