Debian Bug report logs - #537977
directory traversal bug


Package: znc; Maintainer for znc is Patrick Matthäi <pmatthaei@debian.org>; Source for znc is src:znc.

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Wed, 22 Jul 2009 05:45:04 UTC

Severity: grave

Tags: patch, security

Fixed in versions znc/0.074-1, 0.045-3+etch3, 0.058-2+lenny3

Done: Patrick Matthäi <pmatthaei@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Patrick Matthäi <pmatthaei@debian.org>:
Bug#537977; Package znc. (Wed, 22 Jul 2009 05:45:07 GMT)

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Patrick Matthäi <pmatthaei@debian.org>. (Wed, 22 Jul 2009 05:45:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: directory traversal bug
Date: Wed, 22 Jul 2009 07:42:29 +0200
Package: znc
Severity: grave
Tags: security patch

Hi,

znc 0.072 fixes a high-impact directory traversal bug

| You can upload files to znc via /dcc send *status. The files will be saved in <datadir>/users/<user>/downloads/. 
| The code for this didn't do any checking on the file name at all and thus allowed directory traversal attacks by
| all znc users (no admin privileges required!).
| By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys file or upload a znc module which
| lets everyone gain shell access. Anything is possible.
| Again: ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges. THE ATTACKER GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO.

Patch: http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570

Cheers,
Giuseppe.

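Added example, not part of the original report and not ZNC's code or the upstream patch: a C++ sketch of the file-name check the advisory above says was missing, next to the unchecked join into `<datadir>/users/<user>/downloads/`. The directory path used with it and all function names are constructed for illustration.

```cpp
// Added example, not ZNC source. Paths and function names are constructed.
#include <sstream>
#include <string>
#include <vector>

// Lexically resolve "." and ".." in an absolute POSIX path (no symlink lookup).
std::string Normalize(const std::string& path) {
    std::vector<std::string> parts;
    std::istringstream in(path);
    std::string seg;
    while (std::getline(in, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") {
            if (!parts.empty()) parts.pop_back();
            continue;
        }
        parts.push_back(seg);
    }
    std::string out;
    for (const std::string& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// Where an unchecked join ends up: the peer-supplied name is appended as-is,
// so ".." components walk out of the downloads directory.
std::string UncheckedTarget(const std::string& downloads, const std::string& name) {
    return Normalize(downloads + "/" + name);
}

// True only for a single plain component: non-empty, not "." or "..", and
// free of NUL bytes and of '/' or '\\' separators.
bool IsPlainFileName(const std::string& name) {
    if (name.empty() || name == "." || name == "..") return false;
    if (name.find('\0') != std::string::npos) return false;
    return name.find_first_of("/\\") == std::string::npos;
}

// Checked join: on success stores the destination in `out` and returns true.
// The prefix test repeats the containment check on the resolved path, so a
// later change to IsPlainFileName cannot silently reopen the hole.
bool CheckedTarget(const std::string& downloads, const std::string& name,
                   std::string& out) {
    if (!IsPlainFileName(name)) return false;
    const std::string base = Normalize(downloads) + "/";
    const std::string dest = Normalize(downloads + "/" + name);
    if (dest.compare(0, base.size(), base) != 0) return false;
    out = dest;
    return true;
}
```

The check is lexical only: it does not detect a symlink that already exists inside the downloads directory.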




Information forwarded to debian-bugs-dist@lists.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#537977; Package znc. (Wed, 22 Jul 2009 12:15:08 GMT)

Acknowledgement sent to pmatthaei@debian.org:
Extra info received and forwarded to list. Copy sent to Patrick Matthäi <pmatthaei@debian.org>. (Wed, 22 Jul 2009 12:15:08 GMT)

Message #10 received at 537977@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 537977@bugs.debian.org
Subject: Re: Bug#537977: directory traversal bug
Date: Wed, 22 Jul 2009 13:58:36 +0200

Giuseppe Iuculano wrote:
> Package: znc
> Severity: grave
> Tags: security patch
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hi,
> 
> znc 0.072 fixes a high-impact directory traversal bug
> 
> | You can upload files to znc via /dcc send *status. The files will be saved in <datadir>/users/<user>/downloads/. 
> | The code for this didn't do any checking on the file name at all and thus allowed directory traversal attacks by
> | all znc users (no admin privileges required!).
> | By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys file or upload a znc module which
> | lets everyone gain shell access. Anything is possible.
> | Again: ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges. THE ATTACKER GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO.
> 
> Patch: http://znc.svn.sourceforge.net/viewvc/znc?view=rev&sortby=rev&sortdir=down&revision=1570

Hello,

Yes, I already talked about that with upstream.
0.072 itself is b0rked (broken webadmin), so this has to wait.
But in the next days I will create fixed versions for stable-security etc.

Cheers.





Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Fri, 24 Jul 2009 12:45:03 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Fri, 24 Jul 2009 12:45:03 GMT)

Message #15 received at 537977-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 537977-close@bugs.debian.org
Subject: Bug#537977: fixed in znc 0.074-1
Date: Fri, 24 Jul 2009 12:17:13 +0000
Source: znc
Source-Version: 0.074-1

We believe that the bug you reported is fixed in the latest version of
znc, which is due to be installed in the Debian FTP archive:

znc-dbg_0.074-1_i386.deb
  to pool/main/z/znc/znc-dbg_0.074-1_i386.deb
znc-dev_0.074-1_i386.deb
  to pool/main/z/znc/znc-dev_0.074-1_i386.deb
znc-perl_0.074-1_i386.deb
  to pool/main/z/znc/znc-perl_0.074-1_i386.deb
znc-webadmin_0.074-1_i386.deb
  to pool/main/z/znc/znc-webadmin_0.074-1_i386.deb
znc_0.074-1.diff.gz
  to pool/main/z/znc/znc_0.074-1.diff.gz
znc_0.074-1.dsc
  to pool/main/z/znc/znc_0.074-1.dsc
znc_0.074-1_i386.deb
  to pool/main/z/znc/znc_0.074-1_i386.deb
znc_0.074.orig.tar.gz
  to pool/main/z/znc/znc_0.074.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 537977@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated znc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 24 Jul 2009 13:46:00 +0200
Source: znc
Binary: znc znc-dbg znc-dev znc-perl znc-webadmin
Architecture: source i386
Version: 0.074-1
Distribution: unstable
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description: 
 znc        - an advanced IRC bouncer
 znc-dbg    - an advanced IRC bouncer (debugging symbols)
 znc-dev    - an advanced IRC bouncer (development headers)
 znc-perl   - an advanced IRC bouncer (Perl extension)
 znc-webadmin - an advanced IRC bouncer (webadmin module)
Closes: 537977
Changes: 
 znc (0.074-1) unstable; urgency=high
 .
   * New upstream release.
     - Bump urgency to high. This release fixes a high-impact directory
       traversal bug, where unprivileged users can save about DCC SEND files on
       the server with the rights of the znc process. The attacker could also
       use the exploit to get a shell on the server.
       Closes: #537977
     - Use c-ares for DNS resolving, add libc-ares-dev and pkg-config as
       build-dependency.
   * Merge 0.058-2+lenny2, 0.058-2+lenny3, 0.070-1~bpo40+1 and 0.070-1~bpo50+1
     changelog.
   * Bump Standards-Version to 3.8.2 (no changes needed).





Bug Marked as fixed in versions 0.045-3+etch3. Request was from Francesco Poli <frx@firenze.linux.it> to control@bugs.debian.org. (Sun, 02 Aug 2009 14:27:02 GMT)

Bug Marked as fixed in versions 0.058-2+lenny3. Request was from Francesco Poli <frx@firenze.linux.it> to control@bugs.debian.org. (Sun, 02 Aug 2009 14:27:03 GMT)

Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Sun, 02 Aug 2009 20:45:12 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 02 Aug 2009 20:45:12 GMT)

Message #24 received at 537977-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 537977-close@bugs.debian.org
Subject: Bug#537977: fixed in znc 0.058-2+lenny3
Date: Sun, 02 Aug 2009 20:28:35 +0000
Source: znc
Source-Version: 0.058-2+lenny3

We believe that the bug you reported is fixed in the latest version of
znc, which is due to be installed in the Debian FTP archive:

znc_0.058-2+lenny3.diff.gz
  to pool/main/z/znc/znc_0.058-2+lenny3.diff.gz
znc_0.058-2+lenny3.dsc
  to pool/main/z/znc/znc_0.058-2+lenny3.dsc
znc_0.058-2+lenny3_amd64.deb
  to pool/main/z/znc/znc_0.058-2+lenny3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 537977@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated znc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 24 Jul 2009 10:59:59 +0200
Source: znc
Binary: znc
Architecture: source amd64
Version: 0.058-2+lenny3
Distribution: stable-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description: 
 znc        - advanced modular IRC bouncer
Closes: 537977
Changes: 
 znc (0.058-2+lenny3) stable-security; urgency=high
 .
   * Fixes a high-impact directory traversal bug, where unprivileged users can
     save about DCC SEND files on the server with the rights of the znc process.
     The attacker could also use the exploit to get a shell on the server.
     Closes: #537977





Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Sun, 02 Aug 2009 20:48:07 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 02 Aug 2009 20:48:07 GMT)

Message #29 received at 537977-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 537977-close@bugs.debian.org
Subject: Bug#537977: fixed in znc 0.045-3+etch3
Date: Sun, 02 Aug 2009 20:28:41 +0000
Source: znc
Source-Version: 0.045-3+etch3

We believe that the bug you reported is fixed in the latest version of
znc, which is due to be installed in the Debian FTP archive:

znc_0.045-3+etch3.diff.gz
  to pool/main/z/znc/znc_0.045-3+etch3.diff.gz
znc_0.045-3+etch3.dsc
  to pool/main/z/znc/znc_0.045-3+etch3.dsc
znc_0.045-3+etch3_amd64.deb
  to pool/main/z/znc/znc_0.045-3+etch3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 537977@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated znc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 01 Aug 2009 20:23:03 +0200
Source: znc
Binary: znc
Architecture: source amd64
Version: 0.045-3+etch3
Distribution: oldstable-security
Urgency: high
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description: 
 znc        - an advanced IRC bouncer
Closes: 537977
Changes: 
 znc (0.045-3+etch3) oldstable-security; urgency=high
 .
   * Fixes a high-impact directory traversal bug, where unprivileged users can
     save about DCC SEND files on the server with the rights of the znc process.
     The attacker could also use the exploit to get a shell on the server.
     Closes: #537977
   * Change my email address, the old one is not reachable anymore.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 31 Aug 2009 07:40:42 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 02:43:55 2014; Machine Name: beach.debian.org
