Your message dated Fri, 09 Sep 2011 20:47:45 +0000
with message-id <e1r27zf-0002hb...@franck.debian.org>
and subject line Bug#640960: fixed in quassel 0.7.3-1
has caused the Debian Bug report #640960,
regarding CVE-?????: broken CTCP parsing can be used to crash the core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
640960: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640960
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: quassel
Version: 0.6.3-2
Severity: important
Tags: security
When people send me
00000010 75 74 61 73 21 7a 7a 40 31 37 38 2d 33 37 2d 31 |utas!zz@178-37-1|
00000020 30 34 2d 34 32 2e 61 64 73 6c 2e 69 6e 65 74 69 |04-42.adsl.ineti|
00000030 61 2e 70 6c 20 4a 4f 49 4e 20 23 71 75 61 73 73 |a.pl JOIN #quass|
00000040 65 6c 0d 0a 37 36 36 37 30 3a 55 c3 8c a6 5b 7e |el..76670:U...[~|
00000050 8a 26 3a 6b 75 74 61 73 21 7a 7a 40 31 37 38 2d |.&:kutas!zz@178-|
00000060 33 37 2d 31 30 34 2d 34 32 2e 61 64 73 6c 2e 69 |37-104-42.adsl.i|
00000070 6e 65 74 69 61 2e 70 6c 20 50 52 49 56 4d 53 47 |netia.pl PRIVMSG|
00000080 20 23 71 75 61 73 73 65 6c 20 3a 01 41 43 54 49 | #quassel :.ACTI|
00000090 4f 4e 20 01 01 56 45 52 53 49 4f 4e 01 01 56 45 |ON ..VERSION..VE|
000000a0 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 |RSION..VERSION..|
000000b0 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e |VERSION..VERSION|
000000c0 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 |..VERSION..VERSI|
000000d0 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 |ON..VERSION..VER|
000000e0 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 |SION..VERSION..V|
000000f0 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 |ERSION..VERSION.|
00000100 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f |.VERSION..VERSIO|
00000110 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 |N..VERSION..VERS|
00000120 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 |ION..VERSION..VE|
00000130 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 |RSION..VERSION..|
00000140 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e |VERSION..VERSION|
00000150 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 |..VERSION..VERSI|
00000160 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 |ON..VERSION..VER|
00000170 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 |SION..VERSION..V|
00000180 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 |ERSION..VERSION.|
00000190 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f |.VERSION..VERSIO|
000001a0 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 |N..VERSION..VERS|
000001b0 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 |ION..VERSION..VE|
000001c0 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 |RSION..VERSION..|
000001d0 56 45 52 53 49 4f 4e 01 01 0d 0a |VERSION....|
quasselcore crashes. The upstream bug report is
http://bugs.quassel-irc.org/issues/1095
Gentoo bug report is
https://bugs.gentoo.org/382313
(there is some mention about requesting a CVE)
Workaround:
1) Settings->Configure Quassel->IRC->Ignore List->New
2) Strictness: Dynamic
3) Rule Type: CTCP
4) Ignore Rule: * VERSION
5) Scope: Global
Where is the Vcs for quassel? I could prepare a fix.
-- System Information:
Debian Release: 6.0.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages quassel depends on:
ii dbus-x11 1.2.24-4+squeeze1 simple interprocess messaging syst
ii gawk 1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.4.5-8 GCC support library
ii libphonon4 4:4.6.0really4.4.2-1 the core library of the Phonon mul
ii libqt4-dbus 4:4.6.3-4+squeeze1 Qt 4 D-Bus module
ii libqt4-network 4:4.6.3-4+squeeze1 Qt 4 network module
ii libqt4-script 4:4.6.3-4+squeeze1 Qt 4 script module
ii libqt4-sql 4:4.6.3-4+squeeze1 Qt 4 SQL module
ii libqt4-sql-sqlite 4:4.6.3-4+squeeze1 Qt 4 SQLite 3 database driver
ii libqt4-webkit 4:4.6.3-4+squeeze1 Qt 4 WebKit module
ii libqt4-xmlpatterns 4:4.6.3-4+squeeze1 Qt 4 XML patterns module
ii libqtcore4 4:4.6.3-4+squeeze1 Qt 4 core module
ii libqtgui4 4:4.6.3-4+squeeze1 Qt 4 GUI module
ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3
ii phonon 4:4.6.0really4.4.2-1 metapackage for the Phonon multime
ii quassel-data 0.6.3-2 distributed IRC client - shared da
quassel recommends no packages.
quassel suggests no packages.
-- no debconf information
--- End Message ---
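For readers following the report above: the hexdump shows a single PRIVMSG whose body is one CTCP ACTION followed by a long run of back-to-back \x01-delimited VERSION requests, and 0.6.3's CTCP handling did not survive it. The script below is an added example, not quassel's code, of how a core can extract CTCP requests from such a line defensively: empty segments produced by adjacent delimiters are discarded rather than acted on, the number of requests answered per line is capped (the cap value is an assumption, not a quassel setting), and an ignore rule in the spirit of the "* VERSION" workaround is applied before anything is answered (the glob rule format is modelled on the workaround, not quassel's own ignore-list matcher). The sample line is constructed after the shape of the hexdump with a placeholder hostmask.

```python
"""Defensive extraction of CTCP requests from an IRC PRIVMSG line.

Added example, not quassel's code. The pathological line below is
constructed after the shape of the hexdump in the bug report (one ACTION
followed by a long run of back-to-back VERSION requests); the hostmask is
a placeholder.
"""
import re
from fnmatch import fnmatchcase

CTCP_DELIM = "\x01"
# Assumed policy, not a quassel setting: answer at most this many CTCP
# requests arriving in one line.
MAX_CTCP_PER_LINE = 4

_PRIVMSG_RE = re.compile(r"^:(?P<prefix>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


def parse_privmsg(line):
    """Split ':prefix PRIVMSG target :text' into (prefix, target, text).

    Returns None for anything that is not a PRIVMSG with a trailing parameter.
    """
    m = _PRIVMSG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return m.group("prefix"), m.group("target"), m.group("text")


def split_ctcp(text):
    """Separate plain text from CTCP segments in a PRIVMSG body.

    CTCP segments are delimited by the 0x01 byte. Splitting on it puts plain
    text at even indexes and CTCP content at odd indexes, so a run of adjacent
    delimiters only yields empty segments, which are discarded rather than
    handled. Each real segment becomes (COMMAND, argument). A non-empty final
    segment without a closing delimiter is accepted (lenient, as most clients
    are); an empty one is ignored. No recursion: cost is linear in the text.
    """
    parts = text.split(CTCP_DELIM)
    plain = []
    requests = []
    for index, part in enumerate(parts):
        if index % 2 == 0:
            plain.append(part)
            continue
        if not part.strip():
            continue  # empty or whitespace-only segment: nothing to act on
        command, _, argument = part.strip().partition(" ")
        requests.append((command.upper(), argument.strip()))
    return "".join(plain), requests


def is_ignored(prefix, command, rules):
    """Match '<prefix> <COMMAND>' against glob rules such as '* VERSION'.

    Assumed rule format modelled on the workaround in the report; this is not
    quassel's own ignore-list matcher.
    """
    subject = f"{prefix} {command}"
    return any(fnmatchcase(subject, rule) for rule in rules)


def handle_privmsg(line, ignore_rules=(), cap=MAX_CTCP_PER_LINE):
    """Parse one raw line and decide which CTCP requests would be answered.

    Returns None if the line is not a PRIVMSG; otherwise a dict with the plain
    text, the requests that pass both the ignore rules and the per-line cap,
    and the number of requests dropped.
    """
    parsed = parse_privmsg(line)
    if parsed is None:
        return None
    prefix, target, text = parsed
    plain, requests = split_ctcp(text)
    answered, dropped = [], 0
    for command, argument in requests:
        if is_ignored(prefix, command, ignore_rules) or len(answered) >= cap:
            dropped += 1
        else:
            answered.append((command, argument))
    return {"prefix": prefix, "target": target, "plain": plain,
            "answered": answered, "dropped": dropped}


# Constructed input shaped like the report's hexdump: placeholder hostmask,
# one ACTION, 40 back-to-back VERSION requests, then a stray trailing 0x01.
FLOOD_LINE = (":nick!user@example.invalid PRIVMSG #chan :\x01ACTION \x01"
              + "\x01VERSION\x01" * 40 + "\x01\r\n")


if __name__ == "__main__":
    result = handle_privmsg(FLOOD_LINE)
    print(f"cap only: answered {len(result['answered'])}, dropped {result['dropped']}")
    result = handle_privmsg(FLOOD_LINE, ignore_rules=("* VERSION",))
    print(f"with ignore rule: answered {result['answered']}, dropped {result['dropped']}")
```

With only the cap in place the constructed line yields 41 requests, of which 4 are answered and 37 dropped; with the "* VERSION" rule added only the ACTION is left. The point of the even/odd split is that the cost of the pathological line stays proportional to its length, and nothing is re-parsed after a segment has been handled.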
--- Begin Message ---
Source: quassel
Source-Version: 0.7.3-1
We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive:
quassel-client-kde4_0.7.3-1_i386.deb
to main/q/quassel/quassel-client-kde4_0.7.3-1_i386.deb
quassel-client_0.7.3-1_i386.deb
to main/q/quassel/quassel-client_0.7.3-1_i386.deb
quassel-core_0.7.3-1_i386.deb
to main/q/quassel/quassel-core_0.7.3-1_i386.deb
quassel-data-kde4_0.7.3-1_all.deb
to main/q/quassel/quassel-data-kde4_0.7.3-1_all.deb
quassel-data_0.7.3-1_all.deb
to main/q/quassel/quassel-data_0.7.3-1_all.deb
quassel-kde4_0.7.3-1_i386.deb
to main/q/quassel/quassel-kde4_0.7.3-1_i386.deb
quassel_0.7.3-1.debian.tar.gz
to main/q/quassel/quassel_0.7.3-1.debian.tar.gz
quassel_0.7.3-1.dsc
to main/q/quassel/quassel_0.7.3-1.dsc
quassel_0.7.3-1_i386.deb
to main/q/quassel/quassel_0.7.3-1_i386.deb
quassel_0.7.3.orig.tar.bz2
to main/q/quassel/quassel_0.7.3.orig.tar.bz2
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 640...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Mueller <thomas.muel...@tmit.eu> (supplier of updated quassel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 09 Sep 2011 19:00:55 +0000
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source i386 all
Version: 0.7.3-1
Distribution: unstable
Urgency: medium
Maintainer: Thomas Mueller <thomas.muel...@tmit.eu>
Changed-By: Thomas Mueller <thomas.muel...@tmit.eu>
Description:
quassel - distributed IRC client - Qt-based monolithic core+client
quassel-client - distributed IRC client - Qt-based client component
quassel-client-kde4 - distributed IRC client - KDE-based client
quassel-core - distributed IRC client - core component
quassel-data - distributed IRC client - shared data (Qt version)
quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 640960
Changes:
quassel (0.7.3-1) unstable; urgency=medium
.
* New upstream release
* Translation update
* Fixing security issue: ctcp DoS (Closes: #640960)
Checksums-Sha1:
3ba1b52cbc7fb40b245e9f3e556a5f3b01ffca8a 1436 quassel_0.7.3-1.dsc
5cb44cadd1520aa26675555aa5c967f2a28fb86e 2714969 quassel_0.7.3.orig.tar.bz2
3ff1916e72e3b42aed9c79f00394e80858f85c80 18165 quassel_0.7.3-1.debian.tar.gz
47ce4f046ec43edd2235f5221da4f443dba509b4 1421992 quassel-core_0.7.3-1_i386.deb
c24f7d67f488450267210b1f4cd8d52fea2da2cd 2436830 quassel-client_0.7.3-1_i386.deb
92dd79a7c316ff3ab1a16e2df6b301ce64e13a4c 2879372 quassel_0.7.3-1_i386.deb
4c3f4ead8e17d68a40a6a62eec4cd477016a8575 18570 quassel-data_0.7.3-1_all.deb
68aac90453c70341a1ec32c21fe3f8a3a3ae0d5f 989014 quassel-client-kde4_0.7.3-1_i386.deb
d8320e0b035bc59f42cd6ec8436ea9a0538af3df 1267854 quassel-kde4_0.7.3-1_i386.deb
9c808fb1c02cb1ea8f217611775e39a1b6227240 891680 quassel-data-kde4_0.7.3-1_all.deb
Checksums-Sha256:
4a0832c0900e363cd380f05e03ead26495d4d90892552cefd8bda8386fdc8925 1436 quassel_0.7.3-1.dsc
9e78dbc28bfeda2ed66fa3082392951cbd002f851ef1a7f1228988bb18c7c98d 2714969 quassel_0.7.3.orig.tar.bz2
c895f1ed57fa7cbfdb758e9bf25061566640d289acddbf919b73eaccc77570a2 18165 quassel_0.7.3-1.debian.tar.gz
e999a61b32725b8ea4a2c26b440c5ad665291afdafe9b1a06e20ef4f5dd0c86e 1421992 quassel-core_0.7.3-1_i386.deb
6c460a0ebb1ef6defe7d171656dcee9271708b1d932e1f5db3da76c1eff3b706 2436830 quassel-client_0.7.3-1_i386.deb
f7737ab4ec971f7d8f78d878f34d7d296fd63e3552f6ca261228b9a66cbd4d96 2879372 quassel_0.7.3-1_i386.deb
cd067e6bc7a9de5ac0dec6714a0f5d97697f20a6a5b47c94aff727c64ad8e8f7 18570 quassel-data_0.7.3-1_all.deb
9405b17c6ae29aecb72818f5ed3e1ca50dd493559360e559b09810cd45c1edc5 989014 quassel-client-kde4_0.7.3-1_i386.deb
7a223a5e999206bd648b91d4377c8cad7db57c77c6feb0da0f0cad85d28accae 1267854 quassel-kde4_0.7.3-1_i386.deb
74deb792c22d1e8d951917f363f685139777ffc90dc8ccc7495d2cb4f3a1aa65 891680 quassel-data-kde4_0.7.3-1_all.deb
Files:
d43e5ace5f272a5734a923809fcc93f8 1436 net optional quassel_0.7.3-1.dsc
f12b2b09d8ebe533781aa969597d671c 2714969 net optional quassel_0.7.3.orig.tar.bz2
0cc8a659649e9b19cdadeb387b4d2c85 18165 net optional quassel_0.7.3-1.debian.tar.gz
eb43466e8fde37d7c76be372dada6abc 1421992 net optional quassel-core_0.7.3-1_i386.deb
be60b5d2de9b4e2544a0b42f02eb9fef 2436830 net optional quassel-client_0.7.3-1_i386.deb
68c2b2953ead1e518b83d15c54168669 2879372 net optional quassel_0.7.3-1_i386.deb
2c5b5ddd84fa425348f519844eb53b3d 18570 net optional quassel-data_0.7.3-1_all.deb
cd3faf715c4abbdf161e06e1ced1f340 989014 net optional quassel-client-kde4_0.7.3-1_i386.deb
5ad419a6c73cdaf936065ce9f3c1fe8e 1267854 net optional quassel-kde4_0.7.3-1_i386.deb
8e01e1ed686fc082dc20e5f0d8ad1b04 891680 net optional quassel-data-kde4_0.7.3-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk5qdIEACgkQOB0qx4EksQB1LACcCd20cuKpFnJSLk6F/vfTwfvT
BmUAn2wEBEjoX6T+MjFAxox02MHUy+TZ
=MaM2
-----END PGP SIGNATURE-----
--- End Message ---