
Bug 492782 (CVE-2013-6404)

Summary: <net-irc/quassel-0.9.2 : manipulated clients can access backlog of all users on a shared core (CVE-2013-6404)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: net-irc, patrick, proxy-maint, sputnick
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2013/11/28/2
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-11-28 11:15:33 UTC
From ${URL} :

Affected versions: all versions prior to 0.9.2 (released 2013-11-26)

Description:

A Quassel core (server daemon) supports being used by multiple users, who all 
have independent settings, backlog and so on. The backlog is stored in a 
database shared by all users on a Quassel core, tagged with a user ID. 
However, some SQL queries didn't check for the correct user ID being provided.

This has the undesired effect that the Quassel core can be tricked into 
providing the backlog for an IRC channel or query that does not belong to the 
user session requesting it. Doing this requires a manipulated client sending 
appropriately crafted requests to the core. This client also needs to be 
properly authenticated, i.e. to have supplied valid user credentials for one 
of the users on the core.

Credit for finding this issue goes to Andrew Hampe.

Fix [1] has been released in 0.9.2 [2].

This patch can be cleanly applied to any version starting from 0.6.0, and 
easily backported to even older versions by adapting the schema version 
number.

Thanks,
~ Manuel Nickschas (Sput)

[1] <https://github.com/quassel/quassel/commit/a1a24da>
[2] <http://quassel-irc.org/pub/quassel-0.9.2.tar.bz2>


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 17:16:00 UTC
CVE-2013-6404 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6404):
  Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly
  verify the user ID when accessing user backlogs, which allows remote
  authenticated users to read other users' backlogs via the bufferid in (1)
  16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3)
  16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
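
Added example (not part of the original bug report and not Quassel's code): the missing ownership check described in the advisory above, shown as an unscoped query beside a scoped one, plus a regression check that flags cross-user reads. The two-table schema, the sample rows and all function names are constructed assumptions, run here on in-memory SQLite.

```python
import sqlite3

# Simplified, constructed schema and data: NOT Quassel's real schema or queries.
SCHEMA = """
CREATE TABLE buffer  (bufferid INTEGER PRIMARY KEY, userid INTEGER NOT NULL, buffername TEXT);
CREATE TABLE backlog (messageid INTEGER PRIMARY KEY, bufferid INTEGER NOT NULL, message TEXT);
INSERT INTO buffer  VALUES (1, 100, '#alice-chan'), (2, 200, '#bob-chan');
INSERT INTO backlog VALUES (1, 1, 'alice: hello'), (2, 2, 'bob: private note');
"""

# Before: trusts the client-supplied buffer ID and never checks who owns it.
UNSCOPED = "SELECT message FROM backlog WHERE bufferid = :bufferid ORDER BY messageid"

# After: the join ties the buffer to the authenticated session's user ID.
SCOPED = """
SELECT b.message FROM backlog b
JOIN buffer buf ON buf.bufferid = b.bufferid
WHERE b.bufferid = :bufferid AND buf.userid = :userid
ORDER BY b.messageid
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def backlog_unscoped(db, session_userid, bufferid):
    # session_userid is available but unused: that is the bug class.
    rows = db.execute(UNSCOPED, {"bufferid": bufferid})
    return [r[0] for r in rows]

def backlog_scoped(db, session_userid, bufferid):
    # userid comes from the server-side session, never from the request.
    rows = db.execute(SCOPED, {"bufferid": bufferid, "userid": session_userid})
    return [r[0] for r in rows]

def audit_cross_user_reads(db, fetch):
    """Regression check: return (userid, bufferid) pairs where a user
    receives rows from a buffer owned by someone else."""
    owners = dict(db.execute("SELECT bufferid, userid FROM buffer"))
    users = sorted(set(owners.values()))
    return [(u, b) for u in users for b, owner in sorted(owners.items())
            if owner != u and fetch(db, u, b)]

if __name__ == "__main__":
    db = make_db()
    print("unscoped leaks:", audit_cross_user_reads(db, backlog_unscoped))
    print("scoped leaks:  ", audit_cross_user_reads(db, backlog_scoped))
```

The same audit loop can be pointed at any data-access function that takes a session user and an object ID, which makes it usable as a test for every query that reads per-user data.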
Comment 2 Sergey Popov gentoo-dev 2013-12-17 07:24:34 UTC
Arches, please test and mark stable =net-irc/quassel-0.9.2

Target keywords: amd64 ppc x86
Comment 3 Agostino Sarubbo gentoo-dev 2013-12-21 10:32:47 UTC
ppc stable
Comment 4 Johannes Huber (RETIRED) gentoo-dev 2013-12-22 16:48:19 UTC
x86 stable
Comment 5 Pacho Ramos gentoo-dev 2013-12-22 18:12:39 UTC
amd64 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-12-22 18:42:49 UTC
@maintainer(s), please cleanup.

@security, please vote.
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-22 18:55:21 UTC
GLSA vote: no.
Comment 8 Sergey Popov gentoo-dev 2013-12-23 12:38:29 UTC
+  23 Dec 2013; Sergey Popov <pinkbyte@gentoo.org> -quassel-0.9.1.ebuild:
+  Security cleanup, bug #492782

Thanks, folks

GLSA vote: no

Closing as noglsa