[meta-networking,kirkstone,1/4] znc: patch CVE-2024-39844

Message ID	20251213201820.3214133-1-skandigraun@gmail.com
State	New
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.221.49, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-networking][kirkstone][PATCH 1/4] znc: patch CVE-2024-39844 Date: Sat, 13 Dec 2025 21:18:17 +0100 Message-ID: <20251213201820.3214133-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-networking,kirkstone,1/4] znc: patch CVE-2024-39844 \| expand [meta-networking,kirkstone,1/4] znc: patch CVE-2024-39844 [meta-oe,kirkstone,2/4] zlog: patch CVE-2024-22857 [meta-oe,kirkstone,3/4] sysdig: set SRCREV_FORMAT [meta-oe,kirkstone,4/4] gosu: set SRCREV_FORMAT variable

Message ID

20251213201820.3214133-1-skandigraun@gmail.com

State

New

Headers

From: Gyorgy Sarvari <skandigraun@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][kirkstone][PATCH 1/4] znc: patch CVE-2024-39844
Date: Sat, 13 Dec 2025 21:18:17 +0100
Message-ID: <20251213201820.3214133-1-skandigraun@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[meta-networking,kirkstone,1/4] znc: patch CVE-2024-39844 | expand

Commit Message

Gyorgy Sarvari Dec. 13, 2025, 8:18 p.m. UTC

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-39844

Pick the patch that is mentioned in the oss-security[1] advisory

[1]: https://www.openwall.com/lists/oss-security/2024/07/03/9

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../recipes-irc/znc/znc/CVE-2024-39844.patch  | 61 +++++++++++++++++++
 meta-networking/recipes-irc/znc/znc_1.8.2.bb  |  4 +-
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch

diff --git a/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch b/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch
new file mode 100644
index 0000000000..de0d8c5541
--- /dev/null
+++ b/meta-networking/recipes-irc/znc/znc/CVE-2024-39844.patch
@@ -0,0 +1,61 @@ 
+From 5f6c872e44830d41d4d242e241af7b096a62a7c3 Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Mon, 1 Jul 2024 09:59:16 +0100
+Subject: [PATCH] Fix RCE vulnerability in modtcl
+
+Remote attacker could execute arbitrary code embedded into the kick
+reason while kicking someone on a channel.
+
+To mitigate this for existing installations, simply unload the modtcl
+module for every user, if it's loaded.
+Note that only users with admin rights can load modtcl at all.
+
+While at it, also escape the channel name.
+
+Discovered by Johannes Kuhn (DasBrain)
+
+Patch by https://github.com/glguy
+
+CVE-2024-39844
+
+CVE: CVE-2024-39844
+Upstream-Status: Backport [https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ modules/modtcl.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/modtcl.cpp b/modules/modtcl.cpp
+index c64bc43f..58e68f51 100644
+--- a/modules/modtcl.cpp
++++ b/modules/modtcl.cpp
+@@ -248,8 +248,9 @@ class CModTcl : public CModule {
+         // chan specific
+         unsigned int nLength = vChans.size();
+         for (unsigned int n = 0; n < nLength; n++) {
++            CString sChannel = TclEscape(CString(vChans[n]->GetName()));
+             sCommand = "Binds::ProcessNick {" + sOldNick + "} {" + sHost +
+-                       "} - {" + vChans[n]->GetName() + "} {" + sNewNickTmp +
++                       "} - {" + sChannel + "} {" + sNewNickTmp +
+                        "}";
+             int i = Tcl_Eval(interp, sCommand.c_str());
+             if (i != TCL_OK) {
+@@ -260,14 +261,16 @@ class CModTcl : public CModule {
+ 
+     void OnKick(const CNick& OpNick, const CString& sKickedNick, CChan& Channel,
+                 const CString& sMessage) override {
++        CString sMes = TclEscape(sMessage);
+         CString sOpNick = TclEscape(CString(OpNick.GetNick()));
+         CString sNick = TclEscape(sKickedNick);
+         CString sOpHost =
+             TclEscape(CString(OpNick.GetIdent() + "@" + OpNick.GetHost()));
++        CString sChannel = TclEscape(Channel.GetName());
+ 
+         CString sCommand = "Binds::ProcessKick {" + sOpNick + "} {" + sOpHost +
+-                           "} - {" + Channel.GetName() + "} {" + sNick + "} {" +
+-                           sMessage + "}";
++                           "} - {" + sChannel + "} {" + sNick + "} {" +
++                           sMes + "}";
+         int i = Tcl_Eval(interp, sCommand.c_str());
+         if (i != TCL_OK) {
+             PutModule(Tcl_GetStringResult(interp));
diff --git a/meta-networking/recipes-irc/znc/znc_1.8.2.bb b/meta-networking/recipes-irc/znc/znc_1.8.2.bb
index a50431982e..f7a99c876f 100644
--- a/meta-networking/recipes-irc/znc/znc_1.8.2.bb
+++ b/meta-networking/recipes-irc/znc/znc_1.8.2.bb
@@ -5,7 +5,9 @@  LIC_FILES_CHKSUM = "file://LICENSE;md5=3b83ef96387f14655fc854ddc3c6bd57"
 
 DEPENDS = "openssl zlib icu"
 
-SRC_URI = "gitsm://github.com/znc/znc.git;branch=master;protocol=https"
+SRC_URI = "gitsm://github.com/znc/znc.git;branch=master;protocol=https \
+           file://CVE-2024-39844.patch \
+           "
 
 SRCREV = "bf253640d33d03331310778e001fb6f5aba2989e"