Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 547884 (CVE-2015-3427)

Summary: <net-irc/quassel-0.12.2: incomplete fix for CVE-2013-4422 (CVE-2015-3427)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: johu, net-irc, patrick, proxy-maint, sputnick
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 544230    

Description Agostino Sarubbo gentoo-dev 2015-04-27 09:26:04 UTC
From ${URL} :

It's been found that in Quassel, the CVE-2013-4422 was incorrectly
fixed and that core was still vulnerable to SQL injection on reconnection.

This has been fixed with commit:

The incomplete bugfix had been released with Quassel 0.9.1:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Patrick Lauer gentoo-dev 2015-04-27 09:34:00 UTC
Lowest version we have left is 0.10, are you sure about the versions?

If you actually meant 0.11.1 / 0.12.2 then these versions are in-tree and would need to be stabled. I'd recommend 0.12.2 only and dropping all older.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:19:49 UTC
CVE-2015-3427 (
  Quassel before 0.12.2 does not properly re-initialize the database session
  when the PostgreSQL database is restarted, which allows remote attackers to
  conduct SQL injection attacks via a \ (backslash) in a message.  NOTE: this
  vulnerability exists because of an incomplete fix for CVE-2013-4422.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-06-16 03:53:49 UTC
Yes you are correct here is the blurb from the upstream blog:
 Unfortunately, this fix also uncovered a more serious issue that has been around for a long time: restarting a PostgreSQL database while Quassel Core is running would not properly re-initialize the database session inside Quassel, bringing back an old security issue that we had deemed fixed. This forced us to create yet another release, so that's why we are now at version 0.12.2. The new issue is being tracked as CVE-2015-3427. Thanks to Pierre Schweitzer for registering this!

We need to stabilize 0.12.2 when ready.

Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2015-06-22 08:14:02 UTC
Yes arch teams please proceed

Arches:  amd64 arm ppc x86
Comment 5 Agostino Sarubbo gentoo-dev 2015-06-22 08:21:57 UTC
amd64 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-06-22 11:37:11 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-24 07:56:37 UTC
ppc stable
Comment 8 Johannes Huber (RETIRED) gentoo-dev 2015-06-24 18:10:11 UTC
Thanks all. Cleanup done.

+  24 Jun 2015; Johannes Huber <> -files/DOS-sec.patch,
+  -quassel-0.10.0-r1.ebuild, -quassel-0.11.1.ebuild:
+  Cleanup vulnerable versions, wrt bugs #547884, #544230.
Comment 9 Markus Meier gentoo-dev 2015-06-28 14:38:37 UTC
removing arm (no stable keywords)
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-06-30 19:56:09 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-30 19:59:13 UTC
GLSA Vote: No