Please assign a CVE to the following issue: Quassel IRC is
vulnerable to SQL injection on all current versions (0.9.0 being
the latest at the time of writing), if used with Qt 4.8.5 (the
vulnerability is caused by a change in its postgres driver[1,2])
and PostgreSQL 8.2 or later with standard_conforming_strings
enabled (which is the default in those versions). The vulnerability
allows anyone to trick the core into executing SQL queries, which
includes cascade deleting the entire database. It is tracked
upstream in bug #1244. It was first noticed by due to minor
issues with migration to postgres and problems with certain
messages; a simple test with an unmodified installation of postgres
and quassel showed that it was indeed possible to drop tables.
No upstream fix is available at this time, although the below
patch does fix the current issue.
Regards, Bas Pape (Tucos)
the patch: https://github.com/quassel/quassel/commit/aa1008be162cb27da938cce93ba533f54d228869
Upstream has released 0.9.1 which contains the fix.
0.9.1 is already in tree. How about starting stabilization?
+ 11 Oct 2013; Patrick Lauer <email@example.com> +quassel-0.9.1.ebuild:
Arches, please test and mark stable:
target KEYWORDS="amd64 ppc x86"
Acked by Patrick
Added to existing GLSA request.
GLSA vote: no.
(In reply to Chris Reffett from comment #9)
> GLSA vote: no.
We already have a GLSA request from a prior bug. This was added to it.
Affected versions dropped.
SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or
later and PostgreSQL 8.2 or later are used, allows remote attackers to
execute arbitrary SQL commands via a \ (backslash) in a message.
This issue was resolved and addressed in
GLSA 201311-03 at http://security.gentoo.org/glsa/glsa-201311-03.xml
by GLSA coordinator Sean Amoss (ackle).
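
Added illustration, not part of the original thread and not Quassel, Qt or PostgreSQL code: a simplified Python model of the bug class the report describes, where client-side string escaping and the server's standard_conforming_strings mode disagree about what a backslash means. The lexer, function names and sample message are constructed for this example.

```python
# Simplified model of PostgreSQL '...' literal parsing (assumption: with
# standard_conforming_strings off, a backslash just makes the next character
# literal; the real server also decodes sequences such as \n and \t).
def lex_literal(sql, scs_on):
    """Read one literal at the start of sql; return (value, remainder)."""
    if not sql.startswith("'"):
        raise ValueError("expected a string literal")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if sql[i + 1:i + 2] == "'":       # '' is an embedded quote in both modes
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # closing quote reached
        if c == "\\" and not scs_on and i + 1 < len(sql):
            out.append(sql[i + 1])            # backslash escape, legacy mode only
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated literal")

def quote_doubling(value):
    """Escaping that is correct when standard_conforming_strings is on."""
    return "'" + value.replace("'", "''") + "'"

def backslash_doubling(value):
    """Escaping that is correct when standard_conforming_strings is off."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def classify(value, escaper, scs_on):
    """'ok', 'corrupted' (wrong value stored) or 'breakout' (the literal ends
    somewhere other than where the client intended)."""
    try:
        parsed, rest = lex_literal(escaper(value), scs_on)
    except ValueError:
        return "breakout"
    if rest:
        return "breakout"
    return "ok" if parsed == value else "corrupted"

MESSAGE = "oops\\' tail"  # constructed sample: backslash, quote, trailing text

if __name__ == "__main__":
    for esc in (quote_doubling, backslash_doubling):
        for scs_on in (True, False):
            print(esc.__name__, "scs_on=%s" % scs_on, classify(MESSAGE, esc, scs_on))
```

Only the matching pairs come out as "ok". Binding values as server-side parameters instead of formatting them into the statement text removes the dependency on this setting altogether.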