Incoming details.
Hook was not able to write the comment, so I do it for him. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0a071f5a9927a03d91b853610dbbe3c7e767d73
Vuln 1: Title: quasselcore, corruption of heap metadata caused by qdatastream leading to preauth remote code execution. Severity: high, by default the server port is publicly open and the address can be requested using the /WHOIS command of IRC protocol. Description: In Qdatastream protocol each object are prepended with 4 bytes for the object size, this can be used to trigger allocation errors. Vuln 2: Title: quasselcore DDOS Severity: low, impact only a quasselcore not configured. Description: A login attempt causes a NULL pointer dereference because when the database is not initialized.
Arches please stabilize =net-irc/quassel-0.12.5. Thanks in advance.
x86 stable
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c51c9698d0be17a51301c20bc0039583eab5925 commit 8c51c9698d0be17a51301c20bc0039583eab5925 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2018-04-25 00:52:44 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2018-04-25 00:54:11 +0000 net-irc/quassel: amd64 stable wrt bug #653834 Bug: https://bugs.gentoo.org/653834 Package-Manager: Portage-2.3.31, Repoman-2.3.9 net-irc/quassel/quassel-0.12.5.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)}
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fd2de0126ae33ffa81d6957c41493a490436469 commit 2fd2de0126ae33ffa81d6957c41493a490436469 Author: Johannes Huber <johu@gentoo.org> AuthorDate: 2018-04-25 05:08:44 +0000 Commit: Johannes Huber <johu@gentoo.org> CommitDate: 2018-04-25 05:08:44 +0000 net-irc/quassel: Remove 0.12.4-r1 Bug: https://bugs.gentoo.org/653834 Package-Manager: Portage-2.3.31, Repoman-2.3.9 net-irc/quassel/Manifest | 1 - net-irc/quassel/quassel-0.12.4-r1.ebuild | 182 ------------------------------- 2 files changed, 183 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e59eb971d6c83343ba5c3173ae48bb11acc5aa3 commit 7e59eb971d6c83343ba5c3173ae48bb11acc5aa3 Author: Johannes Huber <johu@gentoo.org> AuthorDate: 2018-04-25 05:07:29 +0000 Commit: Johannes Huber <johu@gentoo.org> CommitDate: 2018-04-25 05:07:29 +0000 net-irc/quassel: Remove 0.12.4 (r0) Bug: https://bugs.gentoo.org/603414 Bug: https://bugs.gentoo.org/653834 Package-Manager: Portage-2.3.31, Repoman-2.3.9 net-irc/quassel/files/quasselcore.conf | 21 ---- net-irc/quassel/files/quasselcore.init | 62 ------------ net-irc/quassel/quassel-0.12.4.ebuild | 173 --------------------------------- 3 files changed, 256 deletions(-)}
Cleanup done.
This issue was resolved and addressed in GLSA 201806-04 at https://security.gentoo.org/glsa/201806-04 by GLSA coordinator Aaron Bauman (b-man).