Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Dear all,
A security issue was found in quassel-core (CVE-2015-8547), allowing an
authenticated remote client to cause a denial of service.
Given the fact that Quassel isn't widely used in the client/server model
nowadays, the Debian Security Team has asked the issue to be fixed with the
next Jessie point release.
You'll find attached the dsc and the debdiff for the proposed upload against
Jessie.
Cheers
-- System Information:
Debian Release: 8.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog 2015-05-10 16:41:35.000000000 +0200
+++ quassel-0.10.0/debian/changelog 2015-12-28 00:02:39.000000000 +0100
@@ -1,3 +1,12 @@
+quassel (1:0.10.0-2.3+deb8u2) jessie; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2015-8547: remote DoS in quassel core, using /op * command.
+ (Closes: #807801)
+ - Add debian/patches/CVE-2015-8547.patch, cherry-picked from upstream.
+
+ -- Pierre Schweitzer <pie...@reactos.org> Sun, 13 Dec 2015 11:04:05 +0100
+
quassel (1:0.10.0-2.3+deb8u1) jessie-security; urgency=high
* Fix CVE-2015-3427: SQL injection vulnerability in PostgreSQL backend.
diff -Nru quassel-0.10.0/debian/patches/CVE-2015-8547.patch quassel-0.10.0/debian/patches/CVE-2015-8547.patch
--- quassel-0.10.0/debian/patches/CVE-2015-8547.patch 1970-01-01 01:00:00.000000000 +0100
+++ quassel-0.10.0/debian/patches/CVE-2015-8547.patch 2015-12-28 00:02:13.000000000 +0100
@@ -0,0 +1,22 @@
+From 476aaa050f26d6a31494631d172724409e4c569b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Konstantin=20Bl=C3=A4si?= <kbla...@gmail.com>
+Date: Wed, 21 Oct 2015 03:26:02 +0200
+Subject: [PATCH] Fixes a crash of the core when executing "/op *" in a query.
+
+---
+ src/core/coreuserinputhandler.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/coreuserinputhandler.cpp b/src/core/coreuserinputhandler.cpp
+index 7887a92..73aac48 100644
+--- a/src/core/coreuserinputhandler.cpp
++++ b/src/core/coreuserinputhandler.cpp
+@@ -232,7 +232,7 @@ void CoreUserInputHandler::doMode(const BufferInfo &bufferInfo, const QChar& add
+ if (!isNumber || maxModes == 0) maxModes = 1;
+
+ QStringList nickList;
+- if (nicks == "*") { // All users in channel
++ if (nicks == "*" && bufferInfo.type() == BufferInfo::ChannelBuffer) { // All users in channel
+ const QList<IrcUser*> users = network()->ircChannel(bufferInfo.bufferName())->ircUsers();
+ foreach(IrcUser *user, users) {
+ if ((addOrRemove == '+' && !network()->ircChannel(bufferInfo.bufferName())->userModes(user).contains(mode))
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series 2015-05-05 16:48:55.000000000 +0200
+++ quassel-0.10.0/debian/patches/series 2015-12-28 00:02:13.000000000 +0100
@@ -2,3 +2,4 @@
CVE-2014-8483.patch
CVE-2015-2778.patch
CVE-2015-3427.patch
+CVE-2015-8547.patch
Format: 3.0 (quilt)
Source: quassel
Binary: quassel-core, quassel-client, quassel, quassel-data,
quassel-client-kde4, quassel-kde4, quassel-data-kde4
Architecture: any all
Version: 1:0.10.0-2.3+deb8u2
Maintainer: Thomas Mueller <thomas.muel...@tmit.eu>
Homepage: http://www.quassel-irc.org
Standards-Version: 3.9.5
Build-Depends: debhelper (>= 9.20120417), libqt4-dev, cmake,
libfontconfig1-dev, libfreetype6-dev, libpng-dev, libsm-dev, libice-dev,
libxi-dev, libxrandr-dev, libxrender-dev, zlib1g-dev, libssl-dev,
libdbus-1-dev, pkg-kde-tools, kdelibs5-dev, libqca2-dev, qt4-dev-tools,
libqtwebkit-dev, libindicate-qt-dev, libdbusmenu-qt-dev
Package-List:
quassel deb net optional arch=any
quassel-client deb net optional arch=any
quassel-client-kde4 deb net optional arch=any
quassel-core deb net optional arch=any
quassel-data deb net optional arch=all
quassel-data-kde4 deb net optional arch=all
quassel-kde4 deb net optional arch=any
Checksums-Sha1:
305d56774b1af2a891775a5637174d9048d875a7 2873233 quassel_0.10.0.orig.tar.bz2
40abd40ac178fdd7ce9d80e5cff83c887b12bb62 23128
quassel_0.10.0-2.3+deb8u2.debian.tar.xz
Checksums-Sha256:
68228ce23aa3a992add3d00cb1e8b4863d8ca64bea99c881edf6d16ff9ec7c23 2873233
quassel_0.10.0.orig.tar.bz2
99ea16063c487057409aeed3b805f4f12e0a11b4df087e45f9c4bd503a00dab9 23128
quassel_0.10.0-2.3+deb8u2.debian.tar.xz
Files:
382466a7790979c172b7d7edf10a2981 2873233 quassel_0.10.0.orig.tar.bz2
0a6ca72fd93eb30cffdce5ec8d457bd7 23128 quassel_0.10.0-2.3+deb8u2.debian.tar.xz
