Hi, attached is a patch extracted from the diff between the two upstream releases that fixes this issue.
Will upload as NMU. Cheers Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u quassel-0.2~rc1/debian/changelog quassel-0.2~rc1/debian/changelog
--- quassel-0.2~rc1/debian/changelog
+++ quassel-0.2~rc1/debian/changelog
@@ -1,3 +1,12 @@
+quassel (0.2~rc1-1.1) unstable; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Fix wrong dequoting for ctcp messages that enables attackers to craft
+ a ctcp message and send arbitrary messages or irc commands to
+ others (05_security.patch; Closes: #506550).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Sat, 29 Nov 2008 13:50:08 +0100
+
 quassel (0.2~rc1-1) unstable; urgency=low
 
 * download link in copyright changed
only in patch2:
unchanged:
--- quassel-0.2~rc1.orig/debian/patches/05_security.patch
+++ quassel-0.2~rc1/debian/patches/05_security.patch
@@ -0,0 +1,103 @@
+diff -Nurad quassel-0.3.0.2/src/core/ctcphandler.cpp quassel-0.3.0.3/src/core/ctcphandler.cpp
+--- quassel-0.3.0.2/src/core/ctcphandler.cpp 2008-09-28 22:48:29.000000000 +0200
++++ quassel-0.3.0.3/src/core/ctcphandler.cpp 2008-10-26 14:14:06.000000000 +0100
+@@ -30,9 +30,9 @@
+ {
+ 
+ QByteArray MQUOTE = QByteArray("\020");
+- ctcpMDequoteHash[MQUOTE + '0'] = QByteArray("\000");
+- ctcpMDequoteHash[MQUOTE + 'n'] = QByteArray("\n");
+- ctcpMDequoteHash[MQUOTE + 'r'] = QByteArray("\r");
++ ctcpMDequoteHash[MQUOTE + '0'] = QByteArray(1, '\000');
++ ctcpMDequoteHash[MQUOTE + 'n'] = QByteArray(1, '\n');
++ ctcpMDequoteHash[MQUOTE + 'r'] = QByteArray(1, '\r');
+ ctcpMDequoteHash[MQUOTE + MQUOTE] = MQUOTE;
+ 
+ QByteArray XQUOTE = QByteArray("\134");
+@@ -40,7 +40,23 @@
+ ctcpXDelimDequoteHash[XQUOTE + QByteArray("a")] = XDELIM;
+ }
+ 
+-QByteArray CtcpHandler::dequote(const QByteArray &message) {
++QByteArray CtcpHandler::lowLevelQuote(const QByteArray &message) {
++ QByteArray quotedMessage = message;
++
++ QHash<QByteArray, QByteArray> quoteHash = ctcpMDequoteHash;
++ QByteArray MQUOTE = QByteArray("\020");
++ quoteHash.remove(MQUOTE + MQUOTE);
++ quotedMessage.replace(MQUOTE, MQUOTE + MQUOTE);
++
++ QHash<QByteArray, QByteArray>::const_iterator quoteIter = quoteHash.constBegin();
++ while(quoteIter != quoteHash.constEnd()) {
++ quotedMessage.replace(quoteIter.value(), quoteIter.key());
++ quoteIter++;
++ }
++ return quotedMessage;
++}
++
++QByteArray CtcpHandler::lowLevelDequote(const QByteArray &message) {
+ QByteArray dequotedMessage;
+ QByteArray messagepart;
+ QHash<QByteArray, QByteArray>::iterator ctcpquote;
+@@ -62,6 +78,15 @@
+ return dequotedMessage;
+ }
+ 
++QByteArray CtcpHandler::xdelimQuote(const QByteArray &message) {
++ QByteArray quotedMessage = message;
++ QHash<QByteArray, QByteArray>::const_iterator quoteIter = ctcpXDelimDequoteHash.constBegin();
++ while(quoteIter != ctcpXDelimDequoteHash.constEnd()) {
++ quotedMessage.replace(quoteIter.value(), quoteIter.key());
++ quoteIter++;
++ }
++ return quotedMessage;
++}
+ 
+ QByteArray CtcpHandler::xdelimDequote(const QByteArray &message) {
+ QByteArray dequotedMessage;
+@@ -88,7 +113,7 @@
+ QByteArray ctcp;
+ 
+ //lowlevel message dequote
+- QByteArray dequotedMessage = dequote(message);
++ QByteArray dequotedMessage = lowLevelDequote(message);
+ 
+ CtcpType ctcptype = messageType == Message::Notice
+ ? CtcpReply
+@@ -135,19 +160,18 @@
+ }
+ 
+ QByteArray CtcpHandler::pack(const QByteArray &ctcpTag, const QByteArray &message) {
+- return XDELIM + ctcpTag + ' ' + message + XDELIM;
++ return XDELIM + ctcpTag + ' ' + xdelimQuote(message) + XDELIM;
+ }
+ 
+-// TODO handle encodings correctly!
+ void CtcpHandler::query(const QString &bufname, const QString &ctcpTag, const QString &message) {
+ QList<QByteArray> params;
+- params << serverEncode(bufname) << pack(serverEncode(ctcpTag), userEncode(bufname, message));
++ params << serverEncode(bufname) << lowLevelQuote(pack(serverEncode(ctcpTag), userEncode(bufname, message)));
+ emit putCmd("PRIVMSG", params);
+ }
+ 
+ void CtcpHandler::reply(const QString &bufname, const QString &ctcpTag, const QString &message) {
+ QList<QByteArray> params;
+- params << serverEncode(bufname) << pack(serverEncode(ctcpTag), userEncode(bufname, message));
++ params << serverEncode(bufname) << lowLevelQuote(pack(serverEncode(ctcpTag), userEncode(bufname, message)));
+ emit putCmd("NOTICE", params);
+ }
+ 
+diff -Nurad quassel-0.3.0.2/src/core/ctcphandler.h quassel-0.3.0.3/src/core/ctcphandler.h
+--- quassel-0.3.0.2/src/core/ctcphandler.h 2008-09-28 22:48:29.000000000 +0200
++++ quassel-0.3.0.3/src/core/ctcphandler.h 2008-10-26 14:14:06.000000000 +0100
+@@ -36,7 +36,9 @@
+ 
+ void parse(Message::Type, const QString &prefix, const QString &target, const QByteArray &message);
+ 
+- QByteArray dequote(const QByteArray &);
++ QByteArray lowLevelQuote(const QByteArray &);
++ QByteArray lowLevelDequote(const QByteArray &);
++ QByteArray xdelimQuote(const QByteArray &);
+ QByteArray xdelimDequote(const QByteArray &);
+ 
+ QByteArray pack(const QByteArray &ctcpTag, const QByteArray &message);
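Review bot: The replacement order in the new xdelimQuote (the `@@ -62,6 +78,15 @@` hunk of the added patch) is whatever QHash iteration happens to yield, so if ctcpXDelimDequoteHash also carries an XQUOTE+XQUOTE → XQUOTE entry (the constructor line just above the `@@ -40,7 +40,23 @@` context, not visible here), a message containing XDELIM can have the backslash inserted for it doubled by a later iteration, and xdelimDequote will then not restore the original bytes. lowLevelQuote in the same patch avoids exactly this by removing the MQUOTE+MQUOTE entry and doubling MQUOTE before the loop; xdelimQuote should mirror that with XQUOTE (`"\134"`), which also makes the quoting independent of hash order. A smaller point of style in both new loops: `++quoteIter;` rather than `quoteIter++;` on the const_iterator.
```cpp
QByteArray CtcpHandler::xdelimQuote(const QByteArray &message) {
  QByteArray quotedMessage = message;

  // Double the quote character first, as lowLevelQuote does for MQUOTE; otherwise the
  // backslash inserted for a delimiter below could itself be doubled, depending on QHash order.
  QHash<QByteArray, QByteArray> quoteHash = ctcpXDelimDequoteHash;
  QByteArray XQUOTE = QByteArray("\134");
  quoteHash.remove(XQUOTE + XQUOTE);
  quotedMessage.replace(XQUOTE, XQUOTE + XQUOTE);

  QHash<QByteArray, QByteArray>::const_iterator quoteIter = quoteHash.constBegin();
  while(quoteIter != quoteHash.constEnd()) {
    quotedMessage.replace(quoteIter.value(), quoteIter.key());
    ++quoteIter;
  }
  return quotedMessage;
}
```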