Debian Bug report logs - #506550
quassel: IRC client command injection vulnerability

Package: quassel; Maintainer for quassel is Debian KDE Extras Team <pkg-kde-extras@lists.alioth.debian.org>; Source for quassel is src:quassel.

Reported by: Eckhart Wörner <kde@ewsoftware.de>

Date: Sat, 22 Nov 2008 14:15:02 UTC

Severity: grave

Tags: security

Fixed in version quassel/0.2~rc1-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, kde@ewsoftware.de, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Thomas Mueller <thomas_mueller_ffb@online.de>:
Bug#506550; Package quassel. (Sat, 22 Nov 2008 14:15:04 GMT)


Acknowledgement sent to Eckhart Wörner <kde@ewsoftware.de>:
New Bug report received and forwarded. Copy sent to kde@ewsoftware.de, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Thomas Mueller <thomas_mueller_ffb@online.de>. (Sat, 22 Nov 2008 14:15:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Eckhart Wörner <kde@ewsoftware.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: quassel: IRC client command injection vulnerability
Date: Sat, 22 Nov 2008 15:13:43 +0100
Package: quassel
Severity: grave
Tags: security
Justification: user security hole

Quassel version in Debian is vulnerable to IRC command injection as described in http://www.frsirt.com/english/advisories/2008/3164
Updated packages are already available at http://quassel.irc.org/ , according to quassel developers a backport for the fix is also available.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (400, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages quassel depends on:
ii  libc6                  2.7-16            GNU C Library: Shared libraries
ii  libfontconfig1         2.6.0-3           generic font configuration library
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
ii  libgcc1                1:4.3.2-1         GCC support library
ii  libice6                2:1.0.4-1         X11 Inter-Client Exchange library
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libqt4-network         4.4.3-1           Qt 4 network module
ii  libqtcore4             4.4.3-1           Qt 4 core module
ii  libqtgui4              4.4.3-1           Qt 4 GUI module
ii  libsm6                 2:1.0.3-2         X11 Session Management library
ii  libstdc++6             4.3.2-1           The GNU Standard C++ Library v3
ii  libx11-6               2:1.1.5-2         X11 client-side library
ii  libxext6               2:1.0.4-1         X11 miscellaneous extension librar
ii  libxi6                 2:1.1.4-1         X11 Input extension library
ii  libxrandr2             2:1.2.3-1         X11 RandR extension library
ii  libxrender1            1:0.9.4-2         X Rendering Extension client libra
pn  quassel-core           <none>            (no description available)
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

quassel recommends no packages.

quassel suggests no packages.




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas_mueller_ffb@online.de>:
Bug#506550; Package quassel. (Sat, 22 Nov 2008 14:27:07 GMT)


Acknowledgement sent to Eckhart Wörner <kde@ewsoftware.de>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas_mueller_ffb@online.de>. (Sat, 22 Nov 2008 14:27:07 GMT)


Message #10 received at 506550@bugs.debian.org:

From: Eckhart Wörner <kde@ewsoftware.de>
To: 506550@bugs.debian.org
Subject: Re: Bug#506550: quassel: IRC client command injection vulnerability
Date: Sat, 22 Nov 2008 15:24:43 +0100
Actually the problem lies within quassel-core (same source package), stupid 
me.




Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas_mueller_ffb@online.de>:
Bug#506550; Package quassel. (Sun, 23 Nov 2008 01:06:02 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas_mueller_ffb@online.de>. (Sun, 23 Nov 2008 01:06:03 GMT)


Message #15 received at 506550@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 506550@bugs.debian.org
Subject: Re: quassel: IRC client command injection vulnerability
Date: Sun, 23 Nov 2008 02:01:20 +0100
On Sat, Nov 22, 2008 at 03:13:43PM +0100, Eckhart Wörner wrote:
> Package: quassel
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Quassel version in Debian is vulnerable to IRC command injection as described in http://www.frsirt.com/english/advisories/2008/3164
> Updated packages are already available at http://quassel.irc.org/ , according to quassel developers a backport for the fix is also available.

I've been looking at the upstream homepage for a patch and upstream
describes the Debian package as "hopelessly outdated and unmaintained"
and points to an external build. As such, it should likely be dropped
from Lenny rather than fixed. It can be brought into proper shape for
Squeeze (more recent packages are already available on mentors.debian.net)

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#506550; Package quassel. (Mon, 24 Nov 2008 07:39:08 GMT)


Acknowledgement sent to Thomas Mueller <thomas_mueller_ffb@online.de>:
Extra info received and forwarded to list. (Mon, 24 Nov 2008 07:39:08 GMT)


Message #20 received at 506550@bugs.debian.org:

From: Thomas Mueller <thomas_mueller_ffb@online.de>
To: Moritz Muehlenhoff <jmm@inutil.org>, 506550@bugs.debian.org
Subject: Re: Bug#506550: quassel: IRC client command injection vulnerability
Date: Mon, 24 Nov 2008 08:29:38 +0100
On Sunday, 23 November 2008, Moritz Muehlenhoff wrote:
> On Sat, Nov 22, 2008 at 03:13:43PM +0100, Eckhart Wörner wrote:
> > Package: quassel
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Quassel version in Debian is vulnerable to IRC command injection as
> > described in http://www.frsirt.com/english/advisories/2008/3164 Updated
> > packages are already available at http://quassel.irc.org/ , according to
> > quassel developers a backport for the fix is also available.
>
> I've been looking at the upstream homepage for a patch and upstream
> describes the Debian package as "hopelessly outdated and unmaintained"
> and points to an external build. As such, it should likely be dropped
> from Lenny rather than fixed. It can be brought into proper shape for
> Squeeze (more recent packages are already available on mentors.debian.net)
>
> Cheers,
>         Moritz


The package at mentors.debian.org is just a backport of the Ubuntu package 
and does not fit the Debian package rules like copyright etc.

The packages for 0.3.0 have been ready for weeks but my uploader is too busy with 
lenny.

New 0.2.0 packages containing the security patch will be available today.

THX and take care,

Tom





Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas_mueller_ffb@online.de>:
Bug#506550; Package quassel. (Sat, 29 Nov 2008 10:30:03 GMT)


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas_mueller_ffb@online.de>. (Sat, 29 Nov 2008 10:30:04 GMT)


Message #25 received at 506550@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Thomas Mueller <thomas_mueller_ffb@online.de>
Cc: 506550@bugs.debian.org
Subject: Re: Bug#506550: quassel: IRC client command injection vulnerability
Date: Sat, 29 Nov 2008 11:28:43 +0100 (CET)
> New 0.2.0 packages containing the security patch will be available 
> today.

What is the status here? If you just lack a sponsor, just ask me or any 
other security team member.

Cheers,
Stefan





Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas_mueller_ffb@online.de>:
Bug#506550; Package quassel. (Sat, 29 Nov 2008 14:42:13 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas_mueller_ffb@online.de>. (Sat, 29 Nov 2008 14:42:13 GMT)


Message #30 received at 506550@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 506550@bugs.debian.org
Subject: intent to NMU
Date: Sat, 29 Nov 2008 15:38:20 +0100
Hi,
attached is a patch picked from the diff between the two 
releases to fix this issue.

Will upload as NMU.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[quassel-0.2~rc1-1_0.2~rc1-1.1.patch (text/x-diff, attachment)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Sat, 29 Nov 2008 16:27:12 GMT)


Notification sent to Eckhart Wörner <kde@ewsoftware.de>:
Bug acknowledged by developer. (Sat, 29 Nov 2008 16:27:13 GMT)


Message #35 received at 506550-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 506550-close@bugs.debian.org
Subject: Bug#506550: fixed in quassel 0.2~rc1-1.1
Date: Sat, 29 Nov 2008 16:17:17 +0000
Source: quassel
Source-Version: 0.2~rc1-1.1

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive:

quassel-core_0.2~rc1-1.1_amd64.deb
  to pool/main/q/quassel/quassel-core_0.2~rc1-1.1_amd64.deb
quassel_0.2~rc1-1.1.diff.gz
  to pool/main/q/quassel/quassel_0.2~rc1-1.1.diff.gz
quassel_0.2~rc1-1.1.dsc
  to pool/main/q/quassel/quassel_0.2~rc1-1.1.dsc
quassel_0.2~rc1-1.1_amd64.deb
  to pool/main/q/quassel/quassel_0.2~rc1-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506550@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 29 Nov 2008 13:50:08 +0100
Source: quassel
Binary: quassel quassel-core
Architecture: source amd64
Version: 0.2~rc1-1.1
Distribution: unstable
Urgency: high
Maintainer: Thomas Mueller <thomas_mueller_ffb@online.de>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 quassel    - distributed IRC client using a central core component
 quassel-core - distributed IRC client using a central core component
Closes: 506550
Changes: 
 quassel (0.2~rc1-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix wrong dequoting for ctcp messages that enables attackers to craft
     a ctcp message and send arbitrary messages or irc commands to
     others (05_security.patch; Closes: #506550).
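
The changelog above attributes the bug to wrong dequoting of CTCP messages. The following added example (not Quassel's code and not 05_security.patch, which this page does not reproduce) shows CTCP low-level quoting as defined in the CTCP specification and why a parameter that was dequoted on receipt must be requoted before it is echoed in a reply. `buildCtcpReply`, `isSingleIrcLine` and the sample input are hypothetical names and constructed data.

```cpp
#include <string>
constexpr char MQUOTE = '\x10';  // CTCP low-level quote character

// Undo low-level quoting on a received CTCP message.
std::string lowLevelDequote(const std::string &in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != MQUOTE) { out += in[i]; continue; }
        if (++i == in.size()) break;  // dangling M-QUOTE: drop it
        switch (in[i]) {
            case '0': out += '\0'; break;
            case 'n': out += '\n'; break;
            case 'r': out += '\r'; break;
            default:  out += in[i];  // includes M-QUOTE M-QUOTE
        }
    }
    return out;
}

// Re-apply low-level quoting so NUL, LF, CR and M-QUOTE never go out raw.
std::string lowLevelQuote(const std::string &in) {
    std::string out;
    for (char c : in) {
        if (c == '\0')        { out += MQUOTE; out += '0'; }
        else if (c == '\n')   { out += MQUOTE; out += 'n'; }
        else if (c == '\r')   { out += MQUOTE; out += 'r'; }
        else if (c == MQUOTE) { out += MQUOTE; out += MQUOTE; }
        else                  out += c;
    }
    return out;
}

// Hypothetical reply builder echoing a parameter; requote=false is unsafe.
std::string buildCtcpReply(const std::string &nick, const std::string &tag,
                           const std::string &param, bool requote) {
    return "NOTICE " + nick + " :\x01" + tag + " " +
           (requote ? lowLevelQuote(param) : param) + "\x01\r\n";
}

// Guard before the socket write: the only CR/LF/NUL is the final CRLF.
bool isSingleIrcLine(const std::string &wire) {
    std::size_t n = wire.size();
    if (n < 2 || wire.compare(n - 2, 2, "\r\n") != 0) return false;
    return wire.find_first_of(std::string("\r\n\0", 3)) == n - 2;
}

int main() {  // constructed sample: parameter with a quoted line feed
    std::string p = lowLevelDequote("42\x10nSECOND LINE");
    return isSingleIrcLine(buildCtcpReply("peer", "PING", p, true)) ? 0 : 1;
}
```

Without requoting, the dequoted line feed splits the reply into two IRC lines; the guard rejects that output even if a quoting step is missed elsewhere.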





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#506550; Package quassel. (Sat, 29 Nov 2008 18:36:04 GMT)


Acknowledgement sent to Thomas Mueller <thomas_mueller_ffb@online.de>:
Extra info received and forwarded to list. (Sat, 29 Nov 2008 18:36:05 GMT)


Message #40 received at 506550@bugs.debian.org:

From: Thomas Mueller <thomas_mueller_ffb@online.de>
To: Stefan Fritsch <sf@sfritsch.de>, 506550@bugs.debian.org
Subject: Re: Bug#506550: quassel: IRC client command injection vulnerability
Date: Sat, 29 Nov 2008 19:34:09 +0100
On Saturday, 29 November 2008, Stefan Fritsch wrote:
> > New 0.2.0 packages containing the security patch will be available
> > today.
>
> What is the status here? If you just lack a sponsor, just ask me or any
> other security team member.
>
> Cheers,
> Stefan


Hi,

Nico Golde has done the fix already.
Thanks for offering your help.

I'll come back to you next time! ;-)

Take care,

Tom








Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 06 Jan 2009 07:32:38 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 08:09:53 2025; Machine Name: buxtehude
