Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 28 Nov 2013 01:05:39 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Quassel IRC - manipulated clients
 can access backlog of all users on a shared core

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/27/2013 02:37 PM, Manuel Nickschas wrote:
> Hi all,
> 
> I'd like to request a CVE for the following vulnerability in
> Quassel IRC:
> 
> Affected versions: all versions prior to 0.9.2 (released
> 2013-11-26)
> 
> Description:
> 
> A Quassel core (server daemon) supports being used by multiple
> users, who all have independent settings, backlog and so on. The
> backlog is stored in a database shared by all users on a Quassel
> core, tagged with a user ID. However, some SQL queries didn't check
> for the correct user ID being provided.
> 
> This has the undesired effect that the Quassel core can be tricked
> into providing the backlog for an IRC channel or query that does
> not belong to the user session requesting it. Doing this requires a
> manipulated client sending appropriately crafted requests to the
> core. This client also needs to be properly authenticated, i.e. to
> have supplied valid user credentials for one of the users on the
> core.
> 
> Credit for finding this issue goes to Andrew Hampe.
> 
> Fix [1] has been released in 0.9.2 [2].
> 
> This patch can be cleanly applied to any version starting from
> 0.6.0, and easily backported to even older versions by adapting the
> schema version number.
> 
> Thanks, ~ Manuel Nickschas (Sput)
> 
> [1] <https://github.com/quassel/quassel/commit/a1a24da> [2]
> <http://quassel-irc.org/pub/quassel-0.9.2.tar.bz2>
> 

Please use CVE-2013-6404 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSlvlTAAoJEBYNRVNeJnmTIecQAILaEfaJEtbNtpB0qC31XOBh
yezgIglqcJEsdyP3mh31B1rs/WrJhR2UGN70afZ5UG7eB3AIYCaYhwXu+Soc9YkJ
38ZyVZAM0O1woIsG0tDHTnmuQm4QCLbexAbTRnQBUGBJ5NA4N8hxIX8iw0O3cHL1
5CLjcYGiEGH9XCv1f9GZp28Wb0FqOqbKmmXdo1Ku0ZRF/u/4bbvWfQPNBVYKZi+l
lQvCuYdQFRxlOeymwdHtHvOe94SIUUnFQomRXZEQBOI0qOxCsSRNxVOU+FPkZ2Cy
0AElUeDeF3BXlHDIBYF23Jh/fgAU9FilMVyuey6SRJaYiMzXn2re8epBTSbB+VE1
htdzmOQh6BTcf1RyQr3FsQqhPY6X5IyHfB6Te5JCYdwvrCdFRfVd7pmNbuckSvny
jYogv+NGLiKBLOcxDBJc+TznvDV9dMXZ6ec9TBDdM2p3OtcmysmONqPBFJZQOoHw
YwSU7ZFxqmB3LEZgdv6/QH6Y/s3yz5Yx9t+kZwJB6XIg+Sku9JT4Z8qe9P7iElne
gcFuBH0pHDF0sOuPwYHAmAbYgxDcm+yegzdaOaD0g9I/asDiEZI6KfXROPK1/9bx
X3Jnv7icgSbZKdxCQKMbmMLR9w45MRBdbA61nMSuf8Hn6zS4WaX5cA2Kf4kJI6zX
HKuWwAVgqgrGVaESEcN6
=LfbD
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ