Report forwarded
to debian-bugs-dist@lists.debian.org, kde@ewsoftware.de, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Thomas Mueller <thomas_mueller_ffb@online.de>: Bug#506550; Package quassel.
(Sat, 22 Nov 2008 14:15:04 GMT)
Acknowledgement sent
to Eckhart Wörner <kde@ewsoftware.de>:
New Bug report received and forwarded. Copy sent to kde@ewsoftware.de, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Thomas Mueller <thomas_mueller_ffb@online.de>.
(Sat, 22 Nov 2008 14:15:05 GMT)
Package: quassel
Severity: grave
Tags: security
Justification: user security hole
Quassel version in Debian is vulnerable to IRC command injection as described in http://www.frsirt.com/english/advisories/2008/3164
Updated packages are already available at http://quassel.irc.org/ , according to quassel developers a backport for the fix is also available.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (400, 'unstable'), (100, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages quassel depends on:
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libfontconfig1 2.6.0-3 generic font configuration library
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
ii libgcc1 1:4.3.2-1 GCC support library
ii libice6 2:1.0.4-1 X11 Inter-Client Exchange library
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libqt4-network 4.4.3-1 Qt 4 network module
ii libqtcore4 4.4.3-1 Qt 4 core module
ii libqtgui4 4.4.3-1 Qt 4 GUI module
ii libsm6 2:1.0.3-2 X11 Session Management library
ii libstdc++6 4.3.2-1 The GNU Standard C++ Library v3
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
ii libxi6 2:1.1.4-1 X11 Input extension library
ii libxrandr2 2:1.2.3-1 X11 RandR extension library
ii libxrender1 1:0.9.4-2 X Rendering Extension client libra
pn quassel-core <none> (no description available)
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
quassel recommends no packages.
quassel suggests no packages.
Information forwarded
to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas_mueller_ffb@online.de>: Bug#506550; Package quassel.
(Sat, 22 Nov 2008 14:27:07 GMT)
Acknowledgement sent
to Eckhart Wörner <kde@ewsoftware.de>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas_mueller_ffb@online.de>.
(Sat, 22 Nov 2008 14:27:07 GMT)
Actually the problem lies within quassel-core (same source package), stupid
me.
Information forwarded
to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas_mueller_ffb@online.de>: Bug#506550; Package quassel.
(Sun, 23 Nov 2008 01:06:02 GMT)
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas_mueller_ffb@online.de>.
(Sun, 23 Nov 2008 01:06:03 GMT)
On Sat, Nov 22, 2008 at 03:13:43PM +0100, Eckhart Wörner wrote:
> Package: quassel
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Quassel version in Debian is vulnerable to IRC command injection as described in http://www.frsirt.com/english/advisories/2008/3164
> Updated packages are already available at http://quassel.irc.org/ , according to quassel developers a backport for the fix is also available.
I've been looking at the upstream homepage for a patch and upstream
describes the Debian package as "hopelessly outdated and unmaintained"
and point to an external build. As such, it should likely be dropped
from Lenny rather than fixed. It can be brought into proper shape for
Squeeze (more recent packages are already available on mentors.debian.net)
Cheers,
Moritz
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#506550; Package quassel.
(Mon, 24 Nov 2008 07:39:08 GMT)
Acknowledgement sent
to Thomas Mueller <thomas_mueller_ffb@online.de>:
Extra info received and forwarded to list.
(Mon, 24 Nov 2008 07:39:08 GMT)
On Sunday, 23 November 2008, Moritz Muehlenhoff wrote:
> On Sat, Nov 22, 2008 at 03:13:43PM +0100, Eckhart Wörner wrote:
> > Package: quassel
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Quassel version in Debian is vulnerable to IRC command injection as
> > described in http://www.frsirt.com/english/advisories/2008/3164 Updated
> > packages are already available at http://quassel.irc.org/ , according to
> > quassel developers a backport for the fix is also available.
>
> I've been looking at the upstream homepage for a patch and upstream
> describes the Debian package as "hopelessly outdated and unmaintained"
> and point to an external build. As such, it should likely be dropped
> from Lenny rather than fixed. It can be brought into proper shape for
> Squeeze (more recent packages are already available on mentors.debian.net)
>
> Cheers,
> Moritz
The package at mentors.debian.org is just a backport of the Ubuntu package
and does not fit the Debian package rules like copyright etc.
The packages for 0.3.0 are ready for weeks but my uploader is too busy with
lenny.
New 0.2.0 packages containing the security patch will be available today.
THX and take care,
Tom
Information forwarded
to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas_mueller_ffb@online.de>: Bug#506550; Package quassel.
(Sat, 29 Nov 2008 10:30:03 GMT)
Acknowledgement sent
to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas_mueller_ffb@online.de>.
(Sat, 29 Nov 2008 10:30:04 GMT)
> New 0.2.0 packages containing the security patch will be available
> today.
What is the status here? If you just lack a sponsor, just ask me or any
other security team member.
Cheers,
Stefan
Information forwarded
to debian-bugs-dist@lists.debian.org, Thomas Mueller <thomas_mueller_ffb@online.de>: Bug#506550; Package quassel.
(Sat, 29 Nov 2008 14:42:13 GMT)
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Thomas Mueller <thomas_mueller_ffb@online.de>.
(Sat, 29 Nov 2008 14:42:13 GMT)
Hi,
attached is a patch picked from the diff between the two
releases to fix this issue.
Will upload as NMU.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Source: quassel
Source-Version: 0.2~rc1-1.1
We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive:
quassel-core_0.2~rc1-1.1_amd64.deb
to pool/main/q/quassel/quassel-core_0.2~rc1-1.1_amd64.deb
quassel_0.2~rc1-1.1.diff.gz
to pool/main/q/quassel/quassel_0.2~rc1-1.1.diff.gz
quassel_0.2~rc1-1.1.dsc
to pool/main/q/quassel/quassel_0.2~rc1-1.1.dsc
quassel_0.2~rc1-1.1_amd64.deb
to pool/main/q/quassel/quassel_0.2~rc1-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 506550@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated quassel package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 29 Nov 2008 13:50:08 +0100
Source: quassel
Binary: quassel quassel-core
Architecture: source amd64
Version: 0.2~rc1-1.1
Distribution: unstable
Urgency: high
Maintainer: Thomas Mueller <thomas_mueller_ffb@online.de>
Changed-By: Nico Golde <nion@debian.org>
Description:
quassel - distributed IRC client using a central core component
quassel-core - distributed IRC client using a central core component
Closes: 506550
Changes:
quassel (0.2~rc1-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix wrong dequoting for ctcp messages that enables attackers to craft
a ctcp message and send arbitrary messages or irc commands to
others (05_security.patch; Closes: #506550).
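The changelog entry above names the bug class (wrong CTCP dequoting leading to injected IRC commands) in a single sentence. As an added illustration, which is not the Quassel patch or any code from this report, the sketch below implements CTCP low-level quoting with the M-QUOTE character (0x10) and shows why a reply built from dequoted data has to re-quote it. The function names, the nick `bob` and the sample PING parameter are constructed for the example.

```cpp
#include <algorithm>
#include <iostream>
#include <string>

const char MQUOTE = '\x10';  // CTCP low-level quote character (assumed per the CTCP spec)
// Undo low-level quoting on the text of a received message.
std::string lowLevelDequote(const std::string &in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] != MQUOTE) { out += in[i]; continue; }
        if (++i == in.size()) break;               // trailing lone M-QUOTE: drop it
        char c = in[i];                            // any other char (incl. M-QUOTE) is kept as-is
        out += c == 'n' ? '\n' : c == 'r' ? '\r' : c == '0' ? '\0' : c;
    }
    return out;
}

// Inverse operation; apply it to any data placed on an outgoing line.
std::string lowLevelQuote(const std::string &in) {
    std::string out;
    for (char c : in) {
        if (c == '\n')        { out += MQUOTE; out += 'n'; }
        else if (c == '\r')   { out += MQUOTE; out += 'r'; }
        else if (c == '\0')   { out += MQUOTE; out += '0'; }
        else if (c == MQUOTE) { out += MQUOTE; out += MQUOTE; }
        else out += c;
    }
    return out;
}

// Before: the dequoted parameter is echoed unchanged into the reply.
std::string naiveReply(const std::string &nick, const std::string &param) {
    return "NOTICE " + nick + " :\x01PING " + param + "\x01\r\n";
}
// After: the parameter is re-quoted, so it cannot end the line early.
std::string hardenedReply(const std::string &nick, const std::string &param) {
    return "NOTICE " + nick + " :\x01PING " + lowLevelQuote(param) + "\x01\r\n";
}

// Number of lines the server would parse from the bytes sent.
long ircLineCount(const std::string &wire) {
    return std::count(wire.begin(), wire.end(), '\n');
}
int main() {
    // Constructed sample: a CTCP PING parameter carrying a quoted CR LF.
    std::string param = lowLevelDequote("123\x10r\x10nPRIVMSG #chan :hi");
    std::cout << ircLineCount(naiveReply("bob", param)) << " line(s) naive, "
              << ircLineCount(hardenedReply("bob", param)) << " line(s) hardened\n";
}
```

A reply that leaves the client as more than one line for a single incoming CTCP request is the signal to look for when testing a client's CTCP handler.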
Information forwarded
to debian-bugs-dist@lists.debian.org: Bug#506550; Package quassel.
(Sat, 29 Nov 2008 18:36:04 GMT)
Acknowledgement sent
to Thomas Mueller <thomas_mueller_ffb@online.de>:
Extra info received and forwarded to list.
(Sat, 29 Nov 2008 18:36:05 GMT)
On Saturday, 29 November 2008, Stefan Fritsch wrote:
> > New 0.2.0 packages containing the security patch will be available
> > today.
>
> What is the status here? If you just lack a sponsor, just ask me or any
> other security team member.
>
> Cheers,
> Stefan
Hi,
Nico Golde has done the fix already.
Thanks for offering your help.
I'll come back to you next time! ;-)
Take care,
Tom
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 06 Jan 2009 07:32:38 GMT)