Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

The quassel package in wheezy is affected by CVE-2013-6404: clients can access backlogs belonging to other users. The security team has classified it as a minor security issue so I would like to fix it through a stable update.

See the attached debdiff that contains a backport of the upstream fix.

Cheers,
Felix
diff -Nru quassel-0.8.0/debian/changelog quassel-0.8.0/debian/changelog --- quassel-0.8.0/debian/changelog 2012-04-25 01:02:03.000000000 +0200 +++ quassel-0.8.0/debian/changelog 2014-03-09 13:42:01.000000000 +0100 @@ -1,3 +1,10 @@ +quassel (0.8.0-1+deb7u1) wheezy; urgency=medium + + * Fix CVE-2013-6404: clients can access backlogs belonging to other users + - Backport upstream commit in CVE-2013-6404.patch + + -- Felix Geyer <fge...@debian.org> Sun, 09 Mar 2014 13:41:50 +0100 + quassel (0.8.0-1) unstable; urgency=low * New upstream release diff -Nru quassel-0.8.0/debian/patches/CVE-2013-6404.patch quassel-0.8.0/debian/patches/CVE-2013-6404.patch --- quassel-0.8.0/debian/patches/CVE-2013-6404.patch 1970-01-01 01:00:00.000000000 +0100 +++ quassel-0.8.0/debian/patches/CVE-2013-6404.patch 2014-03-09 13:41:48.000000000 +0100 
@@ -0,0 +1,49 @@ +From a1a24daa615a4e0679546c8a7a673720d0dcc60f Mon Sep 17 00:00:00 2001 +From: Marcus Eggenberger <e...@quassel-irc.org> +Date: Sun, 24 Nov 2013 17:03:34 +0100 +Subject: [PATCH] Make sure that clients can't access buffers belonging to + other users + +A manipulated, but properly authenticated client was able to retrieve +the backlog of other users on the same core in some cases by providing +an appropriate BufferID to the storage engine. Note that proper +authentication was still required, so exploiting this requires +malicious users on your core. This commit fixes this issue by ensuring +that foreign BufferIDs are off-limits. +--- + src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql | 2 +- + src/core/SQL/PostgreSQL/16/update_network.sql | 3 ++- + src/core/SQL/SQLite/17/select_buffer_by_id.sql | 2 +- + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql +index 09f202e..cccfa7c 100644 +--- a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql ++++ b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql +@@ -1,3 +1,3 @@ + SELECT bufferid, networkid, buffertype, groupid, buffername + FROM buffer +-WHERE bufferid = :bufferid ++WHERE userid = :userid AND bufferid = :bufferid +diff --git a/src/core/SQL/PostgreSQL/16/update_network.sql b/src/core/SQL/PostgreSQL/16/update_network.sql +index a000f61..d2dea84 100644 +--- a/src/core/SQL/PostgreSQL/16/update_network.sql ++++ b/src/core/SQL/PostgreSQL/16/update_network.sql +@@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels, + usesasl = :usesasl, + saslaccount = :saslaccount, + saslpassword = :saslpassword +-WHERE networkid = :networkid ++WHERE userid = :userid AND networkid = :networkid ++ +diff --git a/src/core/SQL/SQLite/17/select_buffer_by_id.sql b/src/core/SQL/SQLite/17/select_buffer_by_id.sql +index 09f202e..6bd35f0 100644 +--- a/src/core/SQL/SQLite/17/select_buffer_by_id.sql ++++ 
b/src/core/SQL/SQLite/17/select_buffer_by_id.sql +@@ -1,3 +1,3 @@ + SELECT bufferid, networkid, buffertype, groupid, buffername + FROM buffer +-WHERE bufferid = :bufferid ++WHERE bufferid = :bufferid AND userid = :userid +-- +1.8.5.1 diff -Nru quassel-0.8.0/debian/patches/series quassel-0.8.0/debian/patches/series --- quassel-0.8.0/debian/patches/series 2012-04-25 00:18:37.000000000 +0200 +++ quassel-0.8.0/debian/patches/series 2014-03-09 13:41:48.000000000 +0100 @@ -1,2 +1,3 @@ 01_default_network_channel.patch +CVE-2013-6404.patch
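Review bot: In the PostgreSQL/16/select_buffer_by_id.sql hunk, the new `:userid` placeholder arrives through an SQL-only change; the diffstat lists just the three .sql files, so no caller is touched. Please confirm that the 0.8.0 code preparing this query already binds `:userid`, since otherwise the added predicate `WHERE userid = :userid AND bufferid = :bufferid` would be evaluated with an unbound parameter instead of acting as the intended ownership check. A short line in debian/changelog stating that the backport was checked against the 0.8.0 callers would help the release team.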
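Review bot: The update_network.sql hunk scopes the UPDATE to the owner only for PostgreSQL/16; the patch contains no matching change for a SQLite update_network.sql. Please check whether the SQLite variant of this query in 0.8.0 already filters on `userid`, and add the same predicate if it does not. This hunk also restricts a write path, while both the commit message and the changelog entry describe only backlog access, so the changelog could mention it. The trailing empty `+` line after the new WHERE clause is unneeded whitespace, though it is best left as-is if it matches the upstream commit byte for byte.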
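Review bot: In the SQLite/17/select_buffer_by_id.sql hunk, the predicate is written as `WHERE bufferid = :bufferid AND userid = :userid`, the reverse of the order used in the PostgreSQL hunk. That is harmless for the result but makes the two variants harder to compare at a glance; keep it if it mirrors upstream exactly. More importantly, the patch edits the numbered directories PostgreSQL/16 and SQLite/17 only, so please confirm these are the query sets the wheezy 0.8.0 build actually loads, and that no other numbered directory in the source tree carries an unscoped copy of select_buffer_by_id.sql that remains in use.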