quassel: Denial of service (CVE-2015-2778 CVE-2015-2779)

Debian Bug report logs - #781024
quassel: Denial of service (CVE-2015-2778 CVE-2015-2779)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: quassel: Denial of service (no CVE yet)

Date: Mon, 23 Mar 2015 14:55:39 +0100

Package: quassel
Severity: grave
Tags: security
Justification: user security hole

The following security issue was reported against quassel:
https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8

A CVE ID has been requested, but is not yet available, we'll
update the bug once available.

Cheers,
        Moritz

Message #10 received at 781024@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Moritz Muehlenhoff <jmm@inutil.org>, 781024@bugs.debian.org

Subject: Re: Bug#781024: quassel: Denial of service (no CVE yet)

Date: Sat, 28 Mar 2015 10:24:26 +0100

Control: retitle -1 quassel: Denial of service (CVE-2015-2778 CVE-2015-2779)

Hi,

Two CVEs were assigned for issues fixed with the commit, for detail
see http://www.openwall.com/lists/oss-security/2015/03/28/3 .

Regards,
Salvatore

Message #17 received at 781024@bugs.debian.org (full text, mbox, reply):

From: Thomas Müller <thomas.mueller@tmit.eu>

To: 781024@bugs.debian.org

Subject: Re: Bug#781024: quassel: Denial of service (no CVE yet)

Date: Tue, 31 Mar 2015 10:48:08 +0200

NMU upload is more then welcome - I lack the time to take care of this at the moment.

Thanks a lot,

Thomas

Message #22 received at 781024@bugs.debian.org (full text, mbox, reply):

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

To: Thomas Müller <thomas.mueller@tmit.eu>, 781024@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: Bug#781024: quassel: Denial of service (no CVE yet)

Date: Tue, 31 Mar 2015 23:03:01 +0200

[Message part 1 (text/plain, inline)]

tags 781024 + patch
thanks

On Tue, Mar 31, 2015 at 10:48:08AM +0200, Thomas Müller wrote:
> NMU upload is more then welcome - I lack the time to take care of this at
> the moment.

I took the patch from upstream and backported it to the version in sid;
this was a fair amount of work as the patch uses C++11 lambdas heavily
(and the version in jessie is compiled in C++03 mode; I thought changing
this would be too intrusive), but not immediately tricky in itself.
There were also some other merge conflicts that I've fixed.

The patch compiles and has had a second pair of eyes for review, but I've
never used Quassel in my life, so I can't say if it works or not. In any case
it ought to help whoever ends up doing the NMU.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

[CVE-2015-2778.patch (text/x-diff, attachment)]

Message #29 received at 781024@bugs.debian.org (full text, mbox, reply):

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

To: Thomas Müller <thomas.mueller@tmit.eu>, 781024@bugs.debian.org

Subject: Re: Bug#781024: quassel: Denial of service (no CVE yet)

Date: Wed, 1 Apr 2015 00:07:12 +0200

On Tue, Mar 31, 2015 at 11:03:01PM +0200, Steinar H. Gunderson wrote:
> I took the patch from upstream and backported it to the version in sid;
> this was a fair amount of work as the patch uses C++11 lambdas heavily
> (and the version in jessie is compiled in C++03 mode; I thought changing
> this would be too intrusive), but not immediately tricky in itself.
> There were also some other merge conflicts that I've fixed.

More eyes: The backported patch has been OKed by two upstream Quassel
developers, including Michael Marley (original author of the patch).
So all it needs is some testing from some volunteer and we should be good to
go.

/* Steinar */
-- 
Homepage: http://www.sesse.net/

Message #34 received at 781024@bugs.debian.org (full text, mbox, reply):

From: Olly Betts <olly@survex.com>

To: "Steinar H. Gunderson" <sgunderson@bigfoot.com>, 781024@bugs.debian.org

Cc: Thomas Müller <thomas.mueller@tmit.eu>

Subject: Re: Bug#781024: quassel: Denial of service (no CVE yet)

Date: Wed, 1 Apr 2015 11:36:49 +1300

On Wed, Apr 01, 2015 at 12:07:12AM +0200, Steinar H. Gunderson wrote:
> On Tue, Mar 31, 2015 at 11:03:01PM +0200, Steinar H. Gunderson wrote:
> > I took the patch from upstream and backported it to the version in sid;
> > this was a fair amount of work as the patch uses C++11 lambdas heavily
> > (and the version in jessie is compiled in C++03 mode; I thought changing
> > this would be too intrusive), but not immediately tricky in itself.
> > There were also some other merge conflicts that I've fixed.
> 
> More eyes: The backported patch has been OKed by two upstream Quassel
> developers, including Michael Marley (original author of the patch).
> So all it needs is some testing from some volunteer and we should be good to
> go.

I use quassel - I'll test with the patch and NMU if it looks good (if
anyone else wants to test as well, that would be great.  Or if someone
else is particularly keen to NMU, that's fine by too - just let me
know).

Cheers,
    Olly

Message #39 received at 781024@bugs.debian.org (full text, mbox, reply):

From: Olly Betts <olly@survex.com>

To: 781024@bugs.debian.org

Subject: quassel: diff for NMU version 1:0.10.0-2.3

Date: Thu, 2 Apr 2015 18:56:11 +1300

[Message part 1 (text/plain, inline)]

Dear maintainer,

I've been using the patched build locally for 2 working days without
issues, so I think it's time to push it to unstable for wider testing.

This is quite a complex patch for this late in the release cycle, but
I really don't see an option for a less complex one.  But I suggest we
let it spend a few days in unstable before seeking an unblock request.

Attached is the nmudiff.

Cheers,
    Olly

[quassel-0.10.0-2.3-nmu.diff (text/x-diff, attachment)]

Message #44 received at 781024-close@bugs.debian.org (full text, mbox, reply):

From: Olly Betts <olly@survex.com>

To: 781024-close@bugs.debian.org

Subject: Bug#781024: fixed in quassel 1:0.10.0-2.3

Date: Thu, 02 Apr 2015 06:04:05 +0000

Source: quassel
Source-Version: 1:0.10.0-2.3

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 781024@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Olly Betts <olly@survex.com> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 01 Apr 2015 11:41:28 +1300
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source all
Version: 1:0.10.0-2.3
Distribution: unstable
Urgency: high
Maintainer: Thomas Mueller <thomas.mueller@tmit.eu>
Changed-By: Olly Betts <olly@survex.com>
Description:
 quassel    - distributed IRC client - Qt-based monolithic core+client
 quassel-client - distributed IRC client - Qt-based client component
 quassel-client-kde4 - distributed IRC client - KDE-based client
 quassel-core - distributed IRC client - core component
 quassel-data - distributed IRC client - shared data (Qt version)
 quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
 quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 781024
Changes:
 quassel (1:0.10.0-2.3) unstable; urgency=high
 .
   * Non-maintainer upload with maintainer's permission.
   * Improve the message-splitting algorithm for PRIVMSG and CTCP.  Original
     patch from Michael Marley, backported by Steinar H. Gunderson.  Fixes
     CVE-2015-2778 and CVE-2015-2779.  (Closes: #781024)
Checksums-Sha1:
 b11307116151c1ff96ad3bce07374a6899bbad32 2356 quassel_0.10.0-2.3.dsc
 22f0a53883ee6eb62b8f58a7dc768f15b6b053c3 21780 quassel_0.10.0-2.3.debian.tar.xz
 69592504d27b2c25e3451338a1f90bc705d00d5f 22804 quassel-data_0.10.0-2.3_all.deb
 398682e1a140f2d6be07dabae94c140bf5c4bdb2 625446 quassel-data-kde4_0.10.0-2.3_all.deb
Checksums-Sha256:
 de6de1e586b9f56454eeed23912d514b15b4564ca47acdaab8b87d9243608a0b 2356 quassel_0.10.0-2.3.dsc
 cad61ba7b89e6508dc43bcc987e581608bf0e5a21f14453c314553f2be6e1c72 21780 quassel_0.10.0-2.3.debian.tar.xz
 61ca3b03b60d6b150b17712db346e03878d31401054a51e4cc4bd924d858dcb7 22804 quassel-data_0.10.0-2.3_all.deb
 e57c933792a0779c92d6608b304ebf33b55e1ef677b81852a6cc4efe459aeb7e 625446 quassel-data-kde4_0.10.0-2.3_all.deb
Files:
 175fca302884d4c94004d4abb2159a0f 2356 net optional quassel_0.10.0-2.3.dsc
 e53ac5b221e2e50b8c1f7b46362dbc0f 21780 net optional quassel_0.10.0-2.3.debian.tar.xz
 0bb473957ca32053454991831ae68037 22804 net optional quassel-data_0.10.0-2.3_all.deb
 8750592f8c15398e2701ea09a17c547b 625446 net optional quassel-data-kde4_0.10.0-2.3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVHNiGAAoJEBgUewc7rSsHqZoP/2KI5Rtyi4djd2xKVjTPTXkJ
TevVxO9LZf1Xg0SrBGhpjpGvr9RU6axuz7/edLxRlCje73+r+TgwAcBLgGvk5whP
ozjY3JOTWabAtau0BROQpII7aivUZdhJ3CPn5yid4WfSOtN6zdiMMAkCl6Hms4bg
LvrDsSDaVqEtDZqjGgbBJTRmUSM2q/ya3uEqyCDZbpLYf4bhgXfmOH1RnP5xmMgQ
oVR+CoGWq7g0taVSHH88DBQkA3N+XNDW46lbRql/MHgwmQlz2tvXUXAKfNi4JzU+
EWrLu+IVHIzK34J6aLEz/TygnGVsCrt8QdCR0zUtcLfmsp54QCs6SUPyTDUmUvTo
ez0wjrHoRdJgzDE7lyKzq1+YgDfxs6C5OA45ob+63gjlG+AdjREpAVnwMv2XfMC8
R6V+BK8sImFoTxxCd+bDFRxrl1xLLrfG5GlxqooHyfl20rk3Mn/+2BvLlrSy+GO1
l84teylD3LGe1GXD98El+UCd/KzSx/X6tkWTgh6iQZmfmLBLkm43YJRK/5WaMip8
8eW2wFA0nKpRxYsquk8HW84sEmGElxc6WfzHGGW9XkwsvEEIoq6ZLHwXRTQy6AJi
WX5+rtAIE5Vy5sH9/X4bW2dehfxNN05HbMPrJUx2pnakBnzyiIqi+cSPKUUFF4UM
MykHx8ybVFNbIUad/P33
=ACDZ
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.