| Summary: | <net-irc/quassel-0.12.2: incomplete fix for CVE-2013-4422 (CVE-2015-3427) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | johu, net-irc, patrick, proxy-maint, sputnick |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2015/04/27/2 | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 544230 | ||
Lowest version we have left is 0.10, are you sure about the versions? If you actually meant 0.11.1 / 0.12.2 then these versions are in-tree and would need to be stabled. I'd recommend 0.12.2 only and dropping all older. CVE-2015-3427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3427): Quassel before 0.12.2 does not properly re-initialize the database session when the PostgreSQL database is restarted, which allows remote attackers to conduct SQL injection attacks via a \ (backslash) in a message. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4422. Yes you are correct here is the blurb from the upstream blog: ______________________________ Unfortunately, this fix also uncovered a more serious issue that has been around for a long time: restarting a PostgreSQL database while Quassel Core is running would not properly re-initialize the database session inside Quassel, bringing back an old security issue that we had deemed fixed. This forced us to create yet another release, so that's why we are now at version 0.12.2. The new issue is being tracked as CVE-2015-3427. Thanks to Pierre Schweitzer for registering this! http://quassel-irc.org ______________________________ We need to stabilize 0.12.2 when ready. Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself. Yes arch teams please proceed Arches: amd64 arm ppc x86 amd64 stable x86 stable ppc stable Thanks all. Cleanup done. + + 24 Jun 2015; Johannes Huber <johu@gentoo.org> -files/DOS-sec.patch, + -quassel-0.10.0-r1.ebuild, -quassel-0.11.1.ebuild: + Cleanup vulnerable versions, wrt bugs #547884, #544230. + removing arm (no stable keywords) Arches and Maintainer(s), Thank you for your work. GLSA Vote: No GLSA Vote: No |
From ${URL} : It's been found that in Quassel, the CVE-2013-4422 was incorrectly fixed and that core was still vulnerable to SQL injection on reconnection. This has been fixed with commit: https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283 The incomplete bugfix had been released with Quassel 0.9.1: http://quassel-irc.org/node/120 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.