
Bug 487632 (CVE-2013-4422)

Summary: <net-irc/quassel-0.9.1: SQL injection (CVE-2013-4422)
Product: Gentoo Security Reporter: Mikle Kolyada (RETIRED) <zlogene>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-irc, patrick, proxy-maint, sputnick
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2013/q4/45
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-11 12:32:34 UTC
from ${URL}:

    Hi all,

    Please assign a CVE to the following issue: Quassel IRC is
    vulnerable to SQL injection on all current versions (0.9.0 being
    the latest at the time of writing), if used with Qt 4.8.5 (the
    vulnerability is caused by a change in its postgres driver[1,2]) 
    and PostgreSQL 8.2 or later with standard_conforming_strings
    enabled (which is the default in those versions). The vulnerability
    allows anyone to trick the core into executing SQL queries, which
    includes cascade deleting the entire database. It is tracked
    upstream in bug #1244 [3]. It was firstly noticed by due to minor
    issues with migration to postgres and problems with certain
    messages, a simple test with an unmodified installation of postgres
    and quassel showed that it was indeed possible to drop tables.

    No upstream fix is available at this time, although the below
    patch does fix the current issue.

    Regards, Bas Pape (Tucos)

    [1] https://qt.gitorious.org/qt/qtbase/commit/e3c5351d06ce8a12f035cd0627356bc64d8c334a
    [2] https://bugreports.qt-project.org/browse/QTBUG-30076
    [3] http://bugs.quassel-irc.org/issues/1244
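
The report above attributes the injection to a driver change combined with the server's standard_conforming_strings setting, and the CVE entry on this page names a backslash in a message as the trigger. As an added example (not code from Quassel, Qt or the report), this Python toy model checks every pairing of two hypothetical client quoting routines with both server modes; the function names and sample value are constructed, and the lexer is a simplification of PostgreSQL's.

```python
# Added example: toy model, not Quassel/Qt/PostgreSQL code. Sample values are constructed.

def quote_standard(value):
    """Client quoting that assumes backslash is an ordinary character."""
    return "'" + value.replace("'", "''") + "'"

def quote_doubling_backslashes(value):
    """Client quoting that assumes the server treats backslash as an escape."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def lex_literal(sql, standard_conforming_strings):
    """Read one '...' literal as the server would; return (decoded, trailing_text).
    Simplification: with the setting off, backslash + X decodes to X."""
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and not standard_conforming_strings and i + 1 < len(sql):
            out.append(sql[i + 1])          # backslash consumed the next character
            i += 2
        elif c == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")                 # doubled quote is one literal quote
            i += 2
        elif c == "'":
            return "".join(out), sql[i + 1:]  # closing quote: literal ends here
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated literal")

def classify(quote, standard_conforming_strings, value):
    """'ok', 'mangled' (stored value differs) or 'breakout' (literal boundary moved)."""
    try:
        decoded, trailing = lex_literal(quote(value), standard_conforming_strings)
    except ValueError:
        return "breakout"
    if trailing:
        return "breakout"
    return "ok" if decoded == value else "mangled"

def audit(value):
    """Result for every (client quoting, server mode) pairing."""
    return {(q.__name__, scs): classify(q, scs, value)
            for q in (quote_standard, quote_doubling_backslashes)
            for scs in (True, False)}

if __name__ == "__main__":
    for key, verdict in audit("a\\'b").items():  # constructed: a, backslash, quote, b
        print(key, verdict)
```

Only the pairings where client and server agree on what a backslash means come out `ok`. Passing values as bound parameters, rather than formatting them into SQL text, removes that dependency.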
Comment 2 Michael Palimaka (kensington) gentoo-dev 2013-10-13 12:53:19 UTC
Upstream has released 0.9.1 which contains the fix.
Comment 3 Johannes Huber (RETIRED) gentoo-dev 2013-10-13 14:05:26 UTC
0.9.1 is already in tree. How about starting stabilization?

+
+  11 Oct 2013; Patrick Lauer <patrick@gentoo.org> +quassel-0.9.1.ebuild:
+  Bump
+
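Review bot: the ChangeLog message on the `+  Bump` line gives no reason for adding quassel-0.9.1.ebuild. Since this bump is what brings the fix into the tree, the entry should reference bug 487632 (CVE-2013-4422) so the security relevance is visible from the log itself.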
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-13 14:15:12 UTC
Arches, please test and mark stable:

=net-irc/quassel-0.9.1

target KEYWORDS="amd64 ppc x86"

Acked by Patrick
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-13 14:39:41 UTC
amd64 stable
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-13 15:26:56 UTC
Added to existing GLSA request.
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-14 06:16:47 UTC
ppc stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-14 16:55:23 UTC
x86 stable
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-15 00:07:34 UTC
GLSA vote: no.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-15 10:30:02 UTC
(In reply to Chris Reffett from comment #9)
> GLSA vote: no.

We already have a GLSA request from a prior bug. This was added to it.
Comment 11 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-23 23:44:31 UTC
Affected versions dropped.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:15:26 UTC
CVE-2013-4422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4422):
  SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or
  later and PostgreSQL 8.2 or later are used, allows remote attackers to
  execute arbitrary SQL commands via a \ (backslash) in a message.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-11-07 01:53:43 UTC
This issue was resolved and addressed in
 GLSA 201311-03 at http://security.gentoo.org/glsa/glsa-201311-03.xml
by GLSA coordinator Sean Amoss (ackle).