Bug 568150 (CVE-2015-8547) - <net-irc/quassel-0.12.2-r3: Remote DoS (CVE-2015-8547)
Status: RESOLVED FIXED
Alias: CVE-2015-8547
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 558660
Blocks:
Reported: 2015-12-13 12:41 UTC by Manuel Rüger (RETIRED)
Modified: 2016-06-21 09:39 UTC

Description Manuel Rüger (RETIRED) gentoo-dev 2015-12-13 12:41:13 UTC
It was discovered and fixed [1] in Quassel, a DoS remotely triggerable
by any client on a Quassel core.

Any client sending the command "/op *" in a query will cause the Quassel
core to crash. I was able to reproduce it with Quassel 0.10.0.

No release has this fix in yet.

[1]: https://github.com/quassel/quassel/commit/b8edbda019eeb99da8663193e224efc9d1265dc7
Comment 1 Johannes Huber (RETIRED) gentoo-dev 2016-01-09 15:59:19 UTC
Revision bump with patch in tree. 

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=482f523317639f94b7ef195d2d105699e5966d48
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2016-02-06 16:00:02 UTC
@maintainer: please initiate a stable req
Comment 3 Richard Freeman gentoo-dev 2016-02-10 23:20:28 UTC
RepoMan scours the neighborhood...
  dependency.missingslot        8
   net-irc/quassel/quassel-0.12.2.ebuild: RDEPEND: 'kde-frameworks/oxygen-icons' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   net-irc/quassel/quassel-0.12.2.ebuild: RDEPEND: 'kde-frameworks/oxygen-icons' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   net-irc/quassel/quassel-0.12.2-r3.ebuild: RDEPEND: 'kde-frameworks/oxygen-icons' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   net-irc/quassel/quassel-0.12.2-r3.ebuild: RDEPEND: 'kde-frameworks/oxygen-icons' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   net-irc/quassel/quassel-0.12.3.ebuild: RDEPEND: 'kde-frameworks/oxygen-icons' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   net-irc/quassel/quassel-0.12.3.ebuild: RDEPEND: 'kde-frameworks/oxygen-icons' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   net-irc/quassel/quassel-9999.ebuild: RDEPEND: 'kde-frameworks/oxygen-icons' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
   net-irc/quassel/quassel-9999.ebuild: RDEPEND: 'kde-frameworks/oxygen-icons' matches more than one slot, please specify an explicit slot and/or use the := or :* slot operator
Comment 4 Agostino Sarubbo gentoo-dev 2016-02-11 12:28:44 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-03-15 16:41:32 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-27 10:22:12 UTC
ppc stable.

Maintainer(s), please cleanup.
Comment 7 Johannes Huber (RETIRED) gentoo-dev 2016-03-27 16:46:55 UTC
Thanks all. Cleanup done, remove maintainer from cc.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b081e13464ea0f48df445ccb364344b5b4bc62e3
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-03-28 10:21:43 UTC
CVE-2015-8547 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8547):
  The CoreUserInputHandler::doMode function in core/coreuserinputhandler.cpp
  in Quassel 0.10.0 allows remote attackers to cause a denial of service
  (application crash) via the "/op *" command in a query.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-06-21 09:39:41 UTC
GLSA Vote: No