Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 27 Apr 2018 00:39:42 +0200
From: nongiach nongiach <>
Cc: Kurt Seifried <>,
Subject: CVE-XXX (quasselclient/quasselcore version 0.12.4):
 Heap Remote Code Execution and Null Pointer DDOS


two vulnerabilities have been fixed in quassel, an IRC connection
one with a high severity and another with a low severity, they are both
publicly fixed:
- these patches apply cleanly to 0.12.4 sources
- 0.12.5 release (Tuesday 24.04) includes these patches, distros have been
notified for the embargo.

Vuln 1:
Title: quasselcore, corruption of heap metadata caused by qdatastream
leading to preauth remote code execution.
Severity: high, by default the server port is publicly open and the address
can be requested using the /WHOIS command of IRC protocol.
Description: In Qdatastream protocol each object are prepended with 4 bytes
for the object size, this can be used to trigger allocation errors.
Source: void DataStreamPeer::processMessage(const QByteArray &msg),
datastreampeer.cpp line 62
CWE: A heap corruption of type CWE-120 exists in quassel version 0.12.4 in
the quasselcore that allows an attacker to remote code execution.
Screen POC:
Credit: @chaign_c
Information: This vulnerability is not specific to qdatastream.

Vuln 2:
Title: quasselcore DDOS
Severity: low, impact only a quasselcore not configured.
Description: A login attempt causes a NULL pointer dereference because when
the database is not initialized.
Source: void CoreAuthHandler::handle(const Login &msg),
coreauthhandler.cpp  line 235
CWE: A NULL Pointer Dereference of CWE-476 exists in quassel version 0.12.4
in the quasselcore that allows an attacker to denial of service.
Credit: @chaign_c


With lead dev agreement, POC will be released here in one month from now.
A big thx to quassel team for their quick responses and reaction.

CVE number assignation is ongoing.


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ