Bug 492782 (CVE-2013-6404) - <net-irc/quassel-0.9.2 : manipulated clients can access backlog of all users on a shared core (CVE-2013-6404)
Status: RESOLVED FIXED
Alias: CVE-2013-6404
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Reported: 2013-11-28 11:15 UTC by Agostino Sarubbo
Modified: 2013-12-23 12:38 UTC
Description Agostino Sarubbo gentoo-dev 2013-11-28 11:15:33 UTC
From ${URL} :

Affected versions: all versions prior to 0.9.2 (released 2013-11-26)

Description:

A Quassel core (server daemon) supports being used by multiple users, who all 
have independent settings, backlog and so on. The backlog is stored in a 
database shared by all users on a Quassel core, tagged with a user ID. 
However, some SQL queries didn't check for the correct user ID being provided.

This has the undesired effect that the Quassel core can be tricked into 
providing the backlog for an IRC channel or query that does not belong to the 
user session requesting it. Doing this requires a manipulated client sending 
appropriately crafted requests to the core. This client also needs to be 
properly authenticated, i.e. to have supplied valid user credentials for one 
of the users on the core.

Credit for finding this issue goes to Andrew Hampe.

Fix [1] has been released in 0.9.2 [2].

This patch can be cleanly applied to any version starting from 0.6.0, and 
easily backported to even older versions by adapting the schema version 
number.

Thanks,
~ Manuel Nickschas (Sput)

[1] <https://github.com/quassel/quassel/commit/a1a24da>
[2] <http://quassel-irc.org/pub/quassel-0.9.2.tar.bz2>


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
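
Added example, not part of the original report and not Quassel's own code: a minimal SQLite model of the flaw class described above, showing a backlog query keyed only on the client-supplied buffer ID next to one that also requires the buffer to belong to the authenticated session's user. The table names, column names, sample rows and helper functions are assumptions constructed for illustration.

```python
import sqlite3

# Constructed schema and rows: names are assumptions for illustration,
# not Quassel's actual schema.
SCHEMA = """
CREATE TABLE buffer  (bufferid INTEGER PRIMARY KEY, userid INTEGER NOT NULL, name TEXT);
CREATE TABLE backlog (messageid INTEGER PRIMARY KEY, bufferid INTEGER NOT NULL, message TEXT);
INSERT INTO buffer  VALUES (1, 100, '#alice-chan'), (2, 200, '#bob-chan');
INSERT INTO backlog VALUES (1, 1, 'alice: hello'), (2, 2, 'bob: private note');
"""

# Before: rows are selected by the client-supplied buffer ID alone.
UNSCOPED = "SELECT message FROM backlog WHERE bufferid = :bufferid ORDER BY messageid"

# After: the buffer must also belong to the user the session authenticated as.
SCOPED = """
SELECT b.message FROM backlog b
JOIN buffer f ON f.bufferid = b.bufferid
WHERE b.bufferid = :bufferid AND f.userid = :userid
ORDER BY b.messageid
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def request_backlog(db, session_userid, bufferid, scoped=True):
    """Serve a backlog request. session_userid is taken from the server-side
    session, never from the request; bufferid is client-controlled."""
    params = {"bufferid": bufferid, "userid": session_userid}
    rows = db.execute(SCOPED if scoped else UNSCOPED, params).fetchall()
    return [r[0] for r in rows]


def denied_foreign_access(db, session_userid, bufferid):
    """True when the buffer exists but is owned by another user.
    A request like this is worth logging on a shared core."""
    row = db.execute(
        "SELECT userid FROM buffer WHERE bufferid = ?", (bufferid,)
    ).fetchone()
    return row is not None and row[0] != session_userid
```
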
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 17:16:00 UTC
CVE-2013-6404 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6404):
  Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly
  verify the user ID when accessing user backlogs, which allows remote
  authenticated users to read other users' backlogs via the bufferid in (1)
  16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3)
  16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
Comment 2 Sergey Popov gentoo-dev 2013-12-17 07:24:34 UTC
Arches, please test and mark stable =net-irc/quassel-0.9.2

Target keywords: amd64 ppc x86
Comment 3 Agostino Sarubbo gentoo-dev 2013-12-21 10:32:47 UTC
ppc stable
Comment 4 Johannes Huber gentoo-dev 2013-12-22 16:48:19 UTC
x86 stable
Comment 5 Pacho Ramos gentoo-dev 2013-12-22 18:12:39 UTC
amd64 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-12-22 18:42:49 UTC
@maintainer(s), please cleanup.

@security, please vote.
Comment 7 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-22 18:55:21 UTC
GLSA vote: no.
Comment 8 Sergey Popov gentoo-dev 2013-12-23 12:38:29 UTC
+  23 Dec 2013; Sergey Popov <pinkbyte@gentoo.org> -quassel-0.9.1.ebuild:
+  Security cleanup, bug #492782

Thanks, folks

GLSA vote: no

Closing as noglsa