Your message dated Mon, 12 Sep 2011 19:55:09 +0000
with message-id <e1r3caz-0003ih...@franck.debian.org>
and subject line Bug#640960: fixed in quassel 0.6.3-2+squeeze1
has caused the Debian Bug report #640960,
regarding CVE-2011-3354: broken CTCP parsing can be used to crash the core
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
640960: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640960
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: quassel
Version: 0.6.3-2
Severity: important
Tags: security
When people send me
00000010 75 74 61 73 21 7a 7a 40 31 37 38 2d 33 37 2d 31 |utas!zz@178-37-1|
00000020 30 34 2d 34 32 2e 61 64 73 6c 2e 69 6e 65 74 69 |04-42.adsl.ineti|
00000030 61 2e 70 6c 20 4a 4f 49 4e 20 23 71 75 61 73 73 |a.pl JOIN #quass|
00000040 65 6c 0d 0a 37 36 36 37 30 3a 55 c3 8c a6 5b 7e |el..76670:U...[~|
00000050 8a 26 3a 6b 75 74 61 73 21 7a 7a 40 31 37 38 2d |.&:kutas!zz@178-|
00000060 33 37 2d 31 30 34 2d 34 32 2e 61 64 73 6c 2e 69 |37-104-42.adsl.i|
00000070 6e 65 74 69 61 2e 70 6c 20 50 52 49 56 4d 53 47 |netia.pl PRIVMSG|
00000080 20 23 71 75 61 73 73 65 6c 20 3a 01 41 43 54 49 | #quassel :.ACTI|
00000090 4f 4e 20 01 01 56 45 52 53 49 4f 4e 01 01 56 45 |ON ..VERSION..VE|
000000a0 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 |RSION..VERSION..|
000000b0 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e |VERSION..VERSION|
000000c0 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 |..VERSION..VERSI|
000000d0 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 |ON..VERSION..VER|
000000e0 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 |SION..VERSION..V|
000000f0 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 |ERSION..VERSION.|
00000100 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f |.VERSION..VERSIO|
00000110 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 |N..VERSION..VERS|
00000120 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 |ION..VERSION..VE|
00000130 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 |RSION..VERSION..|
00000140 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e |VERSION..VERSION|
00000150 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 |..VERSION..VERSI|
00000160 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 |ON..VERSION..VER|
00000170 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 |SION..VERSION..V|
00000180 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 |ERSION..VERSION.|
00000190 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 49 4f |.VERSION..VERSIO|
000001a0 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 52 53 |N..VERSION..VERS|
000001b0 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 56 45 |ION..VERSION..VE|
000001c0 52 53 49 4f 4e 01 01 56 45 52 53 49 4f 4e 01 01 |RSION..VERSION..|
000001d0 56 45 52 53 49 4f 4e 01 01 0d 0a |VERSION....|
quasselcore crashes. The upstream bug report is
http://bugs.quassel-irc.org/issues/1095
The Gentoo bug report is
https://bugs.gentoo.org/382313
(there is some mention of requesting a CVE)
Workaround:
1) Settings->Configure Quassel->IRC->Ignore List->New
2) Strictness: Dynamic
3) Rule Type: CTCP
4) Ignore Rule: * VERSION
5) Scope: Global
Where is the Vcs for quassel? I could prepare a fix.
-- System Information:
Debian Release: 6.0.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages quassel depends on:
ii dbus-x11 1.2.24-4+squeeze1 simple interprocess messaging syst
ii gawk 1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.4.5-8 GCC support library
ii libphonon4 4:4.6.0really4.4.2-1 the core library of the Phonon mul
ii libqt4-dbus 4:4.6.3-4+squeeze1 Qt 4 D-Bus module
ii libqt4-network 4:4.6.3-4+squeeze1 Qt 4 network module
ii libqt4-script 4:4.6.3-4+squeeze1 Qt 4 script module
ii libqt4-sql 4:4.6.3-4+squeeze1 Qt 4 SQL module
ii libqt4-sql-sqlite 4:4.6.3-4+squeeze1 Qt 4 SQLite 3 database driver
ii libqt4-webkit 4:4.6.3-4+squeeze1 Qt 4 WebKit module
ii libqt4-xmlpatterns 4:4.6.3-4+squeeze1 Qt 4 XML patterns module
ii libqtcore4 4:4.6.3-4+squeeze1 Qt 4 core module
ii libqtgui4 4:4.6.3-4+squeeze1 Qt 4 GUI module
ii libstdc++6 4.4.5-8 The GNU Standard C++ Library v3
ii phonon 4:4.6.0really4.4.2-1 metapackage for the Phonon multime
ii quassel-data 0.6.3-2 distributed IRC client - shared da
quassel recommends no packages.
quassel suggests no packages.
-- no debconf information
--- End Message ---
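As an added example (not Quassel's code and not the fix shipped in 0.6.3-2+squeeze1; the report does not say which parsing step crashed), the C++ sketch below shows the defensive shape a CTCP handler wants for a message like the one in the dump: a trailing parameter carrying `\x01ACTION \x01` followed by 36 `\x01VERSION\x01` requests (counted from the dump offsets) and a lone trailing `\x01`. It tolerates empty and unterminated `\x01` segments instead of treating them as commands, caps how many CTCP requests one message may have answered, and applies the reporter's "* VERSION" ignore rule. The names `kMaxCtcpPerMessage`, `parseCtcp`, `globMatch`, `ignoredByRule`, `countAnswerable` and `makeSample` are mine; the cap of 3 and the reading of the ignore rule as a glob matched against "sender command" are assumptions, and the sender string is constructed.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Assumed policy value: how many CTCP requests one PRIVMSG may have answered.
constexpr std::size_t kMaxCtcpPerMessage = 3;

struct CtcpRequest {
    std::string command;   // e.g. "VERSION" or "ACTION"
    std::string argument;  // text after the first space; may be empty
};

struct ParseResult {
    std::vector<CtcpRequest> requests;   // requests that would be handled
    std::size_t dropped_empty = 0;       // empty or unterminated \x01 segments
    std::size_t dropped_over_limit = 0;  // requests beyond the per-message cap
    std::string plain_text;              // text outside the \x01 markers
};

// Split the trailing parameter of a PRIVMSG into CTCP segments. A segment is
// the text between a pair of \x01 bytes, so back-to-back \x01\x01 closes one
// segment and opens the next; a lone trailing \x01 yields an empty segment,
// which is counted and dropped rather than dispatched as a command.
ParseResult parseCtcp(const std::string& trailing) {
    ParseResult r;
    std::size_t pos = 0;
    while (pos < trailing.size()) {
        std::size_t open = trailing.find('\x01', pos);
        if (open == std::string::npos) {
            r.plain_text += trailing.substr(pos);
            break;
        }
        r.plain_text += trailing.substr(pos, open - pos);
        std::size_t close = trailing.find('\x01', open + 1);
        std::string seg;
        if (close == std::string::npos) {
            seg = trailing.substr(open + 1);  // unterminated: take the rest
            pos = trailing.size();
        } else {
            seg = trailing.substr(open + 1, close - open - 1);
            pos = close + 1;
        }
        if (seg.empty()) { ++r.dropped_empty; continue; }
        if (r.requests.size() >= kMaxCtcpPerMessage) { ++r.dropped_over_limit; continue; }
        std::size_t sp = seg.find(' ');
        CtcpRequest req;
        req.command = seg.substr(0, sp);
        req.argument = (sp == std::string::npos) ? std::string() : seg.substr(sp + 1);
        r.requests.push_back(req);
    }
    return r;
}

// Minimal glob matcher: '*' matches any run, '?' matches one byte.
bool globMatch(const char* pat, const char* str) {
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') ++pat;
            if (!*pat) return true;
            for (; *str; ++str)
                if (globMatch(pat, str)) return true;
            return false;
        }
        if (*pat == '?') {
            if (!*str) return false;
        } else if (*pat != *str) {
            return false;
        }
        ++pat; ++str;
    }
    return *str == '\0';
}

// Assumed rule shape (from the workaround's "* VERSION"): the glob is matched
// against "<sender> <ctcp command>".
bool ignoredByRule(const std::string& rule, const std::string& sender, const std::string& command) {
    std::string subject = sender + " " + command;
    return globMatch(rule.c_str(), subject.c_str());
}

// Number of requests in one message that survive both the cap and the ignore rule.
std::size_t countAnswerable(const std::string& trailing, const std::string& sender, const std::string& rule) {
    std::size_t n = 0;
    for (const CtcpRequest& q : parseCtcp(trailing).requests)
        if (!ignoredByRule(rule, sender, q.command)) ++n;
    return n;
}

// Constructed input with the shape of the dump: ACTION, N VERSIONs, lone \x01.
std::string makeSample(std::size_t versionCount) {
    std::string s;
    s += '\x01'; s += "ACTION "; s += '\x01';
    for (std::size_t i = 0; i < versionCount; ++i) { s += '\x01'; s += "VERSION"; s += '\x01'; }
    s += '\x01';
    return s;
}

int main() {
    const std::string sender = "nick!user@example.invalid";  // constructed
    ParseResult r = parseCtcp(makeSample(36));
    std::cout << "handled " << r.requests.size() << ", over limit " << r.dropped_over_limit
              << ", empty " << r.dropped_empty << ", answered after rule: "
              << countAnswerable(makeSample(36), sender, "* VERSION") << '\n';
    return 0;
}
```

With the cap at 3, the sample yields three handled requests (ACTION and two VERSIONs), 34 dropped over the limit and one dropped empty segment; after the "* VERSION" rule only the ACTION remains, which is the same outcome the reporter's ignore-list workaround produces for the VERSION flood.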
--- Begin Message ---
Source: quassel
Source-Version: 0.6.3-2+squeeze1
We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive:
quassel-client-kde4_0.6.3-2+squeeze1_i386.deb
to main/q/quassel/quassel-client-kde4_0.6.3-2+squeeze1_i386.deb
quassel-client_0.6.3-2+squeeze1_i386.deb
to main/q/quassel/quassel-client_0.6.3-2+squeeze1_i386.deb
quassel-core_0.6.3-2+squeeze1_i386.deb
to main/q/quassel/quassel-core_0.6.3-2+squeeze1_i386.deb
quassel-data-kde4_0.6.3-2+squeeze1_all.deb
to main/q/quassel/quassel-data-kde4_0.6.3-2+squeeze1_all.deb
quassel-data_0.6.3-2+squeeze1_all.deb
to main/q/quassel/quassel-data_0.6.3-2+squeeze1_all.deb
quassel-kde4_0.6.3-2+squeeze1_i386.deb
to main/q/quassel/quassel-kde4_0.6.3-2+squeeze1_i386.deb
quassel_0.6.3-2+squeeze1.debian.tar.gz
to main/q/quassel/quassel_0.6.3-2+squeeze1.debian.tar.gz
quassel_0.6.3-2+squeeze1.dsc
to main/q/quassel/quassel_0.6.3-2+squeeze1.dsc
quassel_0.6.3-2+squeeze1_i386.deb
to main/q/quassel/quassel_0.6.3-2+squeeze1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 640...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Mueller <thomas.muel...@tmit.eu> (supplier of updated quassel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 09 Sep 2011 20:30:15 +0000
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4
quassel-kde4 quassel-data-kde4
Architecture: source i386 all
Version: 0.6.3-2+squeeze1
Distribution: stable
Urgency: low
Maintainer: Thomas Mueller <thomas.muel...@tmit.eu>
Changed-By: Thomas Mueller <thomas.muel...@tmit.eu>
Description:
quassel - distributed IRC client - Qt-based monolithic core+client
quassel-client - distributed IRC client - Qt-based client component
quassel-client-kde4 - distributed IRC client - KDE-based client
quassel-core - distributed IRC client - core component
quassel-data - distributed IRC client - shared data (Qt version)
quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 640960
Changes:
quassel (0.6.3-2+squeeze1) stable; urgency=low
.
* Fixing security issue: ctcp DoS (Closes: #640960)
Checksums-Sha1:
7537db3c263f206dcdee2373228c21c9fd896ae7 1387 quassel_0.6.3-2+squeeze1.dsc
397fd15ca87cf15fe13842b05c847fdfb28fd2a5 18068
quassel_0.6.3-2+squeeze1.debian.tar.gz
2899b59ee9cfff5954e61874ccb5f4cb52823413 681244
quassel-core_0.6.3-2+squeeze1_i386.deb
3df0777a97dae6791fcb505492d70af43979b6b3 1602612
quassel-client_0.6.3-2+squeeze1_i386.deb
f71f8b1b8a48f0c10707b71601459ee8e337982a 2032964
quassel_0.6.3-2+squeeze1_i386.deb
febe15d4fb2423a01bc7b9873d026265d5a3fa84 18214
quassel-data_0.6.3-2+squeeze1_all.deb
069c85276e35b333afaf5e26c6a4afce887c24dc 896670
quassel-client-kde4_0.6.3-2+squeeze1_i386.deb
c9e2e12066c9b734565f1426ed82f4bfb3af6f8f 1148966
quassel-kde4_0.6.3-2+squeeze1_i386.deb
077986ba1ba9133ef5bda9d5ab78da45858705b7 158136
quassel-data-kde4_0.6.3-2+squeeze1_all.deb
Checksums-Sha256:
f0c73ab4850a35faa92a9b293e4dd24171e7da40c053a6cbce79d88cdd19564f 1387
quassel_0.6.3-2+squeeze1.dsc
6cac5cf89a3a26f5a5756aaf826d537c05c8d19d3e29c83acdc408c2d4514051 18068
quassel_0.6.3-2+squeeze1.debian.tar.gz
f7a8b3820af56f1698ded98fe9bab3466764e7e12565a18d24efa6a5f1691a53 681244
quassel-core_0.6.3-2+squeeze1_i386.deb
32b7ab2fa3fd2c71def5cc60fab22a06d97167e3a6d3ff8e5c8cc31a04d86771 1602612
quassel-client_0.6.3-2+squeeze1_i386.deb
e192e6bc8eddaa1feaa63c829503ece03e63e238549594b8a9cdd09a162ca6c9 2032964
quassel_0.6.3-2+squeeze1_i386.deb
6b3f00b8f57fb0889da839baad7be44779629133ac3630c87acaaeea4d5c999e 18214
quassel-data_0.6.3-2+squeeze1_all.deb
bbf4cb00cd6fe046dd108e118d1b17084a52db9af3fad7b48457b8d6f2bb566d 896670
quassel-client-kde4_0.6.3-2+squeeze1_i386.deb
18b0e557cd284db22227927156e66c407bff03866c16135a183b4b7bce64d819 1148966
quassel-kde4_0.6.3-2+squeeze1_i386.deb
eff9d7c571fafc63dc1e3474f785afa0155814c685ba964370f3db18a08d43ed 158136
quassel-data-kde4_0.6.3-2+squeeze1_all.deb
Files:
323f942a78f35c0cc9b81d54ac7307a5 1387 net optional quassel_0.6.3-2+squeeze1.dsc
262d82a3165dcf59dcb91d663bccc913 18068 net optional
quassel_0.6.3-2+squeeze1.debian.tar.gz
f6203c89eaa6833eb1f69b1196c60fc5 681244 net optional
quassel-core_0.6.3-2+squeeze1_i386.deb
a2c2465cf0bb356d65ed9ba1fe347fb0 1602612 net optional
quassel-client_0.6.3-2+squeeze1_i386.deb
7263d6661b035a8a8cd0ed817529c337 2032964 net optional
quassel_0.6.3-2+squeeze1_i386.deb
9fc48c3dcbd9f50e99b9ef5616da566d 18214 net optional
quassel-data_0.6.3-2+squeeze1_all.deb
0cf3874bc9e9672ce60eef8e29c4cd2a 896670 net optional
quassel-client-kde4_0.6.3-2+squeeze1_i386.deb
fdfb6e82741cc3e76f3d7e90c8c5ac14 1148966 net optional
quassel-kde4_0.6.3-2+squeeze1_i386.deb
74f8c89f03381fb4bb6471f4b6d5660f 158136 net optional
quassel-data-kde4_0.6.3-2+squeeze1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk5qlCkACgkQOB0qx4EksQBKUgCfWmuqn+apJyy+dpAIqqwX94/K
KVUAn0jtACrfFYgU1ugzUY+ykimCjN0C
=USZK
-----END PGP SIGNATURE-----
--- End Message ---