Date: Thu, 28 Nov 2013 01:05:39 -0700 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: Quassel IRC - manipulated clients can access backlog of all users on a shared core -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/27/2013 02:37 PM, Manuel Nickschas wrote: > Hi all, > > I'd like to request a CVE for the following vulnerability in > Quassel IRC: > > Affected versions: all versions prior to 0.9.2 (released > 2013-11-26) > > Description: > > A Quassel core (server daemon) supports being used by multiple > users, who all have independent settings, backlog and so on. The > backlog is stored in a database shared by all users on a Quassel > core, tagged with a user ID. However, some SQL queries didn't check > for the correct user ID being provided. > > This has the undesired effect that the Quassel core can be tricked > into providing the backlog for an IRC channel or query that does > not belong to the user session requesting it. Doing this requires a > manipulated client sending appropriately crafted requests to the > core. This client also needs to be properly authenticated, i.e. to > have supplied valid user credentials for one of the users on the > core. > > Credit for finding this issue goes to Andrew Hampe. > > Fix  has been released in 0.9.2 . > > This patch can be cleanly applied to any version starting from > 0.6.0, and easily backported to even older versions by adapting the > schema version number. > > Thanks, ~ Manuel Nickschas (Sput) > >  <https://github.com/quassel/quassel/commit/a1a24da>  > <http://quassel-irc.org/pub/quassel-0.9.2.tar.bz2> > Please use CVE-2013-6404 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) iQIcBAEBAgAGBQJSlvlTAAoJEBYNRVNeJnmTIecQAILaEfaJEtbNtpB0qC31XOBh yezgIglqcJEsdyP3mh31B1rs/WrJhR2UGN70afZ5UG7eB3AIYCaYhwXu+Soc9YkJ 38ZyVZAM0O1woIsG0tDHTnmuQm4QCLbexAbTRnQBUGBJ5NA4N8hxIX8iw0O3cHL1 5CLjcYGiEGH9XCv1f9GZp28Wb0FqOqbKmmXdo1Ku0ZRF/u/4bbvWfQPNBVYKZi+l lQvCuYdQFRxlOeymwdHtHvOe94SIUUnFQomRXZEQBOI0qOxCsSRNxVOU+FPkZ2Cy 0AElUeDeF3BXlHDIBYF23Jh/fgAU9FilMVyuey6SRJaYiMzXn2re8epBTSbB+VE1 htdzmOQh6BTcf1RyQr3FsQqhPY6X5IyHfB6Te5JCYdwvrCdFRfVd7pmNbuckSvny jYogv+NGLiKBLOcxDBJc+TznvDV9dMXZ6ec9TBDdM2p3OtcmysmONqPBFJZQOoHw YwSU7ZFxqmB3LEZgdv6/QH6Y/s3yz5Yx9t+kZwJB6XIg+Sku9JT4Z8qe9P7iElne gcFuBH0pHDF0sOuPwYHAmAbYgxDcm+yegzdaOaD0g9I/asDiEZI6KfXROPK1/9bx X3Jnv7icgSbZKdxCQKMbmMLR9w45MRBdbA61nMSuf8Hn6zS4WaX5cA2Kf4kJI6zX HKuWwAVgqgrGVaESEcN6 =LfbD -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ