Bug 544230 - <net-irc/quassel-0.12.2: DoS (CVE-2015-{2778,2779})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: CVE-2015-3427
Blocks: CVE-2014-8483
Reported: 2015-03-23 14:17 UTC by Agostino Sarubbo
Modified: 2015-06-30 19:59 UTC

See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2015-03-23 14:17:05 UTC
From ${URL} :

Dear all,

The following commit fixed a denial of service in quassel:
https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8

It allows a connected client to cause a core crash by sending a CTCP
request which would be too long and multibyte.

This is mitigated by the fact that it requires an authed user.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2015-03-30 05:53:07 UTC
*quassel-0.11.0-r1 (30 Mar 2015)

  30 Mar 2015; Ian Delaney <idella4@gentoo.org> +files/DOS-sec.patch,
  +quassel-0.11.0-r1.ebuild, -quassel-0.11.0.ebuild:
  revbump; add sec patch from bug #544230, rm affected version

Not touched this before. I see no reason why it should not be put up for fast track stabilising. Arches would be amd64 ppc x86, no idea why arm has been excluded. Perhaps one of the others can inform.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:51:12 UTC
CVE-2015-2779 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2779):
  Stack consumption vulnerability in the message splitting functionality in
  Quassel before 0.12-rc1 allows remote attackers to cause a denial of service
  (uncontrolled recursion) via a crafted message.

CVE-2015-2778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2778):
  Quassel before 0.12-rc1 uses an incorrect data-type size when splitting a
  message, which allows remote attackers to cause a denial of service (crash)
  via a long CTCP query containing only multibyte characters.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-06-16 03:20:58 UTC
Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2015-06-23 06:52:03 UTC
To my understanding these CVE-2015-{2778,2779} affect quassel:0.11.0 and previous versions. Stabilising of recently added quassel-0.12.2 ought to fix this for all sec issues of this bug. Cannot clean old versions before then.

Arch teams please proceed on arches amd64 ppc x86.
Comment 5 Agostino Sarubbo gentoo-dev 2015-06-23 06:56:12 UTC
(In reply to Ian Delaney from comment #4)
> To my understanding these CVE-2015-{2778,2779} affect quassel:0.11.0 and
> previous versions. Stabilising of recently added quassel-0.12.2 ought to fix
> this for all sec issues of this bug. Cannot clean old versions before then.
> 
> Arch teams please proceed on arches amd64 ppc x86.

The stabilization already happened in bug 547884.
Comment 6 Johannes Huber (RETIRED) gentoo-dev 2015-06-24 18:10:47 UTC
Thanks all. Cleanup done.

+
+  24 Jun 2015; Johannes Huber <johu@gentoo.org> -files/DOS-sec.patch,
+  -quassel-0.10.0-r1.ebuild, -quassel-0.11.1.ebuild:
+  Cleanup vulnerable versions, wrt bugs #547884, #544230.
+
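Review bot: the removal list in this entry names -files/DOS-sec.patch, -quassel-0.10.0-r1.ebuild and -quassel-0.11.1.ebuild, but not quassel-0.11.0-r1.ebuild, which comment 1 added together with that patch. If that revision is still in the tree it now references a deleted patch file and sits below 0.12.2, so confirm it was already removed or list it here as well.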
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-06-30 19:57:17 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-30 19:59:34 UTC
GLSA Vote: No