Bug 1101280 (CVE-2018-14056)

Summary: VUL-0: CVE-2018-14056: ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skinname to access files outside of the intended skins directories.
Product: [openSUSE] openSUSE Distribution Reporter: Karol Babioch <karol>
Component: SecurityAssignee: Martin Pluskal <mpluskal>
Status: RESOLVED FIXED QA Contact: Martin Pluskal <mpluskal>
Severity: Normal    
Priority: P3 - Medium CC: meissner, security-team
Version: Leap 42.3   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/210683/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Karol Babioch 2018-07-16 06:45:38 UTC 
CVE-2018-14056

ZNC before 1.7.1-rc1 is prone to a path traversal flaw via ../ in a web skin
name to access files outside of the intended skins directories.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14056
http://www.cvedetails.com/cve/CVE-2018-14056/
https://github.com/znc/znc/commit/a4a5aeeb17d32937d8c7d743dae9a4cc755ce773
Comment 2 Swamp Workflow Management 2018-07-16 09:00:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1101280) was mentioned in
https://build.opensuse.org/request/show/623072 Factory / znc
https://build.opensuse.org/request/show/623073 15.0+42.3 / znc
Comment 3 Swamp Workflow Management 2018-07-16 10:00:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1101280) was mentioned in
https://build.opensuse.org/request/show/623100 Factory / znc
Comment 4 Swamp Workflow Management 2018-07-16 13:20:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1101280) was mentioned in
https://build.opensuse.org/request/show/623128 15.0+42.3+Backports:SLE-12-SP2 / znc
Comment 5 Swamp Workflow Management 2018-07-18 08:30:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1101280) was mentioned in
https://build.opensuse.org/request/show/623567 Factory / znc
https://build.opensuse.org/request/show/623568 15.0+42.3+Backports:SLE-12-SP2 / znc
Comment 6 Swamp Workflow Management 2018-08-07 13:07:44 UTC 
openSUSE-SU-2018:2228-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1101280,1101281
CVE References: CVE-2018-14055,CVE-2018-14056
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    znc-1.7.1-2.1
Comment 7 Swamp Workflow Management 2018-08-07 13:09:42 UTC 
openSUSE-SU-2018:2231-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1101280,1101281
CVE References: CVE-2018-14055,CVE-2018-14056
Sources used:
openSUSE Leap 42.3 (src):    znc-1.7.1-20.3.1
openSUSE Leap 15.0 (src):    znc-1.7.1-lp150.2.6.1
Comment 8 Marcus Meissner 2018-08-07 13:22:48 UTC 
released
Comment 9 Swamp Workflow Management 2019-03-25 12:10:06 UTC 
This is an autogenerated message for OBS integration:
This bug (1101280) was mentioned in
https://build.opensuse.org/request/show/688205 15.0+42.3+Backports:SLE-12+Backports:SLE-12-SP2+Backports:SLE-15 / znc