FS#39854 : [znc] ZNC can be crashed by any user if webadmin is loaded

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#39854 - [znc] ZNC can be crashed by any user if webadmin is loaded

Attached to Project: Community Packages
Opened by Richard Schwab (Nothing4You) - Monday, 14 April 2014, 22:15 GMT
Last edited by Sébastien Luttringer (seblu) - Monday, 05 May 2014, 23:38 GMT

Task Type	Bug Report
Category	Packages
Status	Closed
Assigned To	Sébastien Luttringer (seblu)
Architecture	All
Severity	High
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

Description:

Details: https://github.com/znc/znc/issues/528
Patch: https://github.com/znc/znc/commit/5e6e3be32acfeadeaf1fb3bb17bada08aec6432f

Any version since znc-0.043~72 is affected.

Sidenote: Any user can load webadmin as long as the module exists.

Quoting https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744712#10

the bug was introduced in the following commit:

https://github.com/znc/znc/commit/997023ea9de8fcc4ab68f0139015e1b7dba3b8a9

This is from 2005. Or put differently, everything this release is affected:

$ git describe --contains 997023ea9de8fcc4ab68f0139015e1b7dba3b8a9
znc-0.043~72

This task depends upon

Closed by Sébastien Luttringer (seblu)
Monday, 05 May 2014, 23:38 GMT
Reason for closing: Fixed
Additional comments about closing: znc-1.2-3