Date: Thu, 10 Oct 2013 23:40:50 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request - Quassel IRC SQL injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/09/2013 10:48 AM, Bas Pape wrote:
> Hi all,
> 
> Please assign a CVE to the following issue: Quassel IRC is
> vulnerable to SQL injection on all current versions (0.9.0 being
> the latest at the time of writing), if used with Qt 4.8.5 (the
> vulnerability is caused by a change in its postgres driver [1,2])
> and PostgreSQL 8.2 or later with standard_conforming_strings
> enabled (which is the default in those versions). The vulnerability
> allows anyone to trick the core into executing SQL queries, which
> includes cascade deleting the entire database. It is tracked
> upstream in bug #1244 [3]. It was first noticed due to minor
> issues with migration to postgres and problems with certain
> messages; a simple test with an unmodified installation of postgres
> and quassel showed that it was indeed possible to drop tables.
> 
> No upstream fix is available at this time, although the below
> patch does fix the current issue.
> 
> Regards, Bas Pape (Tucos)
> 
> [1] https://qt.gitorious.org/qt/qtbase/commit/e3c5351d06ce8a12f035cd0627356bc64d8c334a
> [2] https://bugreports.qt-project.org/browse/QTBUG-30076
> [3] http://bugs.quassel-irc.org/issues/1244
> 
> commit 7c64ed0d05718d907770d11a38436aa4ed65f2bb
> Author: Bas Pape <baspape@...il.com>
> Date:   Mon Oct 7 19:51:52 2013 +0200
> 
> Detect the need for standard_conforming_strings.
> 
> diff --git a/src/core/postgresqlstorage.cpp
> b/src/core/postgresqlstorage.cpp index 3965704..70bf894 100644 ---
> a/src/core/postgresqlstorage.cpp +++
> b/src/core/postgresqlstorage.cpp @@ -101,6 +101,15 @@ void
> PostgreSqlStorage::initDbSession(QSqlDatabase &db) // this blows...
> but unfortunately Qt's PG driver forces us to this... db.exec("set
> standard_conforming_strings = off"); db.exec("set
> escape_string_warning = off"); + +    // Fortunately things can
> always blow more. Refer to the commit message for +    // the juicy
> details, tread lightly. +    // First standard_conforming_strings
> are turned off, because that's what used +    // to be necessary,
> here the actual behaviour is tested. +    QSqlQuery query =
> db.exec("SELECT '\\\\' x"); +    if (query.first()) +        if
> (query.value(0).toString() == "\\") +            db.exec("set
> standard_conforming_strings = on"); }
> 

Please use CVE-2013-4422 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSV49iAAoJEBYNRVNeJnmTp7wQANne6+eEaU2fT88CbBKhj0d9
agw3qF7QCsFN7qURQhZ3ilj+DJp7HEmS6X21tbrnJaNrIZKTjho1P1J64YlBLXbm
NClN3M1olKF6LLElL6cyf5WzjQ/m4mLhD0h74+c6libRXKui2oG+3fQCyYHo8MV/
f5GGBGQ0i2eiNrFCVz2r4/G0VpFUkbbcopFR/vQXJPp+/qvP9IZLkAFowfTBHL+c
k65XsdF4mXAZU/wIrHLKqgEta5T1mXixt2O8aGSJrlQBDDkEJ8Z90bRQs8Va+QKd
yGle+kjpA6/9j3xHdbUZ52MnMO/PApkFR1R8mZUEakWcYOKuCqgtyaTsN+GkivNi
fMySRBR5pCBX2u6JxL+JqOIgR4si0zGUa7z0TwFDyhg/YE5tYQLBLNHCeWK8N910
zmwEC8jUg4sjh12tBau2rIQsaPi0LFOc7X0zaIQrMPlw5ask+seOXNFm5Zx5nBf7
0ePjvmOPf0hDaityrK2ej/RMq++dxTFmUwVtGxT9s92AuO6+DF9XtoeOe68GQC2y
BZeOV/gzlk4FP71Or77r/0hNxyNcJ59gZ+gYMfc9do7A+NnSrkzXlAqk5hI3W1cG
+1yuW/+8IDeAjVhOBaq4s4ZbxwnnnkwpLj+49c2+gGGhPsUpdFpVS9n/tEucmEDg
Cez/bUHjWWLRKeZh03Dp
=/nNu
-----END PGP SIGNATURE-----
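The report above describes a mismatch between the escaping a client driver applies to a value and the string-literal rules the server actually uses. The following Python is an added illustration written for this page, not Quassel or Qt code: it models a driver that decides once, at connect time, whether to double backslashes (always doubling single quotes), and a PostgreSQL-style parse of a plain '...' literal with standard_conforming_strings on or off. The table name `backlog`, the `INSERT` shape and the attacker message are constructed for the example. Only the `\'` and `\\` escapes are modelled on the server side, since those are the ones that matter here.

```python
"""Model of the standard_conforming_strings (SCS) mismatch behind CVE-2013-4422.

Constructed example: neither Quassel's nor Qt's code.  The driver half mirrors
the behaviour the report attributes to the Qt 4.8.5 PostgreSQL driver (decide at
connect time whether backslashes need doubling); the server half is a minimal
PostgreSQL string-literal parser for the two settings of SCS.
"""

# Constructed attacker-supplied IRC message; 'backlog' is an assumed table name.
PAYLOAD = "\\'); DROP TABLE backlog; --"


def quote_value(value, backslash_escapes):
    """Quote a value as a client driver does: single quotes are always doubled,
    backslashes are doubled only if the driver believes the server treats a
    backslash inside a literal as an escape character (SCS off)."""
    if backslash_escapes:
        value = value.replace("\\", "\\\\")
    return "'" + value.replace("'", "''") + "'"


def parse_literal(sql, scs_on):
    """Parse a leading '...' literal as the server would.

    Returns (decoded_value, rest_of_statement).  With scs_on=True a backslash
    is an ordinary character and '' is the only way to embed a quote.  With
    scs_on=False a backslash escapes the next character (only \\' and \\\\ are
    needed here; other escapes are approximated as the bare next character).
    """
    if not sql.startswith("'"):
        raise ValueError("expected a string literal")
    out = []
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":  # doubled quote -> '
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # closing quote
        if c == "\\" and not scs_on and i + 1 < len(sql):
            out.append(sql[i + 1])  # \' -> '  and  \\ -> \
            i += 2
            continue
        out.append(c)
        i += 1
    raise ValueError("unterminated string literal")


def build_insert(message, driver_backslash_escapes):
    """What the client sends: the message quoted by the driver's rule."""
    return ("INSERT INTO backlog (message) VALUES ("
            + quote_value(message, driver_backslash_escapes) + ")")


def scenario(driver_backslash_escapes, server_scs_on):
    """Combine a driver belief with the server's live setting and report what
    gets stored and whether SQL escaped the VALUES list."""
    sql = build_insert(PAYLOAD, driver_backslash_escapes)
    literal_and_rest = sql.split("VALUES (", 1)[1]
    stored, tail = parse_literal(literal_and_rest, server_scs_on)
    # After the literal, the only legitimate remainder is the closing ')'.
    injected = tail.strip() != ")"
    return {"sql": sql, "stored": stored, "tail": tail, "injected": injected}


if __name__ == "__main__":
    # Driver connected while SCS was on (no backslash doubling), then the
    # application forced SCS off on the same session: the reported bug.
    bad = scenario(driver_backslash_escapes=False, server_scs_on=False)
    print("mismatch  :", bad["sql"])
    print("  stored  :", repr(bad["stored"]), "tail:", repr(bad["tail"]))
    print("  injected:", bad["injected"])
    # Driver and server agree in either direction: value round-trips intact.
    for drv, srv in ((False, True), (True, False)):
        ok = scenario(drv, srv)
        print("agree(%s/%s): injected=%s stored==payload=%s"
              % (drv, srv, ok["injected"], ok["stored"] == PAYLOAD))
    # Opposite mismatch (driver doubles, server SCS on): no injection, but the
    # stored text gains a backslash, i.e. silent data corruption.
    corrupt = scenario(driver_backslash_escapes=True, server_scs_on=True)
    print("corrupt   : injected=%s stored=%r" % (corrupt["injected"], corrupt["stored"]))
```

The instructive case is the first one: the driver emits `'\''); DROP TABLE backlog; --'`, which a server with standard_conforming_strings on reads as one literal, but a server with it off reads `\'` as an escaped quote and the following `'` as the terminator, so everything after it is executed as SQL. The fourth case shows why a project that assumed the old always-double behaviour would want the setting off: the mismatch in that direction does not inject, it just stores an extra backslash.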
