Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 547884 (CVE-2015-3427) - <net-irc/quassel-0.12.2: incomplete fix for CVE-2013-4422 (CVE-2015-3427)
Summary: <net-irc/quassel-0.12.2: incomplete fix for CVE-2013-4422 (CVE-2015-3427)
Status: RESOLVED FIXED
Alias: CVE-2015-3427
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks: 544230
  Show dependency tree
 
Reported: 2015-04-27 09:26 UTC by Agostino Sarubbo
Modified: 2015-06-30 19:59 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-04-27 09:26:04 UTC
From ${URL} :


It's been found that in Quassel, the CVE-2013-4422 was incorrectly
fixed and that core was still vulnerable to SQL injection on reconnection.

This has been fixed with commit:
https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283

The incomplete bugfix had been released with Quassel 0.9.1:
http://quassel-irc.org/node/120



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Patrick Lauer gentoo-dev 2015-04-27 09:34:00 UTC
Lowest version we have left is 0.10, are you sure about the versions?

If you actually meant 0.11.1 / 0.12.2 then these versions are in-tree and would need to be stabled. I'd recommend 0.12.2 only and dropping all older.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:19:49 UTC
CVE-2015-3427 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3427):
  Quassel before 0.12.2 does not properly re-initialize the database session
  when the PostgreSQL database is restarted, which allows remote attackers to
  conduct SQL injection attacks via a \ (backslash) in a message.  NOTE: this
  vulnerability exists because of an incomplete fix for CVE-2013-4422.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-06-16 03:53:49 UTC
Yes you are correct here is the blurb from the upstream blog:
______________________________
 Unfortunately, this fix also uncovered a more serious issue that has been around for a long time: restarting a PostgreSQL database while Quassel Core is running would not properly re-initialize the database session inside Quassel, bringing back an old security issue that we had deemed fixed. This forced us to create yet another release, so that's why we are now at version 0.12.2. The new issue is being tracked as CVE-2015-3427. Thanks to Pierre Schweitzer for registering this!

http://quassel-irc.org
______________________________

We need to stabilize 0.12.2 when ready.

Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2015-06-22 08:14:02 UTC
Yes arch teams please proceed

Arches:  amd64 arm ppc x86
Comment 5 Agostino Sarubbo gentoo-dev 2015-06-22 08:21:57 UTC
amd64 stable
Comment 6 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-06-22 11:37:11 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-24 07:56:37 UTC
ppc stable
Comment 8 Johannes Huber gentoo-dev 2015-06-24 18:10:11 UTC
Thanks all. Cleanup done.

+
+  24 Jun 2015; Johannes Huber <johu@gentoo.org> -files/DOS-sec.patch,
+  -quassel-0.10.0-r1.ebuild, -quassel-0.11.1.ebuild:
+  Cleanup vulnerable versions, wrt bugs #547884, #544230.
+
Comment 9 Markus Meier gentoo-dev 2015-06-28 14:38:37 UTC
removing arm (no stable keywords)
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2015-06-30 19:56:09 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 11 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-30 19:59:13 UTC
GLSA Vote: No