Summary: | <net-irc/quassel-0.12.2: DoS (CVE-2015-{2778,2779}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | johu, net-irc, patrick, proxy-maint, slawomir.nizio, sputnick |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2015/03/20/12 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 547884 | ||
Bug Blocks: | 527090 |
Description
Agostino Sarubbo
2015-03-23 14:17:05 UTC
*quassel-0.11.0-r1 (30 Mar 2015) 30 Mar 2015; Ian Delaney <idella4@gentoo.org> +files/DOS-sec.patch, +quassel-0.11.0-r1.ebuild, -quassel-0.11.0.ebuild: revbump; add sec patch from bug #544230, rm affected version Not touched this before. I see no reason why it should not be put up for fast track stablising. Arches would be amd64 ppc x86, no idea why arm has been excluded. Perhaps one of the others can inform. CVE-2015-2779 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2779): Stack consumption vulnerability in the message splitting functionality in Quassel before 0.12-rc1 allows remote attackers to cause a denial of service (uncontrolled recursion) via a crafted massage. CVE-2015-2778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2778): Quassel before 0.12-rc1 uses an incorrect data-type size when splitting a message, which allows remote attackers to cause a denial of service (crash) via a long CTCP query containing only multibyte characters. Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself. To my understanding these CVE-2015-{2778,2779} effect quassel:0.11.0 and previous versions. Stabilising of recently added quassel-0.12.2 ought fix this for all sec issues of this bug. Cannot clean old versions before then. Arch teams please proceed on arches amd64 ppc x86. (In reply to Ian Delaney from comment #4) > To my understanding these CVE-2015-{2778,2779} effect quassel:0.11.0 and > previous versions. Stabilising of recently added quassel-0.12.2 ought fix > this for all sec issues of this bug. Cannot clean old versions before then. > > Arch teams please proceed on arches amd64 ppc x86. the stabilization is already happen in bug 547884 Thanks all. Cleanup done. + + 24 Jun 2015; Johannes Huber <johu@gentoo.org> -files/DOS-sec.patch, + -quassel-0.10.0-r1.ebuild, -quassel-0.11.1.ebuild: + Cleanup vulnerable versions, wrt bugs #547884, #544230. + Arches and Maintainer(s), Thank you for your work. GLSA Vote: No GLSA Vote: No |