CVE-2015-8547: quassel: op command denial of service vulnerability

Debian Bug report logs - #807801
CVE-2015-8547: quassel: op command denial of service vulnerability

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: submit@bugs.debian.org

Subject: CVE-2015-8547: quassel: op command denial of service vulnerability

Date: Sun, 13 Dec 2015 09:41:26 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: quassel
Version: 1:0.12.2-2
Severity: important
Tags: security

Hi,

the following vulnerability was published for Quassel.

CVE-2015-8547: remotely triggerable DoS by any client on a Quassel core

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

https://security-tracker.debian.org/tracker/CVE-2015-8547
https://github.com/quassel/quassel/commit/b8edbda019eeb99da8663193e224efc9d1265dc7

Please adjust the affected versions in the BTS as needed.

- -- 
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIbBAEBAgAGBQJWbSElAAoJECet96ROqnV0Qc8P9RRgUu3nA1U50qDiHkWBQu2d
t/AzoalX8bQe+6iNM6hJpwr4+0ipvhIzwVEBdtsImfzMGsEeoIh6xiswNjIovLKS
DUxTv2mnMDFbx5HAHXc8wKYsNRwaTeW1/kZHLZRczrydZJlPvW+J3WVh4Iri+Nz3
zZWAfYFViL2vCEcR50xOEoE1vnfhxwRUgOYRLXO4VY59q1Ri9imqp8OZOYW5nN/x
EXOYA2ZxIQhOh8/pDHHHxgP84+z3E2fXT5uyRDN1B7SUEF5eU2bnLO07sTgseqgm
UyEfNAH1H3WejIjwVMp9svKG8jUNSleO5CLSpFTmJTj6IYNsj664qNz/2qQaCpu1
dIGMW1lmyehHVVkkC7oACgdogakDZS9KHGNYHj3ZBM+6PyU/Hj1e4EE3thJwe5eX
YDWsZJe2LXxEYBuHxQnJPKft7aTmo9bQXFMHcEgjgKWquARIPl4CI7B0rPr+j3Nr
lrKBYMnyylnCrarFIcmtg+H1kzgI+OsH+8K+g6y7eWamN89taph47w11Hr4EuJib
C7LrKAwo4NVrRSXVqP319tPQ3HXmHvf1M4ShcsoE1qBdhT4SQSJ0oj5tYjMmuCIr
q9bPhfA7l3AbVkdeZqmTWb0tVnstBKX+wBCDNDtrzGEJtE9LE7GUV6cNFrfP4xfG
pFXZvvFLdF4ZiDegYOs=
=aVIY
-----END PGP SIGNATURE-----

Message #10 received at 807801@bugs.debian.org (full text, mbox, reply):

From: Pierre Schweitzer <pierre@reactos.org>

To: 807801@bugs.debian.org

Subject: Patch

Date: Sun, 13 Dec 2015 11:32:14 +0100

[Message part 1 (text/plain, inline)]

Hi,

Please find attached a debdiff for Jessie backporting the fix for this
vulnerability.

Cheers,
-- 
Pierre Schweitzer <pierre at reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.

[quassel_0.10.0-2.3+deb8u2.diff (text/x-patch, attachment)]

[quassel_0.10.0-2.3+deb8u2.dsc (text/plain, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Message #21 received at 807801-close@bugs.debian.org (full text, mbox, reply):

From: Felix Geyer <fgeyer@debian.org>

To: 807801-close@bugs.debian.org

Subject: Bug#807801: fixed in quassel 1:0.12.2-3

Date: Mon, 14 Dec 2015 22:14:42 +0000

Source: quassel
Source-Version: 1:0.12.2-3

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807801@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Geyer <fgeyer@debian.org> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 14 Dec 2015 21:25:33 +0100
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4
Architecture: source
Version: 1:0.12.2-3
Distribution: unstable
Urgency: high
Maintainer: Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>
Changed-By: Felix Geyer <fgeyer@debian.org>
Description:
 quassel    - distributed IRC client - monolithic core+client
 quassel-client - distributed IRC client - client component
 quassel-client-kde4 - transitional package to quassel-client
 quassel-core - distributed IRC client - core component
 quassel-data - distributed IRC client - shared data
 quassel-kde4 - transitional package to quassel
Closes: 807801
Changes:
 quassel (1:0.12.2-3) unstable; urgency=high
 .
   * Fix CVE-2015-8547: op command denial of service issue (Closes: #807801)
     - Add CVE-2015-8547.patch
Checksums-Sha1:
 6259ebadd4733c66179c3724b76ab68969bf5658 2636 quassel_0.12.2-3.dsc
 70bc922e1deb90758a05f25fb55367b19058352d 19128 quassel_0.12.2-3.debian.tar.xz
Checksums-Sha256:
 76e08ff26476c7dea478fa9388b6ca32f9252735f19123f5c0549d1b8e303093 2636 quassel_0.12.2-3.dsc
 fe236cb2a98f57a57784f60601055f3e9e040497513fa715e530d58b15772cc7 19128 quassel_0.12.2-3.debian.tar.xz
Files:
 bcf22c495bb0416fa186acf87fdee357 2636 net optional quassel_0.12.2-3.dsc
 9b4148ab7668afa8d6ba4c454634f48f 19128 net optional quassel_0.12.2-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWbyYfAAoJEP4ixv2DE11FtHsP/3SKHlcGE6OqVqAhVYfJ+Bw9
4xJkeBywWiLAmWa2LXJVviqZBXNlrM1IMsvnKYkyO/Hs9HMgQeFATfs/y19+jRTW
q9eAJ138Dax3tLuSNKRlJfqg6YY6s7fhBsP2j/ZVJQhb8/bYmwb0+j2cYE9j23Jg
9iCQWyiMp/HNBbWHOdjbuvEa/yaAfRlU44f97/OebyGTlUeHfikvbDiLkG3JwmiV
TeXUVcGw6qHm55LhOtL7G+ijPQS9psP0GSeuE8wZdtHAixDNyuiDO3IBLyXZRr+Z
hgGZ/xZkixro74vYm7A9jNMRTfFyf8ALT6ySXf9wO7Dzd+EJnWIwyajlb2hulSYh
9hx+fCHctA/SJB9eY75+Tcp5vrOULmAuji3ddFGWp2MxsTz1j6mlJRhVs2z+GJ+f
6D4X/kWtRS8vVpQI6j92VX6oJWZ+8qdq1aSO6OYS9GeqrXzk9ADrcgnZIgysOEEc
Q4y3RxzY+IubY0LEJHBkbEmDeip08AlKLFkyNPTwfsAJgNcqe521u19lRSJNCJ6I
WhjCyOZBV3rGBVKKmg9cZgHGiIsTgTrtqyFnhJo/sR32G6t2hovSqf+ftV8XkpF1
y/2ueT8Z9Gx+awsTY3Smgm7Xrzb8IV157wgJc+76jduKWY3oey6nrSMc6gIkYXjd
kWoNQ0egJGuPz+Fx+PPR
=GnM+
-----END PGP SIGNATURE-----

Message #26 received at 807801@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Pierre Schweitzer <pierre@reactos.org>

Cc: team@security.debian.org, pkg-kde-extras@lists.alioth.debian.org, 807801@bugs.debian.org

Subject: Re: Sponsoring for upload CVE-2015-8547

Date: Sun, 27 Dec 2015 09:09:13 +0100

[Message part 1 (text/plain, inline)]

Hi Pierre,

On Mon, Dec 14, 2015 at 10:28:26PM +0100, Pierre Schweitzer wrote:
> Dear all,
> 
> After having asked for a CVE[0] for this Quassel issue [1], I've
> uploaded you (attached) a debdiff & dsc to the bug report for an upload.
> Would you be able to sponsor the upload, as I can't?
> Or perhaps the maintainers are available for the upload?

Can you help me evaluating the issue, since I'm not a quassel user
myself: From a quick search and a bit of testing with a
quassel-client/quassel-core setup, am I right that

 a/ multi-user setups with quassel-core are non-default and not
    so frequent?
 b/ This issue can (only) be triggered by a client connected to a
    quassel core?

Regards,
Salvatore

[signature.asc (application/pgp-signature, inline)]

Message #31 received at 807801@bugs.debian.org (full text, mbox, reply):

From: Pierre Schweitzer <pierre@reactos.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: team@security.debian.org, pkg-kde-extras@lists.alioth.debian.org, 807801@bugs.debian.org

Subject: Re: Sponsoring for upload CVE-2015-8547

Date: Sun, 27 Dec 2015 10:55:28 +0100

[Message part 1 (text/plain, inline)]

Hi Salvatore,

On 27/12/2015 09:09, Salvatore Bonaccorso wrote:
> Hi Pierre,
> 
> On Mon, Dec 14, 2015 at 10:28:26PM +0100, Pierre Schweitzer wrote:
>> Dear all,
>>
>> After having asked for a CVE[0] for this Quassel issue [1], I've
>> uploaded you (attached) a debdiff & dsc to the bug report for an upload.
>> Would you be able to sponsor the upload, as I can't?
>> Or perhaps the maintainers are available for the upload?
> 
> Can you help me evaluating the issue, since I'm not a quassel user
> myself: From a quick search and a bit of testing with a
> quassel-client/quassel-core setup, am I right that
> 
>  a/ multi-user setups with quassel-core are non-default and not
>     so frequent?

It's hard to say. However, there are no well-known Quassel providers (as
you would have for ZNC/BNC).

>  b/ This issue can (only) be triggered by a client connected to a
>     quassel core?

Yes.

Regards,
-- 
Pierre Schweitzer <pierre at reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.

[signature.asc (application/pgp-signature, attachment)]

Message #36 received at 807801@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Pierre Schweitzer <pierre@reactos.org>

Cc: team@security.debian.org, pkg-kde-extras@lists.alioth.debian.org, 807801@bugs.debian.org

Subject: Re: Sponsoring for upload CVE-2015-8547

Date: Sun, 27 Dec 2015 20:34:34 +0100

Hi Pierre,

Thanks for you quick reply, really appreciated.

On Sun, Dec 27, 2015 at 10:55:28AM +0100, Pierre Schweitzer wrote:
> Hi Salvatore,
> 
> On 27/12/2015 09:09, Salvatore Bonaccorso wrote:
> > Hi Pierre,
> > 
> > On Mon, Dec 14, 2015 at 10:28:26PM +0100, Pierre Schweitzer wrote:
> >> Dear all,
> >>
> >> After having asked for a CVE[0] for this Quassel issue [1], I've
> >> uploaded you (attached) a debdiff & dsc to the bug report for an upload.
> >> Would you be able to sponsor the upload, as I can't?
> >> Or perhaps the maintainers are available for the upload?
> > 
> > Can you help me evaluating the issue, since I'm not a quassel user
> > myself: From a quick search and a bit of testing with a
> > quassel-client/quassel-core setup, am I right that
> > 
> >  a/ multi-user setups with quassel-core are non-default and not
> >     so frequent?
> 
> It's hard to say. However, there are no well-known Quassel providers (as
> you would have for ZNC/BNC).
> 
> >  b/ This issue can (only) be triggered by a client connected to a
> >     quassel core?
> 
> Yes.

I think this then can be fixed via a Jessie point release, which is
around the corner. Can you contact the SRM to have it scheduled via
jessie-pu?

Cf.
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

You can add me to Cc when you fill the bug against release.debian.org,
if you then need a sponsor after the ack of the stable release
managers.

(n.b.: the targetting distribution needs to be changed to jessie in
the debdiff in this case).

Regards,
Salvatore

Message #41 received at 807801-close@bugs.debian.org (full text, mbox, reply):

From: Pierre Schweitzer <pierre@reactos.org>

To: 807801-close@bugs.debian.org

Subject: Bug#807801: fixed in quassel 1:0.10.0-2.3+deb8u2

Date: Fri, 01 Jan 2016 15:47:10 +0000

Source: quassel
Source-Version: 1:0.10.0-2.3+deb8u2

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 807801@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Schweitzer <pierre@reactos.org> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 13 Dec 2015 11:04:05 +0100
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: all source
Version: 1:0.10.0-2.3+deb8u2
Distribution: jessie
Urgency: high
Maintainer: Thomas Mueller <thomas.mueller@tmit.eu>
Changed-By: Pierre Schweitzer <pierre@reactos.org>
Closes: 807801
Description: 
 quassel    - distributed IRC client - Qt-based monolithic core+client
 quassel-client - distributed IRC client - Qt-based client component
 quassel-client-kde4 - distributed IRC client - KDE-based client
 quassel-core - distributed IRC client - core component
 quassel-data - distributed IRC client - shared data (Qt version)
 quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
 quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Changes:
 quassel (1:0.10.0-2.3+deb8u2) jessie; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2015-8547: remote DoS in quassel core, using /op * command.
     (Closes: #807801)
     - Add debian/patches/CVE-2015-8547.patch, cherry-picked from upstream.
Checksums-Sha1: 
 ac6d467977e0f6620b40897f634257106c618ff9 2386 quassel_0.10.0-2.3+deb8u2.dsc
 5aaaeb6c1f13f485598f9b28ba5cf19f7f613a81 23064 quassel_0.10.0-2.3+deb8u2.debian.tar.xz
 56558db9a08bd3dca419141b971a2a787cb48ceb 23042 quassel-data_0.10.0-2.3+deb8u2_all.deb
 6c804495b37a79a6b0b1da8c0a946ed1e3ff00d5 624004 quassel-data-kde4_0.10.0-2.3+deb8u2_all.deb
Checksums-Sha256: 
 7f4fcbb5ce243ab74867298f42ac3c2cbe944e1c5463c806932a90a0b44a35b8 2386 quassel_0.10.0-2.3+deb8u2.dsc
 dac4451c9b9fcabd2f5e0b53afdf3a879fe41cb90d91a9e53984bdb31c339d5a 23064 quassel_0.10.0-2.3+deb8u2.debian.tar.xz
 4837531376475b775d56fa1344811fe91e1e696205e63c68c1711d50212f0f27 23042 quassel-data_0.10.0-2.3+deb8u2_all.deb
 9657b775d6d543352dd5040a58692eccdcbef47c24cf4f856296c46a20fd1577 624004 quassel-data-kde4_0.10.0-2.3+deb8u2_all.deb
Files: 
 d7621d4383f8d05bdd6bed1f9e755685 2386 net optional quassel_0.10.0-2.3+deb8u2.dsc
 6411d27b24e1677455258cd951d2764b 23064 net optional quassel_0.10.0-2.3+deb8u2.debian.tar.xz
 8a5e0cb3206a97d05de05e6deb1f7f43 23042 net optional quassel-data_0.10.0-2.3+deb8u2_all.deb
 4e92982c71660643d6932e46394148bf 624004 net optional quassel-data-kde4_0.10.0-2.3+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWgg0iAAoJEAVMuPMTQ89EeK0P/0UdBpWnSsDDvelQOVTCL6dQ
FP0ty9wiHQsj31K6mzu1VJBpJbfJsgHdJPm8JXMlG8Hbp8i8xk6tnIz22DWxfIAM
hSdIStytzLWqdsZXDJhH8P10q3pW2xoeUMhahOyXMGKe1pFlij5RaXVRk75ThvQT
07p1OqU0LxgBkCFRE14r+87hDqZOPlkbx9ypulrjeHFxi5jzhop2P0DXjopgu3o2
VxX5+IyrAe0omEujS9oO4mee8xZs455GgYBBsxI6VglPpXI8se4glx6+aAzl0sKJ
7A/pPjrjd8wozuBlattmqq2nMMsRmQbSEp7RtbwXZOvA5ZQMo0o2UJLhPr3SYNmb
7qM6a992Rr4VfiAv5YpsHPYlgPwEYcnIspg8Ylh4E9tZbbwJ9jZOdblNAWd9rGMH
gW4pA7JU41US2Yx82HCJtrltmsWyQUkM5kDi/7rS+GGzLVGmwAq9K8UcYJeGB4LG
JtNF/qonHCitee2bDVb4VrrNk41nXqCfXPSav6fX1rWnObVa633QoE8F/X7T4e75
b2QuDAxeca/OCBZIxUypuvXigQjU5UGm+oQXzWDkeIBwvcDb9VnjZyyXtQJGFVBY
jqONveyoBD6bI2h4QWbDcte6SD4Ogd17dvD05xgQc2uA6CKS7J72AM1oHM1URpNg
iOnEOYPCgzdn211Jh09i
=3hJr
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.