From ${URL} :
Dear all,
The following commit fixed a denial of service in quassel:
https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8
It allows a connected client to cause a core crash by sending a CTCP request which would be too long and multibyte. This is mitigated by the fact that it requires an authed user.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
*quassel-0.11.0-r1 (30 Mar 2015)
  30 Mar 2015; Ian Delaney <idella4@gentoo.org> +files/DOS-sec.patch,
  +quassel-0.11.0-r1.ebuild, -quassel-0.11.0.ebuild:
  revbump; add sec patch from bug #544230, rm affected version
Not touched this before. I see no reason why it should not be put up for fast track stabilising. Arches would be amd64 ppc x86, no idea why arm has been excluded. Perhaps one of the others can inform.
CVE-2015-2779 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2779): Stack consumption vulnerability in the message splitting functionality in Quassel before 0.12-rc1 allows remote attackers to cause a denial of service (uncontrolled recursion) via a crafted message.
CVE-2015-2778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2778): Quassel before 0.12-rc1 uses an incorrect data-type size when splitting a message, which allows remote attackers to cause a denial of service (crash) via a long CTCP query containing only multibyte characters.
Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.
To my understanding these CVE-2015-{2778,2779} affect quassel:0.11.0 and previous versions. Stabilising of recently added quassel-0.12.2 ought to fix this for all sec issues of this bug. Cannot clean old versions before then.
Arch teams please proceed on arches amd64 ppc x86.
(In reply to Ian Delaney from comment #4)
> To my understanding these CVE-2015-{2778,2779} affect quassel:0.11.0 and
> previous versions. Stabilising of recently added quassel-0.12.2 ought to fix
> this for all sec issues of this bug. Cannot clean old versions before then.
>
> Arch teams please proceed on arches amd64 ppc x86.
The stabilization has already happened in bug 547884.
Thanks all. Cleanup done. + + 24 Jun 2015; Johannes Huber <johu@gentoo.org> -files/DOS-sec.patch, + -quassel-0.10.0-r1.ebuild, -quassel-0.11.1.ebuild: + Cleanup vulnerable versions, wrt bugs #547884, #544230. +
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
GLSA Vote: No