Merge branch 'epel9' into epel8

0001-Fix-RCE-vulnerability-in-modtcl.patch

@@ -0,0 +1,62 @@
+From e273660b0e10857cc56eb0022cf0d9f0c0a7bd2f Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Mon, 1 Jul 2024 09:59:16 +0100
+Subject: [PATCH] Fix RCE vulnerability in modtcl
+
+Remote attacker could execute arbitrary code embedded into the kick
+reason while kicking someone on a channel.
+
+To mitigate this for existing installations, simply unload the modtcl
+module for every user, if it's loaded.
+Note that only users with admin rights can load modtcl at all.
+
+While at it, also escape the channel name.
+
+Discovered by Johannes Kuhn (DasBrain)
+
+Patch by https://github.com/glguy
+
+CVE-2024-39844
+
+(cherry picked from commit 8cbf8d628174ddf23da680f3f117dc54da0eb06e)
+---
+ modules/modtcl.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/modtcl.cpp b/modules/modtcl.cpp
+index c64bc43f..58e68f51 100644
+--- a/modules/modtcl.cpp
++++ b/modules/modtcl.cpp
+@@ -248,8 +248,9 @@ class CModTcl : public CModule {
+         // chan specific
+         unsigned int nLength = vChans.size();
+         for (unsigned int n = 0; n < nLength; n++) {
++            CString sChannel = TclEscape(CString(vChans[n]->GetName()));
+             sCommand = "Binds::ProcessNick {" + sOldNick + "} {" + sHost +
+-                       "} - {" + vChans[n]->GetName() + "} {" + sNewNickTmp +
++                       "} - {" + sChannel + "} {" + sNewNickTmp +
+                        "}";
+             int i = Tcl_Eval(interp, sCommand.c_str());
+             if (i != TCL_OK) {
+@@ -260,14 +261,16 @@ class CModTcl : public CModule {
+ 
+     void OnKick(const CNick& OpNick, const CString& sKickedNick, CChan& Channel,
+                 const CString& sMessage) override {
++        CString sMes = TclEscape(sMessage);
+         CString sOpNick = TclEscape(CString(OpNick.GetNick()));
+         CString sNick = TclEscape(sKickedNick);
+         CString sOpHost =
+             TclEscape(CString(OpNick.GetIdent() + "@" + OpNick.GetHost()));
++        CString sChannel = TclEscape(Channel.GetName());
+ 
+         CString sCommand = "Binds::ProcessKick {" + sOpNick + "} {" + sOpHost +
+-                           "} - {" + Channel.GetName() + "} {" + sNick + "} {" +
+-                           sMessage + "}";
++                           "} - {" + sChannel + "} {" + sNick + "} {" +
++                           sMes + "}";
+         int i = Tcl_Eval(interp, sCommand.c_str());
+         if (i != TCL_OK) {
+             PutModule(Tcl_GetStringResult(interp));
+-- 
+2.48.1
+

znc.spec

@@ -13,7 +13,7 @@
 
 Name:           znc
 Version:        1.8.2
-Release:        15%{?dist}
+Release:        16%{?dist}
 Summary:        An advanced IRC bouncer
 
 License:        ASL 2.0
@@ -26,6 +26,10 @@ Source2:        gpgkey-5AE420CC0209989E.asc
 # https://fedoraproject.org/wiki/Packaging:CryptoPolicies
 Patch0:         0001-Use-system-wide-crypto-policy.patch
 
+# https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e
+# Fixes CVE-2024-39844
+Patch1:         0001-Fix-RCE-vulnerability-in-modtcl.patch
+
 BuildRequires: make
 BuildRequires:  automake
 BuildRequires:  c-ares-devel
@@ -118,8 +122,6 @@ gpgv2 --homedir "$gpghome" --quiet --keyring $key.gpg %{SOURCE1} %{SOURCE0}
 rm -rf "$gpghome" $key.gpg # Cleanup tmp gpg home dir and dearmored key
 
 %autosetup -p1
-#%setup -n znc-1.7.5-rc1
-#%patch0 -p1
 
 # The manual page references /usr/local/; fix that
 sed -ie 's!/usr/local/!/usr/!' man/znc.1
@@ -221,6 +223,9 @@ getent passwd znc >/dev/null || \
 
 
 %changelog
+* Fri May 09 2025 Robby Callicotte <rcallicotte@fedoraproject.org> - 1.8.2-16
+- Fix for CVE-2024-39844
+
 * Mon Aug 01 2022 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.8.2-15
 - Rebuilt for ICU 71.1