CVE-2014-8483: quassel: out-of-bounds read issue

Related Vulnerabilities: CVE-2014-8483  

Debian Bug report logs - #766962

Reported by: Henri Salo <henri@nerv.fi>

Date: Mon, 27 Oct 2014 09:06:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions quassel/0.8.0-1, quassel/0.11.0-1, quassel/0.10.0-2

Fixed in versions quassel/0.10.0-2.1, quassel/0.8.0-1+deb7u3, quassel/1:0.10.0-2.2

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Mon, 27 Oct 2014 09:06:07 GMT) (full text, mbox, link).


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Mon, 27 Oct 2014 09:06:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: CVE-2014-8483: quassel: out-of-bounds read issue
Date: Mon, 27 Oct 2014 11:02:32 +0200

Package: quassel
Version: 0.10.0-2
Severity: important
Tags: security, fixed-upstream

https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138
http://bugs.quassel-irc.org/issues/1314

"""
 Check for invalid input in encrypted buffers

 The ECB Blowfish decryption function assumed that encrypted input would
 always come in blocks of 12 characters, as specified. However, buggy
 clients or annoying people may not adhere to that assumption, causing
 the core to crash while trying to process the invalid base64 input.

 With this commit we make sure that we're not overstepping the bounds of
 the input string while decoding it; instead we bail out early and display
 the original input. Fixes #1314.

 Thanks to Tucos for finding that one!
"""

---
Henri Salo
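The commit message quoted above describes the defect: the ECB Blowfish decryption path assumed its input was a whole number of 12-character blocks and read past the end of the buffer when it was not. The following C++ is an added example, not Quassel's own code, showing a bounds-checked decoder for that 12-character block format; the alphabet and the right-word-first layout are assumed from the FiSH/mircryption convention, and Blowfish itself is left out so that the validation step stands alone.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

// Added example, not Quassel's code. Alphabet and block layout follow the
// FiSH/mircryption convention (assumed): 8 ciphertext bytes -> 12 characters,
// the right 32-bit word first, low 6 bits of each word emitted first.
static const std::string kFishB64 =
    "./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
constexpr std::size_t kBlockChars = 12;

// Map one character to its 6-bit value, or -1 if it is not in the alphabet.
static int fishB64Value(char c) {
    std::string::size_type pos = kFishB64.find(c);
    return pos == std::string::npos ? -1 : static_cast<int>(pos);
}

// Decode six characters starting at `offset` into one 32-bit word. The caller
// guarantees that the six characters exist. Returns false on a character
// outside the alphabet or a value that does not fit in 32 bits (a canonical
// block uses only 2 bits of the sixth character).
static bool decodeWord(const std::string& text, std::size_t offset, uint32_t& word) {
    uint64_t acc = 0;
    for (std::size_t i = 0; i < 6; ++i) {
        int v = fishB64Value(text[offset + i]);
        if (v < 0) return false;
        acc |= static_cast<uint64_t>(v) << (6 * i);
    }
    if (acc > 0xFFFFFFFFull) return false;
    word = static_cast<uint32_t>(acc);
    return true;
}

// Bounds-checked decoder. The pre-fix code consumed 12 characters per block
// without checking that they were all present, so a message whose length was
// not a multiple of 12 made the core read past the end of its buffer. Here
// the length is validated before any indexing, and malformed input yields
// nullopt so the caller can fall back to displaying the original text.
std::optional<std::vector<uint8_t>> decodeFishBase64(const std::string& text) {
    if (text.empty() || text.size() % kBlockChars != 0) {
        return std::nullopt;  // not a whole number of blocks: bail out early
    }
    std::vector<uint8_t> out;
    out.reserve(text.size() / kBlockChars * 8);
    for (std::size_t off = 0; off < text.size(); off += kBlockChars) {
        uint32_t right = 0, left = 0;
        if (!decodeWord(text, off, right) || !decodeWord(text, off + 6, left)) {
            return std::nullopt;  // bad character or non-canonical block
        }
        for (int shift = 24; shift >= 0; shift -= 8) {
            out.push_back(static_cast<uint8_t>(left >> shift));
        }
        for (int shift = 24; shift >= 0; shift -= 8) {
            out.push_back(static_cast<uint8_t>(right >> shift));
        }
    }
    return out;
}

// Encoder for the same layout, used to build test vectors. Input length must
// be a multiple of 8 (a sender pads the ciphertext to the block size).
std::string encodeFishBase64(const std::vector<uint8_t>& data) {
    std::string out;
    for (std::size_t off = 0; off + 8 <= data.size(); off += 8) {
        uint32_t left = 0, right = 0;
        for (std::size_t i = 0; i < 4; ++i) {
            left = (left << 8) | data[off + i];
            right = (right << 8) | data[off + 4 + i];
        }
        for (int i = 0; i < 6; ++i) { out += kFishB64[right & 0x3f]; right >>= 6; }
        for (int i = 0; i < 6; ++i) { out += kFishB64[left & 0x3f]; left >>= 6; }
    }
    return out;
}

// Encode, decode, and compare: true only when the decoder accepted the text
// and reproduced the input exactly.
bool roundTrips(const std::vector<uint8_t>& data) {
    std::optional<std::vector<uint8_t>> back = decodeFishBase64(encodeFishBase64(data));
    return back.has_value() && *back == data;
}
```

A 13-character message, the kind of truncated or hand-typed input the commit message refers to, is rejected before any character is read, which is the whole point of the upstream fix.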



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Oct 2014 09:27:08 GMT) (full text, mbox, link).


Marked as found in versions quassel/0.8.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 27 Oct 2014 16:03:20 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Tue, 28 Oct 2014 16:45:08 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Tue, 28 Oct 2014 16:45:08 GMT) (full text, mbox, link).


Message #14 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Henri Salo <henri@nerv.fi>, 766962@bugs.debian.org
Subject: Re: Bug#766962: CVE-2014-8483: quassel: out-of-bounds read issue
Date: Tue, 28 Oct 2014 17:43:44 +0100
Control: tags -1 + patch

Hi

Attached are proposed debdiffs for unstable (and wheezy-security).
I have, however, not (yet) tested the resulting packages.

Regards,
Salvatore
[quassel_0.10.0-2.1.debdiff (text/plain, attachment)]
[quassel_0.8.0-1+deb7u3.debdiff (text/plain, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 766962-submit@bugs.debian.org. (Tue, 28 Oct 2014 16:45:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Sat, 01 Nov 2014 14:15:12 GMT) (full text, mbox, link).


Acknowledgement sent to Pierre Schweitzer <pierre@reactos.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

(Sat, 01 Nov 2014 14:15:12 GMT) (full text, mbox, link).


Message #21 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Pierre Schweitzer <pierre@reactos.org>
To: 766962@bugs.debian.org
Date: Sat, 01 Nov 2014 14:47:42 +0100

Tested the quassel-core_0.8.0-1+deb7u3_amd64.deb matching the debdiff
from Salvatore.
It's working fine.

-- 
Pierre Schweitzer <pierre at reactos.org>
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Sun, 02 Nov 2014 18:39:09 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Sun, 02 Nov 2014 18:39:09 GMT) (full text, mbox, link).


Message #26 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 766962@bugs.debian.org, luciano@debian.org
Subject: quassel: diff for NMU version 0.10.0-2.1
Date: Sun, 2 Nov 2014 19:35:34 +0100
Control: tags 766962 + pending

Hi Thomas,

I've prepared an NMU for quassel (versioned as 0.10.0-2.1) and uploaded
it to DELAYED/2. Please feel free to tell me if I should delay it
longer. Note that Luciano Bello is planning to release a DSA for
wheezy-security too.

Regards,
Salvatore
[quassel-0.10.0-2.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 766962-submit@bugs.debian.org. (Sun, 02 Nov 2014 18:39:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Sun, 02 Nov 2014 21:48:10 GMT) (full text, mbox, link).


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Sun, 02 Nov 2014 21:48:10 GMT) (full text, mbox, link).


Message #33 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>
To: 766962@bugs.debian.org
Subject: Re: quassel: diff for NMU version 0.10.0-2.1
Date: Sun, 02 Nov 2014 22:44:18 +0100
On Sunday 02 November 2014 19.35.34 Salvatore Bonaccorso wrote:
> Note that Luciano Bello is planning to release a DSA for
> wheezy-security too.

DSA released: 
https://lists.debian.org/debian-security-announce/2014/msg00251.html

Cheers, luciano

Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Mon, 03 Nov 2014 08:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Müller <thomas.mueller@tmit.eu>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Mon, 03 Nov 2014 08:27:04 GMT) (full text, mbox, link).


Message #38 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Thomas Müller <thomas.mueller@tmit.eu>
To: Luciano Bello <luciano@debian.org>, 766962@bugs.debian.org
Subject: Re: Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Date: Mon, 03 Nov 2014 09:15:25 +0100
Thanks a lot for your support on this - very much welcome!

Thomas

-- 
Thomas Müller                 E-Mail: thomas.mueller@tmit.eu


On Sunday, 02.11.2014 at 22:44, Luciano Bello wrote:
> On Sunday 02 November 2014 19.35.34 Salvatore Bonaccorso wrote:
> > Note that Luciano Bello is planning to release a DSA for
> > wheezy-security too.
> 
> DSA released: 
> https://lists.debian.org/debian-security-announce/2014/msg00251.html
> 
> Cheers, luciano



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Mon, 03 Nov 2014 08:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Mon, 03 Nov 2014 08:45:04 GMT) (full text, mbox, link).


Message #43 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Müller <thomas.mueller@tmit.eu>, 766962@bugs.debian.org
Cc: Luciano Bello <luciano@debian.org>
Subject: Re: Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Date: Mon, 3 Nov 2014 09:41:34 +0100
Hi Thomas,

Thanks for your reply. Just a question below:

On Mon, Nov 03, 2014 at 09:15:25AM +0100, Thomas Müller wrote:
> 
> Thanks a lot for your support on this - very much welcome!

Do you plan to override my NMU in the delayed queue? If not I would
like to move it straight to the archive from the delayed queue without
the 2 days delay.

Please let me know and thanks for your work in maintaining quassel!

Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Mon, 03 Nov 2014 08:48:10 GMT) (full text, mbox, link).


Acknowledgement sent to Thomas Müller <thomas.mueller@tmit.eu>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Mon, 03 Nov 2014 08:48:10 GMT) (full text, mbox, link).


Message #48 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Thomas Müller <thomas.mueller@tmit.eu>
To: Salvatore Bonaccorso <carnil@debian.org>, 766962@bugs.debian.org
Cc: Luciano Bello <luciano@debian.org>
Subject: Re: Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Date: Mon, 03 Nov 2014 09:46:16 +0100
Hi,

I have no plans to override your NMUs - I'll prepare an upload of 0.11.0 to unstable these days.

Regards,

Thomas


On Monday, 03.11.2014 at 9:41, Salvatore Bonaccorso wrote:
> Hi Thomas,
> 
> Thanks for your reply. Just a question below:
> 
> On Mon, Nov 03, 2014 at 09:15:25AM +0100, Thomas Müller wrote:
> > 
> > Thanks a lot for your support on this - very much welcome!
> 
> Do you plan to override my NMU in the delayed queue? If not I would
> like to move it straight to the archive from the delayed queue without
> the 2 days delay.
> 
> Please let me know and thanks for your work in maintaining quassel!
> 
> Salvatore
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Mon, 03 Nov 2014 14:00:08 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Mon, 03 Nov 2014 14:00:08 GMT) (full text, mbox, link).


Message #53 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Thomas Müller <thomas.mueller@tmit.eu>, 766962@bugs.debian.org
Cc: Luciano Bello <luciano@debian.org>
Subject: Re: Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Date: Mon, 3 Nov 2014 14:57:35 +0100
Hi,

On Mon, Nov 03, 2014 at 09:46:16AM +0100, Thomas Müller wrote:
> Hi,
> 
> I have no plans to override your NMUs - I'll prepare an upload of
> 0.11.0 to unstable these days.

Ok thanks! Please note that we are shortly before the freeze, so
consider to upload the new upstream version to unstable.

 [1] https://lists.debian.org/debian-devel-announce/2014/09/msg00002.html
 [2] https://release.debian.org/jessie/freeze_policy.html

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Mon, 03 Nov 2014 17:21:12 GMT) (full text, mbox, link).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Mon, 03 Nov 2014 17:21:12 GMT) (full text, mbox, link).


Message #58 received at 766962-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 766962-close@bugs.debian.org
Subject: Bug#766962: fixed in quassel 0.10.0-2.1
Date: Mon, 03 Nov 2014 17:19:21 +0000
Source: quassel
Source-Version: 0.10.0-2.1

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 766962@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 02 Nov 2014 19:10:58 +0100
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source amd64 all
Version: 0.10.0-2.1
Distribution: unstable
Urgency: high
Maintainer: Thomas Mueller <thomas.mueller@tmit.eu>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 quassel    - distributed IRC client - Qt-based monolithic core+client
 quassel-client - distributed IRC client - Qt-based client component
 quassel-client-kde4 - distributed IRC client - KDE-based client
 quassel-core - distributed IRC client - core component
 quassel-data - distributed IRC client - shared data (Qt version)
 quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
 quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 766962
Changes:
 quassel (0.10.0-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2014-8483.patch patch.
     CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
     (Closes: #766962)





Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Tue, 04 Nov 2014 12:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Tue, 04 Nov 2014 12:48:04 GMT) (full text, mbox, link).


Message #63 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 766962@bugs.debian.org
Cc: Thomas Müller <thomas.mueller@tmit.eu>, Luciano Bello <luciano@debian.org>
Subject: Re: Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Date: Tue, 4 Nov 2014 13:44:20 +0100
Hi,

On Mon, Nov 03, 2014 at 02:57:35PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, Nov 03, 2014 at 09:46:16AM +0100, Thomas Müller wrote:
> > Hi,
> > 
> > I have no plans to override your NMUs - I'll prepare an upload of
> > 0.11.0 to unstable these days.
> 
> Ok thanks! Please note that we are shortly before the freeze, so
> consider to upload the new upstream version to unstable.

... there was a small tiny word missing in my sentence: the "not". We
are currently shortly before the freeze; it is quite impossible that the
release team will accept the new upstream version into jessie.

It should have been read: [...] so please consider to upload the new
upstream version to experimental.

Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Wed, 05 Nov 2014 17:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Felix Geyer <fgeyer@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Wed, 05 Nov 2014 17:48:04 GMT) (full text, mbox, link).


Message #68 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Felix Geyer <fgeyer@debian.org>
To: 766962@bugs.debian.org
Subject: Re: Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Date: Wed, 05 Nov 2014 18:45:09 +0100
Control: reopen -1
Control: found -1 0.11.0-1

Version 0.11.0 does *not* contain the commit that fixes this bug.
0.11.0-1 is also wrongly marked as fixed in the security tracker.

I guess now 0.10.0-2.1 has to be re-uploaded with a different version
to testing-proposed-updates.

Cheers,
Felix



Bug reopened Request was from Felix Geyer <fgeyer@debian.org> to 766962-submit@bugs.debian.org. (Wed, 05 Nov 2014 17:48:04 GMT) (full text, mbox, link).


No longer marked as fixed in versions quassel/0.10.0-2.1. Request was from Felix Geyer <fgeyer@debian.org> to 766962-submit@bugs.debian.org. (Wed, 05 Nov 2014 17:48:05 GMT) (full text, mbox, link).


Marked as found in versions quassel/0.11.0-1. Request was from Felix Geyer <fgeyer@debian.org> to 766962-submit@bugs.debian.org. (Wed, 05 Nov 2014 17:48:06 GMT) (full text, mbox, link).


Marked as fixed in versions quassel/0.10.0-2.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Nov 2014 19:00:12 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas.mueller@tmit.eu>:
Bug#766962; Package quassel. (Wed, 05 Nov 2014 19:15:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas.mueller@tmit.eu>. (Wed, 05 Nov 2014 19:15:05 GMT) (full text, mbox, link).


Message #81 received at 766962@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Felix Geyer <fgeyer@debian.org>, 766962@bugs.debian.org
Subject: Re: Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Date: Wed, 5 Nov 2014 20:13:40 +0100
Hi Felix,

On Wed, Nov 05, 2014 at 06:45:09PM +0100, Felix Geyer wrote:
> Control: reopen -1
> Control: found -1 0.11.0-1
>
> Version 0.11.0 does *not* contain the commit that fixes this bug.

Thanks for checking also this version!

> 0.11.0-1 is also wrongly marked as fixed in the security tracker.

Yes and no about the security-tracker. The CVE/bug was fixed in
0.10.0-2.1, which was superseded by 0.11.0-1 in unstable before
reaching testing. The security-tracker cannot notice that it was fixed
in 0.10.0-2.1 but would not be fixed in 0.11.0-1 (as 0.10.0-2.1 <
0.11.0-1). The security-tracker has the following entry, which now
needs an adjustment depending on the chosen approach:

CVE-2014-8483 [out-of-bounds read on a heap-allocated array]
        RESERVED
        {DSA-3063-1}
        - quassel 0.10.0-2.1 (bug #766962)
        NOTE: https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138
        NOTE: http://bugs.quassel-irc.org/issues/1314
        - konversation <unfixed>
        NOTE: https://bugs.kde.org/show_bug.cgi?id=210792

> I guess now 0.10.0-2.1 has to be re-uploaded with a different version
> to testing-proposed-updates.

Either that or a 1:0.10.0-2.1 upload again to unstable, and ask the
release team for an unblock of this version. I think the latter would
be preferable as it leaves more chances of updates through unstable
during the freeze, complying with the freeze policy given.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 06 Nov 2014 17:09:10 GMT) (full text, mbox, link).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Thu, 06 Nov 2014 17:09:10 GMT) (full text, mbox, link).


Message #86 received at 766962-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 766962-close@bugs.debian.org
Subject: Bug#766962: fixed in quassel 0.8.0-1+deb7u3
Date: Thu, 06 Nov 2014 17:05:47 +0000
Source: quassel
Source-Version: 0.8.0-1+deb7u3

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 766962@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 28 Oct 2014 17:10:53 +0100
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source amd64 all
Version: 0.8.0-1+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Thomas Mueller <thomas.mueller@tmit.eu>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 quassel    - distributed IRC client - Qt-based monolithic core+client
 quassel-client - distributed IRC client - Qt-based client component
 quassel-client-kde4 - distributed IRC client - KDE-based client
 quassel-core - distributed IRC client - core component
 quassel-data - distributed IRC client - shared data (Qt version)
 quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
 quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 766962
Changes: 
 quassel (0.8.0-1+deb7u3) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2014-8483.patch patch.
     CVE-2014-8483: out-of-bounds read on a heap-allocated array.
     (Closes: #766962)





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sat, 08 Nov 2014 15:33:10 GMT) (full text, mbox, link).


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 08 Nov 2014 15:33:10 GMT) (full text, mbox, link).


Message #91 received at 766962-close@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 766962-close@bugs.debian.org
Subject: Bug#766962: fixed in quassel 1:0.10.0-2.2
Date: Sat, 08 Nov 2014 15:30:00 +0000
Source: quassel
Source-Version: 1:0.10.0-2.2

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 766962@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 08 Nov 2014 14:14:56 +0100
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source amd64 all
Version: 1:0.10.0-2.2
Distribution: unstable
Urgency: high
Maintainer: Thomas Mueller <thomas.mueller@tmit.eu>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
 quassel    - distributed IRC client - Qt-based monolithic core+client
 quassel-client - distributed IRC client - Qt-based client component
 quassel-client-kde4 - distributed IRC client - KDE-based client
 quassel-core - distributed IRC client - core component
 quassel-data - distributed IRC client - shared data (Qt version)
 quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
 quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 766962
Changes:
 quassel (1:0.10.0-2.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Increment Debian revision and epoch to re-upload 0.10.0-2.1 to
     unstable containing the fix for #766962 / CVE-2014-8483:
     out-of-bounds read in ECB Blowfish decryption.
 .
 quassel (0.10.0-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2014-8483.patch patch.
     CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
     (Closes: #766962)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Dec 2014 07:31:16 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:23:26 2019; Machine Name: beach
