Debian Bug report logs - #781024: quassel: Denial of service (CVE-2015-2778 CVE-2015-2779)
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Mon, 23 Mar 2015 14:03:05 UTC
Severity: grave
Tags: patch, security
Fixed in version quassel/1:0.10.0-2.3
Done: Olly Betts <olly@survex.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>: Bug#781024; Package quassel. (Mon, 23 Mar 2015 14:03:10 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>. (Mon, 23 Mar 2015 14:03:10 GMT)
Message #5 received at submit@bugs.debian.org:
Package: quassel
Severity: grave
Tags: security
Justification: user security hole
The following security issue was reported against quassel:
https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8
A CVE ID has been requested but is not yet available; we'll
update the bug once available.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>: Bug#781024; Package quassel. (Sat, 28 Mar 2015 09:27:09 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Sat, 28 Mar 2015 09:27:09 GMT)
Message #10 received at 781024@bugs.debian.org:
Control: retitle -1 quassel: Denial of service (CVE-2015-2778 CVE-2015-2779)
Hi,
Two CVEs were assigned for issues fixed with the commit, for detail
see http://www.openwall.com/lists/oss-security/2015/03/28/3 .
Regards,
Salvatore
Changed Bug title to 'quassel: Denial of service (CVE-2015-2778 CVE-2015-2779)' from 'quassel: Denial of service (no CVE yet)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 781024-submit@bugs.debian.org. (Sat, 28 Mar 2015 09:27:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>: Bug#781024; Package quassel. (Tue, 31 Mar 2015 08:57:04 GMT)
Acknowledgement sent to Thomas Müller <thomas.mueller@tmit.eu>: Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Tue, 31 Mar 2015 08:57:04 GMT)
Message #17 received at 781024@bugs.debian.org:
NMU upload is more than welcome - I lack the time to take care of this at the moment.
Thanks a lot,
Thomas
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>: Bug#781024; Package quassel. (Tue, 31 Mar 2015 21:21:07 GMT)
Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>: Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Tue, 31 Mar 2015 21:21:08 GMT)
Message #22 received at 781024@bugs.debian.org:
tags 781024 + patch
thanks
On Tue, Mar 31, 2015 at 10:48:08AM +0200, Thomas Müller wrote:
> NMU upload is more than welcome - I lack the time to take care of this at
> the moment.
I took the patch from upstream and backported it to the version in sid;
this was a fair amount of work as the patch uses C++11 lambdas heavily
(and the version in jessie is compiled in C++03 mode; I thought changing
this would be too intrusive), but not immediately tricky in itself.
There were also some other merge conflicts that I've fixed.
The patch compiles and has had a second pair of eyes for review, but I've
never used Quassel in my life, so I can't say if it works or not. In any case
it ought to help whoever ends up doing the NMU.
/* Steinar */
--
Homepage: http://www.sesse.net/
[CVE-2015-2778.patch (text/x-diff, attachment)]
Added tag(s) patch. Request was from "Steinar H. Gunderson" <sgunderson@bigfoot.com> to control@bugs.debian.org. (Tue, 31 Mar 2015 21:21:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>: Bug#781024; Package quassel. (Tue, 31 Mar 2015 22:09:08 GMT)
Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>: Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Tue, 31 Mar 2015 22:09:08 GMT)
Message #29 received at 781024@bugs.debian.org:
On Tue, Mar 31, 2015 at 11:03:01PM +0200, Steinar H. Gunderson wrote:
> I took the patch from upstream and backported it to the version in sid;
> this was a fair amount of work as the patch uses C++11 lambdas heavily
> (and the version in jessie is compiled in C++03 mode; I thought changing
> this would be too intrusive), but not immediately tricky in itself.
> There were also some other merge conflicts that I've fixed.
More eyes: The backported patch has been OKed by two upstream Quassel
developers, including Michael Marley (original author of the patch).
So all it needs is some testing from some volunteer and we should be good to
go.
/* Steinar */
--
Homepage: http://www.sesse.net/
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>: Bug#781024; Package quassel. (Tue, 31 Mar 2015 23:03:04 GMT)
Acknowledgement sent to Olly Betts <olly@survex.com>: Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Tue, 31 Mar 2015 23:03:04 GMT)
Message #34 received at 781024@bugs.debian.org:
On Wed, Apr 01, 2015 at 12:07:12AM +0200, Steinar H. Gunderson wrote:
> On Tue, Mar 31, 2015 at 11:03:01PM +0200, Steinar H. Gunderson wrote:
> > I took the patch from upstream and backported it to the version in sid;
> > this was a fair amount of work as the patch uses C++11 lambdas heavily
> > (and the version in jessie is compiled in C++03 mode; I thought changing
> > this would be too intrusive), but not immediately tricky in itself.
> > There were also some other merge conflicts that I've fixed.
>
> More eyes: The backported patch has been OKed by two upstream Quassel
> developers, including Michael Marley (original author of the patch).
> So all it needs is some testing from some volunteer and we should be good to
> go.
I use quassel - I'll test with the patch and NMU if it looks good (if
anyone else wants to test as well, that would be great. Or if someone
else is particularly keen to NMU, that's fine by me too - just let me
know).
Cheers,
Olly
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>: Bug#781024; Package quassel. (Thu, 02 Apr 2015 06:00:05 GMT)
Acknowledgement sent to Olly Betts <olly@survex.com>: Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Thu, 02 Apr 2015 06:00:05 GMT)
Message #39 received at 781024@bugs.debian.org:
Dear maintainer,
I've been using the patched build locally for 2 working days without
issues, so I think it's time to push it to unstable for wider testing.
This is quite a complex patch for this late in the release cycle, but
I really don't see an option for a less complex one. But I suggest we
let it spend a few days in unstable before seeking an unblock request.
Attached is the nmudiff.
Cheers,
Olly
[quassel-0.10.0-2.3-nmu.diff (text/x-diff, attachment)]
Reply sent to Olly Betts <olly@survex.com>: You have taken responsibility. (Thu, 02 Apr 2015 06:06:06 GMT)
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer. (Thu, 02 Apr 2015 06:06:06 GMT)
Message #44 received at 781024-close@bugs.debian.org:
Source: quassel
Source-Version: 1:0.10.0-2.3
We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 781024@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Olly Betts <olly@survex.com> (supplier of updated quassel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 01 Apr 2015 11:41:28 +1300
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source all
Version: 1:0.10.0-2.3
Distribution: unstable
Urgency: high
Maintainer: Thomas Mueller <thomas.mueller@tmit.eu>
Changed-By: Olly Betts <olly@survex.com>
Description:
quassel - distributed IRC client - Qt-based monolithic core+client
quassel-client - distributed IRC client - Qt-based client component
quassel-client-kde4 - distributed IRC client - KDE-based client
quassel-core - distributed IRC client - core component
quassel-data - distributed IRC client - shared data (Qt version)
quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 781024
Changes:
quassel (1:0.10.0-2.3) unstable; urgency=high
.
* Non-maintainer upload with maintainer's permission.
* Improve the message-splitting algorithm for PRIVMSG and CTCP. Original
patch from Michael Marley, backported by Steinar H. Gunderson. Fixes
CVE-2015-2778 and CVE-2015-2779. (Closes: #781024)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 30 Apr 2015 07:25:56 GMT)
Last modified: Wed Jun 19 18:51:57 2019