Remote attacker could execute arbitrary code embedded into the kick
reason while kicking someone on a channel.
To mitigate this for existing installations, simply unload the modtcl
module for every user, if it's loaded.
Note that only users with admin rights can load modtcl at all.
While at it, also escape the channel name.
Discovered by Johannes Kuhn (DasBrain)
Patch by https://github.com/glguy
CVE-2024-39844
Update modtcl -> adding GetServerName function and network variable with network name value.
Modification to have the variable ::network such as an eggdrop.
Example usage:
<MalaGaM> return $network
<*modtcl> artis
<MalaGaM> return $::network
<*modtcl> artis
<MalaGaM> return [GetServerName]
<*modtcl> artis
The following people agreed with the change, in alphabetical order:
(people who approved in several ways are listed only once)
By email:
- Adam (from Anope)
- Austin Morton
- Brian Campbell
- Christian Walde
- Daniel Holbert
- Daniel Wallace
- Falk Seidel
- Heiko Hund
- Ingmar Runge
- Jim Hull
- Kyle Fuller
- Lee Aylward
- Martin Martimeo
- Matt Harper
- Michael J Edgar
- Michael Ziegler
- Nick Bebout
- Paul Driver
- Perry Nguyen
- Philippe (cycomate)
- Reuben Morais
- Roland Hieber
- Sebastian Ramacher
- Stefan Rado
- Stéphan Kochen
- Thomas Ward
- Toon Schoenmakers
- Veit Wahlich
- Wulf C. Krueger
By IRC:
- CNU
- Jonas Gorski
- Joshua M. Clulow
- Prozac/SHiZNO
- SilverLeo
- Uli Schlachter
At https://github.com/znc/znc/issues/311 :
- Alexey Sokolov
- Elizabeth Myers
- flakes
- Jens-Andre Koch
- Jyzee
- KindOne/ineedalifetoday
- Lee Williams
- Mantas Mikulėnas
- md-5
- Reed Loden
At the last few pull requests' comments:
- Allan Odgaard
- Jacob Baines
- Lluís Batlle i Rossell
- ravomavain
- protomouse
The following commits' authors didn't respond:
Trivial changes:
- f70f1086fd
- 4ca8b50e45
The changes which are not presented in master anymore:
- 5512ed2ea0
- 960a4498f7
- 0f739de2c0
- 7f53cc810bFix#311Fix#218
If you did ./configure --enable-tcl, tcl wasn't actually enabled because
--enable-extra was missing, That's less than optimal.
Just moving modtcl out of modules/extra solves this problem.
Big thanks go to zynox/kylef for noticing this!
Signed-off-by: Uli Schlachter <psychon@znc.in>
