Removed unnecessary comments.

0001-Fix-RCE-vulnerability-in-modtcl.patch

@@ -0,0 +1,62 @@
+From e273660b0e10857cc56eb0022cf0d9f0c0a7bd2f Mon Sep 17 00:00:00 2001
+From: Alexey Sokolov <alexey+znc@asokolov.org>
+Date: Mon, 1 Jul 2024 09:59:16 +0100
+Subject: [PATCH] Fix RCE vulnerability in modtcl
+
+Remote attacker could execute arbitrary code embedded into the kick
+reason while kicking someone on a channel.
+
+To mitigate this for existing installations, simply unload the modtcl
+module for every user, if it's loaded.
+Note that only users with admin rights can load modtcl at all.
+
+While at it, also escape the channel name.
+
+Discovered by Johannes Kuhn (DasBrain)
+
+Patch by https://github.com/glguy
+
+CVE-2024-39844
+
+(cherry picked from commit 8cbf8d628174ddf23da680f3f117dc54da0eb06e)
+---
+ modules/modtcl.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/modules/modtcl.cpp b/modules/modtcl.cpp
+index c64bc43f..58e68f51 100644
+--- a/modules/modtcl.cpp
++++ b/modules/modtcl.cpp
+@@ -248,8 +248,9 @@ class CModTcl : public CModule {
+         // chan specific
+         unsigned int nLength = vChans.size();
+         for (unsigned int n = 0; n < nLength; n++) {
++            CString sChannel = TclEscape(CString(vChans[n]->GetName()));
+             sCommand = "Binds::ProcessNick {" + sOldNick + "} {" + sHost +
+-                       "} - {" + vChans[n]->GetName() + "} {" + sNewNickTmp +
++                       "} - {" + sChannel + "} {" + sNewNickTmp +
+                        "}";
+             int i = Tcl_Eval(interp, sCommand.c_str());
+             if (i != TCL_OK) {
+@@ -260,14 +261,16 @@ class CModTcl : public CModule {
+ 
+     void OnKick(const CNick& OpNick, const CString& sKickedNick, CChan& Channel,
+                 const CString& sMessage) override {
++        CString sMes = TclEscape(sMessage);
+         CString sOpNick = TclEscape(CString(OpNick.GetNick()));
+         CString sNick = TclEscape(sKickedNick);
+         CString sOpHost =
+             TclEscape(CString(OpNick.GetIdent() + "@" + OpNick.GetHost()));
++        CString sChannel = TclEscape(Channel.GetName());
+ 
+         CString sCommand = "Binds::ProcessKick {" + sOpNick + "} {" + sOpHost +
+-                           "} - {" + Channel.GetName() + "} {" + sNick + "} {" +
+-                           sMessage + "}";
++                           "} - {" + sChannel + "} {" + sNick + "} {" +
++                           sMes + "}";
+         int i = Tcl_Eval(interp, sCommand.c_str());
+         if (i != TCL_OK) {
+             PutModule(Tcl_GetStringResult(interp));
+-- 
+2.48.1
+

0001-Use-system-wide-crypto-policy.patch

@@ -9,24 +9,34 @@ Reference: https://fedoraproject.org/wiki/Packaging:CryptoPolicies
  1 file changed, 3 insertions(+), 14 deletions(-)
 
 diff --git a/src/Socket.cpp b/src/Socket.cpp
-index 577f69c..f413f96 100644
+index fa510462..e40c76ea 100644
 --- a/src/Socket.cpp
 +++ b/src/Socket.cpp
-@@ -28,15 +28,11 @@
+@@ -28,21 +28,10 @@
  #endif
  
  #ifdef HAVE_LIBSSL
 -// Copypasted from
 -// https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
--// at 2024-02-08 (version 5.7)
+-// at 2018-04-01
 +// Use system-wide crypto policy
 +// https://fedoraproject.org/wiki/Packaging:CryptoPolicies
  static CString ZNC_DefaultCipher() {
-     // This is TLS1.2 only, because TLS1.3 ciphers are probably not configurable here yet
--    return "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
--           "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
--           "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
--           "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305";
+-    return "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-"
+-           "ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-"
+-           "AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-"
+-           "SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-"
+-           "RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:"
+-           "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-"
+-           "SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
+-           "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:"
+-           "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:"
+-           "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-"
+-           "SHA:DES-CBC3-SHA:!DSS";
 +    return "PROFILE=SYSTEM";
  }
  #endif
+ 
+-- 
+2.19.0.rc0
+

sources

@@ -1,2 +1,2 @@
-SHA512 (znc-1.10.1.tar.gz) = f125eef5a9f8bfcd278951971638fe8a937261001bfd8f6438fc51fda666b97c00780c5c6f1a921b3db79cb7656bc9675eb3881b18b22b7738e0976ebcca7cb3
-SHA512 (znc-1.10.1.tar.gz.sig) = a85b65dacce72d51cda4260ff881496c82b77dabf273fda1c3f536360950755700b352a6d22bac01c808abae13c4b686a2e5f36b0351e0b77ec032057caee311
+SHA512 (znc-1.8.2.tar.gz) = e821647b50698c3a82fad039e69943e030bf644d8f8e82afa87c6c11da44761bceecddd510a7a956a1b487b1cca6ee46e8ac8818ea03127f0f1ff8f5d1a1a7f9
+SHA512 (znc-1.8.2.tar.gz.sig) = c4fb2817a54155cef19702e3f48ba845350209019445d7b056d303c708ddf8931eea308a0ec84d58f02be0cb932b663c3d2a732c48112205dbe953f8b08423cb

znc.spec

@@ -12,12 +12,11 @@
 %endif # 0%{?fedora} || 0%{?rhel} >= 7
 
 Name:           znc
-Version:        1.10.1
-Release:        1%{?dist}
+Version:        1.8.2
+Release:        16%{?dist}
 Summary:        An advanced IRC bouncer
 
-# Automatically converted from old format: ASL 2.0 - review is highly recommended.
-License:        Apache-2.0
+License:        ASL 2.0
 URL:            https://znc.in
 Source0:        %{url}/releases/archive/%{name}-%{version}.tar.gz
 Source1:        %{url}/releases/archive/%{name}-%{version}.tar.gz.sig
@@ -27,31 +26,30 @@ Source2:        gpgkey-5AE420CC0209989E.asc
 # https://fedoraproject.org/wiki/Packaging:CryptoPolicies
 Patch0:         0001-Use-system-wide-crypto-policy.patch
 
+# https://github.com/znc/znc/commit/8cbf8d628174ddf23da680f3f117dc54da0eb06e
+# Fixes CVE-2024-39844
+Patch1:         0001-Fix-RCE-vulnerability-in-modtcl.patch
+
+BuildRequires: make
+BuildRequires:  automake
 BuildRequires:  c-ares-devel
-BuildRequires:  cmake
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  gcc-c++
 BuildRequires:  gettext-devel
 BuildRequires:  gnupg2
 BuildRequires:  libicu-devel
-BuildRequires:  make
-
 %if 0%{?fedora} || 0%{?rhel} >= 8
 BuildRequires:  openssl-devel >= 0.9.8
 %else
 BuildRequires:  openssl11-devel
 %endif
-
-%if 0%{?fedora} >= 41
-BuildRequires:  openssl-devel-engine
-%endif
-
 BuildRequires:  perl(ExtUtils::Embed)
 
 %if 0%{?rhel} && 0%{?rhel} <= 9
 Obsoletes:      znc-extra <= %{version}-%{release}
 %endif # 0%{?rhel} && 0%{?rhel} <= 9
 
+Requires(pre):  shadow-utils
 BuildRequires:  systemd
 %{?systemd_requires}
 
@@ -128,48 +126,39 @@ rm -rf "$gpghome" $key.gpg # Cleanup tmp gpg home dir and dearmored key
 # The manual page references /usr/local/; fix that
 sed -ie 's!/usr/local/!/usr/!' man/znc.1
 
-# Create a sysusers.d config file
-cat >znc.sysusers.conf <<EOF
-u znc - 'Account for ZNC to run as' /var/lib/znc -
-EOF
-
 %build
 %if 0%{?rhel} == 7
 sed -e 's/"openssl"/"openssl11"/g' -i configure
 %endif
 
-# NOTE(neil): 2024-09-02 aarch64 responds badly to building on large machines
-%ifarch aarch64
-%global _smp_build_ncpus 1
-%endif
-
-%ifarch x86_64
-%global _smp_build_ncpus 1
-%endif
-
-%cmake \
+%configure \
+     --with-module-prefix=%{_libdir}/znc \
+     --with-systemdsystemunitdir=%{_unitdir} \
 %if 0%{?with_modperl}
-    -DWANT_PERL=1 \
-%endif
+     --enable-perl \
+%else
+     --disable-perl \
+%endif # 0%{?with_modperl}
 %if 0%{?with_modpython}
-    -DWANT_PYTHON=1 \
-%endif
-    -DWANT_SYSTEMD=1 \
-    -DSYSTEMD_DIR=%{_unitdir} \
-    -DWANT_IPV6=1 \
-    -DWANT_CYRUS=1 \
-    -DWANT_TCL=1
+     --enable-python \
+%else # 0%{?with_modpython}
+     --disable-python \
+%endif # 0%{?with_modpython}
+     --enable-ipv6 --enable-cyrus --enable-tcl --with-tcl=%{_libdir}
+%make_build V=1
 
-%cmake_build
 
 %install
-%cmake_install
+%make_install
 install -d "%{buildroot}%{_sharedstatedir}/znc"
 %py_byte_compile %{__python3} %{buildroot}%{_libdir}/znc/
 
-install -m0644 -D znc.sysusers.conf %{buildroot}%{_sysusersdir}/znc.conf
-
 
+%pre
+getent group znc >/dev/null || groupadd -r znc
+getent passwd znc >/dev/null || \
+    useradd -r -g znc -d /var/lib/znc -s /sbin/nologin \
+    -c "Account for ZNC to run as" znc
 
 
 %post
@@ -206,7 +195,6 @@ install -m0644 -D znc.sysusers.conf %{buildroot}%{_sysusersdir}/znc.conf
 %exclude %{_datadir}/znc/modtcl/
 %{_unitdir}/znc.service
 %attr(-,znc,znc) %{_sharedstatedir}/znc/
-%{_sysusersdir}/znc.conf
 
 %files devel
 %{_bindir}/znc-buildmod
@@ -235,88 +223,8 @@ install -m0644 -D znc.sysusers.conf %{buildroot}%{_sysusersdir}/znc.conf
 
 
 %changelog
-* Mon Oct 13 2025 Ben Maconi <turboben@fedoraproject.org> - 1.10.1-1
-- Updated to 1.10.1
-
-* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 1.9.1-13
-- Rebuilt for Python 3.14.0rc3 bytecode
-
-* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 1.9.1-12
-- Rebuilt for Python 3.14.0rc2 bytecode
-
-* Wed Aug 06 2025 František Zatloukal <fzatlouk@redhat.com> - 1.9.1-11
-- Rebuilt for icu 77.1
-
-* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-10
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Mon Jul 07 2025 Jitka Plesnikova <jplesnik@redhat.com> - 1.9.1-9
-- Perl 5.42 rebuild
-
-* Mon Jun 02 2025 Python Maint <python-maint@redhat.com> - 1.9.1-8
-- Rebuilt for Python 3.14
-
-* Tue Feb 11 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.9.1-7
-- Add sysusers.d config file to allow rpm to create users/groups automatically
-
-* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
-* Sun Dec 08 2024 Pete Walter <pwalter@fedoraproject.org> - 1.9.1-5
-- Rebuild for ICU 76
-
-* Sun Aug 25 2024 Neil Hanlon <neil@shrug.pw> - 1.9.1-4
-- switch to pure cmake (1.9.0 turned configure into a wrapper which dropped options)
-- resolve ftbfs, fti, new version (#226393 #2301380 #2292226)
-- resolve CVE-2024-39844 (#2295622)
-
-* Wed Jul 24 2024 Miroslav Suchý <msuchy@redhat.com> - 1.9.1-3
-- convert license to SPDX
-
-* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
-
-* Wed Jul 17 2024 Nick Bebout <nb@fedoraproject.org> - 1.9.1-1
-- Update to 1.9.1
-
-* Tue Jun 18 2024 Python Maint <python-maint@redhat.com> - 1.8.2-28
-- Rebuilt for Python 3.13
-
-* Wed Jun 12 2024 Jitka Plesnikova <jplesnik@redhat.com> - 1.8.2-27
-- Perl 5.40 rebuild
-
-* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 1.8.2-26
-- Rebuilt for Python 3.13
-
-* Wed Jan 31 2024 Pete Walter <pwalter@fedoraproject.org> - 1.8.2-25
-- Rebuild for ICU 74
-
-* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.2-24
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.2-23
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Thu Jul 13 2023 František Zatloukal <fzatlouk@redhat.com> - 1.8.2-22
-- Rebuilt for ICU 73.2
-
-* Thu Jul 13 2023 Jitka Plesnikova <jplesnik@redhat.com> - 1.8.2-21
-- Perl 5.38 re-rebuild updated packages
-
-* Tue Jul 11 2023 František Zatloukal <fzatlouk@redhat.com> - 1.8.2-20
-- Rebuilt for ICU 73.2
-
-* Tue Jul 11 2023 Jitka Plesnikova <jplesnik@redhat.com> - 1.8.2-19
-- Perl 5.38 rebuild
-
-* Tue Jun 13 2023 Python Maint <python-maint@redhat.com> - 1.8.2-18
-- Rebuilt for Python 3.12
-
-* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.2-17
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Sat Dec 31 2022 Pete Walter <pwalter@fedoraproject.org> - 1.8.2-16
-- Rebuild for ICU 72
+* Fri May 09 2025 Robby Callicotte <rcallicotte@fedoraproject.org> - 1.8.2-16
+- Fix for CVE-2024-39844
 
 * Mon Aug 01 2022 Frantisek Zatloukal <fzatlouk@redhat.com> - 1.8.2-15
 - Rebuilt for ICU 71.1