Debian Bug report logs -
#896914
quassel: CVE-2018-1000178: Implement custom deserializer to add our own sanity checks
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 25 Apr 2018 19:03:01 UTC
Severity: grave
Tags: patch, security, upstream
Found in version quassel/1:0.12.4-1
Fixed in versions quassel/1:0.12.5-1, quassel/1:0.12.4-2+deb9u1, quassel/1:0.10.0-2.3+deb8u4
Done: Felix Geyer <fgeyer@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#896914; Package src:quassel.
(Wed, 25 Apr 2018 19:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>.
(Wed, 25 Apr 2018 19:03:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: quassel
Version: 1:0.12.4-1
Severity: normal
Tags: patch security upstream
Control: fixed -1 1:0.12.5-1
Hi Felix,
Filling this as bug to have an identifier, since no CVE has been
assigned.
https://www.quassel-irc.org/node/130
Commit "Implement custom deserializer to add our own sanity checks":
https://github.com/quassel/quassel/commit/18389a713a6810f57ab237b945e8ee03df857b8b
Regards,
Salvatore
Marked as fixed in versions quassel/1:0.12.5-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org.
(Wed, 25 Apr 2018 19:03:04 GMT) (full text, mbox, link).
Severity set to 'grave' from 'normal'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 25 Apr 2018 19:12:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#896914; Package src:quassel.
(Wed, 25 Apr 2018 21:33:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Felix Geyer <fgeyer@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>.
(Wed, 25 Apr 2018 21:33:02 GMT) (full text, mbox, link).
Message #14 received at 896914@bugs.debian.org (full text, mbox, reply):
Hi,
On Wed, 25 Apr 2018 20:58:52 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> Source: quassel
> Version: 1:0.12.4-1
> Severity: normal
> Tags: patch security upstream
> Control: fixed -1 1:0.12.5-1
>
> Hi Felix,
>
> Filling this as bug to have an identifier, since no CVE has been
> assigned.
>
> https://www.quassel-irc.org/node/130
>
> Commit "Implement custom deserializer to add our own sanity checks":
>
> https://github.com/quassel/quassel/commit/18389a713a6810f57ab237b945e8ee03df857b8b
I'm working on updates for jessie and stretch.
Backporting to stretch is easy.
jessie requires a bit more work as the patch uses quite some C++11 features which
isn't enabled in 0.10.
Felix
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#896914; Package src:quassel.
(Wed, 25 Apr 2018 22:09:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Scott Kitterman <sklist@kitterman.com>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>.
(Wed, 25 Apr 2018 22:09:08 GMT) (full text, mbox, link).
Message #19 received at 896914@bugs.debian.org (full text, mbox, reply):
Issue descriptions from Gentoo (input for DSA text). I'm not sure issue 2 is really a security issue.
Vuln 1:
Title: quasselcore, corruption of heap metadata caused by qdatastream
leading to preauth remote code execution.
Severity: high, by default the server port is publicly open and the address
can be requested using the /WHOIS command of IRC protocol.
Description: In Qdatastream protocol each object are prepended with 4 bytes
for the object size, this can be used to trigger allocation errors.
Vuln 2:
Title: quasselcore DDOS
Severity: low, impact only a quasselcore not configured.
Description: A login attempt causes a NULL pointer dereference because when
the database is not initialized.
Scott K
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#896914; Package src:quassel.
(Thu, 26 Apr 2018 04:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>.
(Thu, 26 Apr 2018 04:51:03 GMT) (full text, mbox, link).
Message #24 received at 896914@bugs.debian.org (full text, mbox, reply):
Hi Felix!
On Wed, Apr 25, 2018 at 11:28:53PM +0200, Felix Geyer wrote:
> Hi,
>
> On Wed, 25 Apr 2018 20:58:52 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> > Source: quassel
> > Version: 1:0.12.4-1
> > Severity: normal
> > Tags: patch security upstream
> > Control: fixed -1 1:0.12.5-1
> >
> > Hi Felix,
> >
> > Filling this as bug to have an identifier, since no CVE has been
> > assigned.
> >
> > https://www.quassel-irc.org/node/130
> >
> > Commit "Implement custom deserializer to add our own sanity checks":
> >
> > https://github.com/quassel/quassel/commit/18389a713a6810f57ab237b945e8ee03df857b8b
>
> I'm working on updates for jessie and stretch.
>
> Backporting to stretch is easy.
> jessie requires a bit more work as the patch uses quite some C++11 features which
> isn't enabled in 0.10.
Thank you, please just notify team@s.d.o when you have something
ready.
Thanks for working on it.
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>:
Bug#896914; Package src:quassel.
(Sat, 28 Apr 2018 01:09:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Scott Kitterman <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>.
(Sat, 28 Apr 2018 01:09:02 GMT) (full text, mbox, link).
Message #29 received at 896914@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
I'm running the patched quassel core on Stretch and it is working fine.
Scott K
[signature.asc (application/pgp-signature, inline)]
Changed Bug title to 'quassel: CVE-2018-1000178: Implement custom deserializer to add our own sanity checks' from 'quassel: Implement custom deserializer to add our own sanity checks'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 01 May 2018 12:03:03 GMT) (full text, mbox, link).
Reply sent
to Felix Geyer <fgeyer@debian.org>:
You have taken responsibility.
(Mon, 07 May 2018 11:39:13 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 07 May 2018 11:39:13 GMT) (full text, mbox, link).
Message #36 received at 896914-close@bugs.debian.org (full text, mbox, reply):
Source: quassel
Source-Version: 1:0.12.4-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 896914@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated quassel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 28 Apr 2018 11:54:39 +0200
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4
Architecture: source
Version: 1:0.12.4-2+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description:
quassel - distributed IRC client - monolithic core+client
quassel-client - distributed IRC client - client component
quassel-client-kde4 - transitional package to quassel-client
quassel-core - distributed IRC client - core component
quassel-data - distributed IRC client - shared data
quassel-kde4 - transitional package to quassel
Closes: 896914 896915
Changes:
quassel (1:0.12.4-2+deb9u1) stretch-security; urgency=high
.
* Backport upstream commit to implement a custom deserializer.
Fixes possible remote code execution. (Closes: #896914)
* Backport upstream commit to reject client logins before the core is
configured. Fixes a DoS vulnerability. (Closes: #896915)
* Backport upstream commit to fix OpenSSL detection with Qt 5.6 and GCC 5.
Checksums-Sha1:
1e70cc25847370393dea2be32b93014bd24f407f 2697 quassel_0.12.4-2+deb9u1.dsc
0976e6c08a73d4138c7e09eba8975746562c6b76 3742639 quassel_0.12.4.orig.tar.bz2
fcc7e69ace457c517a3642d28edb269e23ee3b41 22912 quassel_0.12.4-2+deb9u1.debian.tar.xz
Checksums-Sha256:
c93fa1f6869b0e0e8cef3c5ac43f576fff3a791abb94c8c95b2f8a5b90cc54b7 2697 quassel_0.12.4-2+deb9u1.dsc
93e4e54cb3743cbe2e5684c2fcba94fd2bc2cd739f7672dee14341b49c29444d 3742639 quassel_0.12.4.orig.tar.bz2
b22fea9cb072146f185b2b186eaad092fdcdd360e2ece3ba91f31035e38ece8e 22912 quassel_0.12.4-2+deb9u1.debian.tar.xz
Files:
e387c704709fe34d11808a81036ccfa9 2697 net optional quassel_0.12.4-2+deb9u1.dsc
56abcde46decc5e341888a05189cece3 3742639 net optional quassel_0.12.4.orig.tar.bz2
ca24e059306edf0d810f3e5e2071b8b0 22912 net optional quassel_0.12.4-2+deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEFkxwUS95KUdnZKtW/iLG/YMTXUUFAlroHggACgkQ/iLG/YMT
XUV9WxAAr2LX2/xqCCjwUOn4WEoubKdyN7CxIyb34JAXTor1r/LAvv4C+68yNcov
VzTAb9zLL2gjw4lzhKteWwnAgUhnevrALmTvJnpiaB+VCT4kltkBLDLpF0igKCsb
Yh4mzYglZRTEoSBYXdx15yEtVuBeHfgpJy76qw9ER/hCRip/gaCQSnP9BcGI2xsg
y1z9U7IDKGEaqtzxv5Ppbz7uQ2WfvQFMJr4uaDk+J7XGQP3zcp51ewg6bzQwMbKW
xKf1E3SeRYDck5swS+hgKR8EOztmiUJFJxW2hByZOM3/gnWHrIzQHrYdtBU0szv1
jfe7VRPysrKPwVeMQxTAwZuc9m7lCd+zgxyY2wfsTmGn6zjsoOJD5vF39c3ruC3Y
3sd2cfbOaP42XUQ7YMIR6Hx07EGJa2Xqwyah+gxw3H39GMb+sn0ayyBnjae9qzgm
Nd/gZM8imb5JZlnz0IHBnjD5ymwPjvgaJm8OUnBd7dlRF2P8F/pDgE4VSlKHWhDZ
GXVMEzv1up1/bShj+0xQhRY8jsBbf0Nzxyee4PXgwzwY7sVdh4fFtYacGaVVb6TK
c6ILJOxYWa3IBvD2hYmcEEXkzJYBZfogbtdjMKCfQGdOiv5mbV5zk8KJXqcAxNed
wwvDlqKL5y7pV2TUXKkr2sxy5qOKxBkXxok+oNW6awT6XjLJ+gM=
=6Ehd
-----END PGP SIGNATURE-----
Reply sent
to Felix Geyer <fgeyer@debian.org>:
You have taken responsibility.
(Mon, 07 May 2018 11:39:16 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 07 May 2018 11:39:16 GMT) (full text, mbox, link).
Message #41 received at 896914-close@bugs.debian.org (full text, mbox, reply):
Source: quassel
Source-Version: 1:0.10.0-2.3+deb8u4
We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 896914@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated quassel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 28 Apr 2018 11:54:10 +0200
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source amd64 all
Version: 1:0.10.0-2.3+deb8u4
Distribution: jessie-security
Urgency: high
Maintainer: Thomas Mueller <thomas.mueller@tmit.eu>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description:
quassel - distributed IRC client - Qt-based monolithic core+client
quassel-client - distributed IRC client - Qt-based client component
quassel-client-kde4 - distributed IRC client - KDE-based client
quassel-core - distributed IRC client - core component
quassel-data - distributed IRC client - shared data (Qt version)
quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 896914 896915
Changes:
quassel (1:0.10.0-2.3+deb8u4) jessie-security; urgency=high
.
* Backport upstream commit to implement a custom deserializer.
Fixes possible remote code execution. (Closes: #896914)
* Backport upstream commit to reject client logins before the core is
configured. Fixes a DoS vulnerability. (Closes: #896915)
Checksums-Sha1:
3da6c0eae2a77110f90a9defe65c74e7d715d22d 2400 quassel_0.10.0-2.3+deb8u4.dsc
a67530ce29d7ee2bf02621d0582f3f6c31228489 27952 quassel_0.10.0-2.3+deb8u4.debian.tar.xz
50dddec3b0d50d29de07728405f955606e57fd4f 1663376 quassel-core_0.10.0-2.3+deb8u4_amd64.deb
9ec0aa36beb8ae37732255464ee54dc45251ba2e 2454760 quassel-client_0.10.0-2.3+deb8u4_amd64.deb
f45b4819f85d632e4b804eda5675675a7abd87fa 2866680 quassel_0.10.0-2.3+deb8u4_amd64.deb
d96d1e27b94f42c360a60dbd6958f04b310cf888 23216 quassel-data_0.10.0-2.3+deb8u4_all.deb
4dc6c435a1c9061269c79596071ecc83856ebf63 845010 quassel-client-kde4_0.10.0-2.3+deb8u4_amd64.deb
664b47e4fa9c384752d048ecfdad36da0b02c84d 1083386 quassel-kde4_0.10.0-2.3+deb8u4_amd64.deb
53b4a091e48c9d82a4c69421dd40a164087d3cda 623886 quassel-data-kde4_0.10.0-2.3+deb8u4_all.deb
Checksums-Sha256:
378233ff3d4b44bb09125c53ac7d3d70eb752c0444218821e6f1db76ae678319 2400 quassel_0.10.0-2.3+deb8u4.dsc
0d863b1bba9536ee031bbf85ab6462db89a576faaa24725d62608558d207fc25 27952 quassel_0.10.0-2.3+deb8u4.debian.tar.xz
59f4adf1f438a38ee79c10c21596598ed2c73c86ffc23f881e77e75447595330 1663376 quassel-core_0.10.0-2.3+deb8u4_amd64.deb
b6b0637eb4591ee14c05dd5097b6f8269a9626c07771ff884fcd9266ccde63b6 2454760 quassel-client_0.10.0-2.3+deb8u4_amd64.deb
0df4868945bdb160b0d6d53a50b8b860ac9b61064e28cc15347eddf733f5a284 2866680 quassel_0.10.0-2.3+deb8u4_amd64.deb
4265d29e6ea5f639426cb2577cc46c5825ca2534935776358683dafad8594982 23216 quassel-data_0.10.0-2.3+deb8u4_all.deb
d7a3adef6f745103b92d6bba610458769486568a04ecf996f84a90bb7546453b 845010 quassel-client-kde4_0.10.0-2.3+deb8u4_amd64.deb
6fbd01edaef71484c931a446e9d1a44e304300e98643054483cf7991aaacd8aa 1083386 quassel-kde4_0.10.0-2.3+deb8u4_amd64.deb
434d623efa6a9d77a9868a123fb7c482e36e266f980897639e6b6264b2ba59aa 623886 quassel-data-kde4_0.10.0-2.3+deb8u4_all.deb
Files:
755a4f4d40cd30e65d1414e0ef456725 2400 net optional quassel_0.10.0-2.3+deb8u4.dsc
f3fb5d9a94775486f8b7ff73cb642a80 27952 net optional quassel_0.10.0-2.3+deb8u4.debian.tar.xz
74db007256a326b5fdd44eb60ae89a3c 1663376 net optional quassel-core_0.10.0-2.3+deb8u4_amd64.deb
0e3ba0767dda6bc3c43f3b3a236cc2ec 2454760 net optional quassel-client_0.10.0-2.3+deb8u4_amd64.deb
e725a4ec20a6f1ed9f3a7e45f69c3978 2866680 net optional quassel_0.10.0-2.3+deb8u4_amd64.deb
fe132fb969368db3bf2b2742f53c6c3e 23216 net optional quassel-data_0.10.0-2.3+deb8u4_all.deb
cb1f308ffdc1ecd1ae9ea364ebd27413 845010 net optional quassel-client-kde4_0.10.0-2.3+deb8u4_amd64.deb
314263af13e93725ace27fed6a06c8d8 1083386 net optional quassel-kde4_0.10.0-2.3+deb8u4_amd64.deb
b6b4f3a9eaba7b4b97f087c87f1d9cdd 623886 net optional quassel-data-kde4_0.10.0-2.3+deb8u4_all.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEFkxwUS95KUdnZKtW/iLG/YMTXUUFAlroKUgACgkQ/iLG/YMT
XUX0mA/9F89mmcsXbh80nva18kx0GTdiKMYxmnMMAbpa+YyyONb6AIHr6qNspdbA
vMpV57TJrCJJX+GLalfPLfGA8HLPbWGr6ijsNCdjYVhoLafzjzS37cm8+y+lmJ/a
yFYoSXbScWo7kc1AXZPO6FvpGHGs0uEgC1hqwUixiRk2SndYobphoCESKeXum2QP
5qJaSKWMgSKLPyvbJm7SwE1KBjrwLKzBHcJTIoZaRnUvE1B3bVMG2sepC0GEz0Oj
T4sDg5vnhl8zMa7NGvxipBmQjUuTVTHyNSOBmtWjjqof6AIfd5GK/shP5wGO8cej
khUqJKwWnWn6LAb8QC8F5Zi7oDUTXtaZJq5xchYsrHgHuHIfQJqnbjlm2BAbQw7q
cKeD8je2pugW8exlyEWiRIs9+kYISr7tfrThqaEK+agsGxIJWvPj7i6CJg1Ivlmc
iCmL2Jbo+xDvp5NBJ8f5ZBhD6M5KYXidCXcrivqZBsBioPcWC8KUc9XLiwnlJgxH
kM7yUh5hCWWj9j7+Zo8P8VzpSgEr1RFOo88ysjUPgotFA5yzzbstbu9zaBGpJ5Bx
nQdAGKhfXQEv1cfyvomfHseOmB4pPeM2atqbSNn9EPGWqaT6btRCSfCJuh81T0sp
pNTsq+f1GZOao6UAXnKyYtP893hQDjFzUjK+UF28xlkYDKEAb4M=
=/w7i
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 15 Jul 2018 07:26:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:30:49 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon