Alexey Sokolov 8cbf8d6281 Fix RCE vulnerability in modtcl ...

Remote attacker could execute arbitrary code embedded into the kick
reason while kicking someone on a channel.

To mitigate this for existing installations, simply unload the modtcl
module for every user, if it's loaded.
Note that only users with admin rights can load modtcl at all.

While at it, also escape the channel name.

Discovered by Johannes Kuhn (DasBrain)

Patch by https://github.com/glguy

CVE-2024-39844

2024-07-01 10:27:49 +01:00

18 KiB

Raw Permalink Blame History

View Raw