Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 487632 (CVE-2013-4422) - <net-irc/quassel-0.9.1: SQL injection (CVE-2013-4422)
Summary: <net-irc/quassel-0.9.1: SQL injection (CVE-2013-4422)
Status: RESOLVED FIXED
Alias: CVE-2013-4422
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2013/q4/45
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-11 12:32 UTC by Mikle Kolyada
Modified: 2013-11-07 01:53 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-11 12:32:34 UTC
from ${URL}:

    Hi all,

    Please assign a CVE to the following issue: Quassel IRC is
    vulnerable to SQL injection on all current versions (0.9.0 being
    the latest at the time of writing), if used with Qt 4.8.5 (the
    vulnerability is caused by a change in its postgres driver[1,2]) 
    and PostgreSQL 8.2 or later with standard_conforming_strings
    enabled (which is the default in those versions). The vulnerability
    allows anyone to trick the core into executing SQL queries, which
    includes cascade deleting the entire database. It is tracked
    upstream in bug #1244 [3]. It was firstly noticed by due to minor
    issues with migration to postgres and problems with certain
    messages, a simple test with an unmodified installation of postgres
    and quassel showed that it was indeed possible to drop tables.

    No upstream fix is available at this time, although the below
    patch does fix the current issue.

    Regards, Bas Pape (Tucos)

    [1]
    https://qt.gitorious.org/qt/qtbase/commit/e3c5351d06ce8a12f035cd0627356bc64d8c334a


[2] https://bugreports.qt-project.org/browse/QTBUG-30076

    [3] http://bugs.quassel-irc.org/issues/1244
Comment 2 Michael Palimaka (kensington) gentoo-dev 2013-10-13 12:53:19 UTC
Upstream has released 0.9.1 which contains the fix.
Comment 3 Johannes Huber gentoo-dev 2013-10-13 14:05:26 UTC
0.9.1 is already in tree. How about to start stabilization?

+
+  11 Oct 2013; Patrick Lauer <patrick@gentoo.org> +quassel-0.9.1.ebuild:
+  Bump
+
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-13 14:15:12 UTC
Arches, please test and mark stable:

=net-irc/quassel-0.9.1

target KEYWORDS="amd64 ppc x86"

Acked by Patrick
Comment 5 Agostino Sarubbo gentoo-dev 2013-10-13 14:39:41 UTC
amd64 stable
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-13 15:26:56 UTC
Added to existing GLSA request.
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-14 06:16:47 UTC
ppc stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-14 16:55:23 UTC
x86 stable
Comment 9 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-15 00:07:34 UTC
GLSA vote: no.
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-15 10:30:02 UTC
(In reply to Chris Reffett from comment #9)
> GLSA vote: no.

We already have a GLSA request from prior bug. This was added to it.
Comment 11 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-23 23:44:31 UTC
Affected versions dropped.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:15:26 UTC
CVE-2013-4422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4422):
  SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or
  later and PostgreSQL 8.2 or later are used, allows remote attackers to
  execute arbitrary SQL commands via a \ (backslash) in a message.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-11-07 01:53:43 UTC
This issue was resolved and addressed in
 GLSA 201311-03 at http://security.gentoo.org/glsa/glsa-201311-03.xml
by GLSA coordinator Sean Amoss (ackle).