from ${URL}:

Hi all,

Please assign a CVE to the following issue:

Quassel IRC is vulnerable to SQL injection on all current versions (0.9.0 being the latest at the time of writing), if used with Qt 4.8.5 (the vulnerability is caused by a change in its postgres driver[1,2]) and PostgreSQL 8.2 or later with standard_conforming_strings enabled (which is the default in those versions).

The vulnerability allows anyone to trick the core into executing SQL queries, which includes cascade deleting the entire database. It is tracked upstream in bug #1244 [3].

It was first noticed by due to minor issues with migration to postgres and problems with certain messages; a simple test with an unmodified installation of postgres and quassel showed that it was indeed possible to drop tables.

No upstream fix is available at this time, although the below patch does fix the current issue.

Regards,
Bas Pape (Tucos)

[1] https://qt.gitorious.org/qt/qtbase/commit/e3c5351d06ce8a12f035cd0627356bc64d8c334a
[2] https://bugreports.qt-project.org/browse/QTBUG-30076
[3] http://bugs.quassel-irc.org/issues/1244
the patch: https://github.com/quassel/quassel/commit/aa1008be162cb27da938cce93ba533f54d228869
Upstream has released 0.9.1 which contains the fix.
0.9.1 is already in tree. How about starting stabilization?
+ + 11 Oct 2013; Patrick Lauer <patrick@gentoo.org> +quassel-0.9.1.ebuild: + Bump +
Arches, please test and mark stable:
=net-irc/quassel-0.9.1
target KEYWORDS="amd64 ppc x86"
Acked by Patrick
amd64 stable
Added to existing GLSA request.
ppc stable
x86 stable
GLSA vote: no.
(In reply to Chris Reffett from comment #9)
> GLSA vote: no.
We already have a GLSA request from prior bug. This was added to it.
Affected versions dropped.
CVE-2013-4422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4422): SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used, allows remote attackers to execute arbitrary SQL commands via a \ (backslash) in a message.
This issue was resolved and addressed in GLSA 201311-03 at http://security.gentoo.org/glsa/glsa-201311-03.xml by GLSA coordinator Sean Amoss (ackle).
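
The report attributes the bug to a change in Qt's PostgreSQL driver together with the server's standard_conforming_strings setting, and the CVE text names the backslash as the trigger. The following added example (not code from Quassel, Qt or this thread) is a simplified Python model of that class of mismatch: it quotes a value the way a client might, then decodes the literal the way the server would under each setting. The function names and sample strings are hypothetical, and it does not reproduce Quassel's actual query path.

```python
"""Simplified model of client-side quoting vs. server-side literal parsing."""

def quote(value, double_backslash):
    """Client side: wrap value in a SQL string literal (hypothetical driver model)."""
    if double_backslash:
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "''") + "'"

def parse_literal(text, backslash_escapes):
    """Server side: decode the literal at text[0]; return (value, end) or None.

    backslash_escapes=False models standard_conforming_strings = on.
    Simplification: an escaped character decodes to itself (no \\n, \\t, ...).
    """
    out, i = [], 1
    while i < len(text):
        ch = text[i]
        if ch == "\\" and backslash_escapes and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        elif ch == "'" and text[i + 1:i + 2] == "'":
            out.append("'")
            i += 2
        elif ch == "'":
            return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    return None  # closing quote never found

def classify(value, double_backslash, backslash_escapes):
    """'ok', 'corrupted' (wrong data stored) or 'breakout' (literal boundary moved)."""
    literal = quote(value, double_backslash)
    parsed = parse_literal(literal, backslash_escapes)
    if parsed is None or parsed[1] != len(literal):
        return "breakout"
    return "ok" if parsed[0] == value else "corrupted"

if __name__ == "__main__":
    samples = ["hello", "C:\\", "a\\'b"]  # constructed message texts
    for doubles in (False, True):
        for escapes in (False, True):
            row = [classify(s, doubles, escapes) for s in samples]
            print(f"driver doubles \\: {doubles!s:5}  server escapes \\: {escapes!s:5}  {row}")
```

Only the two combinations where the client's backslash handling matches the server's setting classify every sample as "ok"; bound parameters sent separately from the query text avoid the dependency altogether.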