Control: tags 783926 + pending

Dear maintainer,
I've prepared an NMU for quassel (versioned as 1:0.10.0-2.4) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Felix
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog 2015-04-01 00:44:18.000000000 +0200
+++ quassel-0.10.0/debian/changelog 2015-05-05 16:53:47.000000000 +0200
@@ -1,3 +1,13 @@
+quassel (1:0.10.0-2.4) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2015-3427: SQL injection vulnerability in PostgreSQL backend.
+ (Closes: #783926)
+ - Add debian/patches/CVE-2015-3427.patch, cherry-picked from upstream.
+ - The original issue was CVE-2013-4422 which had an incomplete fix.
+
+ -- Felix Geyer <fge...@debian.org> Tue, 05 May 2015 16:48:57 +0200
+
 quassel (1:0.10.0-2.3) unstable; urgency=high
 * Non-maintainer upload with maintainer's permission.
diff -Nru quassel-0.10.0/debian/patches/CVE-2015-3427.patch quassel-0.10.0/debian/patches/CVE-2015-3427.patch
--- quassel-0.10.0/debian/patches/CVE-2015-3427.patch 1970-01-01 01:00:00.000000000 +0100
+++ quassel-0.10.0/debian/patches/CVE-2015-3427.patch 2015-05-05 16:48:42.000000000 +0200
@@ -0,0 +1,68 @@
+From 6605882f41331c80f7ac3a6992650a702ec71283 Mon Sep 17 00:00:00 2001
+From: Michael Marley <mich...@michaelmarley.com>
+Date: Thu, 23 Apr 2015 08:46:43 -0400
+Subject: [PATCH] Execute initDbSession() on DB reconnects
+
+Previously, the initDbSession() function would only be run on the
+initial connect. Since the initDbSession() code in PostgreSQL is
+used to fix the CVE-2013-4422 SQL Injection bug, this means that
+Quassel was still vulnerable to that CVE if the PostgreSQL server
+is restarted or the connection is lost at any point while Quassel
+is running.
+
+This bug also causes the Qt5 psql timezone fix to stop working
+after a reconnect.
+
+The fix is to disable Qt's automatic reconnecting, check the
+connection status ourselves, and reconnect if necessary, executing
+the initDbSession() function afterward.
+---
+ src/core/abstractsqlstorage.cpp | 15 ++++++++++++++-
+ src/core/abstractsqlstorage.h | 1 +
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/abstractsqlstorage.cpp b/src/core/abstractsqlstorage.cpp
+index cb07454..dce39cb 100644
+--- a/src/core/abstractsqlstorage.cpp
++++ b/src/core/abstractsqlstorage.cpp
+@@ -53,7 +53,14 @@ QSqlDatabase AbstractSqlStorage::logDb()
+ if (!_connectionPool.contains(QThread::currentThread()))
+ addConnectionToPool();
+
+- return QSqlDatabase::database(_connectionPool[QThread::currentThread()]->name());
++ QSqlDatabase db = QSqlDatabase::database(_connectionPool[QThread::currentThread()]->name(),false);
++
++ if (!db.isOpen()) {
++ qWarning() << "Database connection" << displayName() << "for thread" << QThread::currentThread() << "was lost, attempting to reconnect...";
++ dbConnect(db);
++ }
++
++ return db;
+ }
+
+
+@@ -90,6 +97,12 @@ void AbstractSqlStorage::addConnectionToPool()
+ db.setPassword(password());
+ }
+
++ dbConnect(db);
++}
++
++
++void AbstractSqlStorage::dbConnect(QSqlDatabase &db)
++{
+ if (!db.open()) {
+ quWarning() << "Unable to open database" <<
displayName() << "for thread" << QThread::currentThread();
+ quWarning() << "-" << db.lastError().text();
+diff --git a/src/core/abstractsqlstorage.h b/src/core/abstractsqlstorage.h
+index 90a8aa9..c39e826 100644
+--- a/src/core/abstractsqlstorage.h
++++ b/src/core/abstractsqlstorage.h
+@@ -87,6 +87,7 @@ private slots:
+
+ private:
+ void addConnectionToPool();
++ void dbConnect(QSqlDatabase &db);
+
+ int _schemaVersion;
+ bool _debug;
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series 2015-04-01 00:37:31.000000000 +0200
+++ quassel-0.10.0/debian/patches/series 2015-05-05 16:48:55.000000000 +0200
@@ -1,3 +1,4 @@
 01_default_network_channel.patch
 CVE-2014-8483.patch
 CVE-2015-2778.patch
+CVE-2015-3427.patch
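Review bot: logDb() discards the outcome of the reconnect it triggers — `dbConnect(db)` returns void and `return db;` follows unconditionally, so when `db.open()` fails the caller receives a closed handle and only finds out when its next query errors; I would have dbConnect return `bool` (`bool dbConnect(QSqlDatabase &db);` in the header, `return false;` in its `if (!db.open())` branch) and report the failure in logDb() with `if (!dbConnect(db)) quWarning() << "Reconnect of database connection" << displayName() << "failed";`. The new warning in logDb() uses `qWarning()` while the surrounding code in the same file uses `quWarning()` (visible two context lines later in the second hunk); the project wrapper should be used for consistency. The second argument on the new `QSqlDatabase::database(..., false)` line is the part that actually disables Qt's silent reopen and deserves a comment, e.g. `// open=false: never let Qt reopen a dropped connection behind our back; the reopen must go through dbConnect() so initDbSession() runs (CVE-2013-4422)`. Note also that `db.isOpen()` presumably reflects the driver's last-known state rather than probing the server, so the first query after a server restart is still expected to fail and the reconnect only happens on the following logDb() call — callers should not treat a returned handle as guaranteed usable. The body of dbConnect() continues beyond the hunk, so the initDbSession() call that this patch exists to re-run after a reopen is not visible here and I could not verify it.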