Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 10 Oct 2013 23:40:50 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request - Quassel IRC SQL injection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/09/2013 10:48 AM, Bas Pape wrote:
> Hi all,
> 
> Please assign a CVE to the following issue: Quassel IRC is
> vulnerable to SQL injection on all current versions (0.9.0 being
> the latest at the time of writing), if used with Qt 4.8.5 (the
> vulnerability is caused by a change in its postgres driver[1,2]) 
> and PostgreSQL 8.2 or later with standard_conforming_strings
> enabled (which is the default in those versions). The vulnerability
> allows anyone to trick the core into executing SQL queries, which
> includes cascade deleting the entire database. It is tracked
> upstream in bug #1244 [3]. It was firstly noticed by due to minor
> issues with migration to postgres and problems with certain
> messages, a simple test with an unmodified installation of postgres
> and quassel showed that it was indeed possible to drop tables.
> 
> No upstream fix is available at this time, although the below
> patch does fix the current issue.
> 
> Regards, Bas Pape (Tucos)
> 
> [1]
> https://qt.gitorious.org/qt/qtbase/commit/e3c5351d06ce8a12f035cd0627356bc64d8c334a
>
> 
[2] https://bugreports.qt-project.org/browse/QTBUG-30076
> [3] http://bugs.quassel-irc.org/issues/1244
> 
> commit 7c64ed0d05718d907770d11a38436aa4ed65f2bb Author: Bas Pape
> <baspape@...il.com> Date:   Mon Oct 7 19:51:52 2013 +0200
> 
> Detect the need for standard_conforming_strings.
> 
> diff --git a/src/core/postgresqlstorage.cpp
> b/src/core/postgresqlstorage.cpp index 3965704..70bf894 100644 ---
> a/src/core/postgresqlstorage.cpp +++
> b/src/core/postgresqlstorage.cpp @@ -101,6 +101,15 @@ void
> PostgreSqlStorage::initDbSession(QSqlDatabase &db) // this blows...
> but unfortunately Qt's PG driver forces us to this... db.exec("set
> standard_conforming_strings = off"); db.exec("set
> escape_string_warning = off"); + +    // Fortunately things can
> always blow more. Refer to the commit message for +    // the juicy
> details, tread lightly. +    // First standard_conforming_strings
> are turned off, because that's what used +    // to be necessary,
> here the actual behaviour is tested. +    QSqlQuery query =
> db.exec("SELECT '\\\\' x"); +    if (query.first()) +        if
> (query.value(0).toString() == "\\") +            db.exec("set
> standard_conforming_strings = on"); }
> 

Please use CVE-2013-4422 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSV49iAAoJEBYNRVNeJnmTp7wQANne6+eEaU2fT88CbBKhj0d9
agw3qF7QCsFN7qURQhZ3ilj+DJp7HEmS6X21tbrnJaNrIZKTjho1P1J64YlBLXbm
NClN3M1olKF6LLElL6cyf5WzjQ/m4mLhD0h74+c6libRXKui2oG+3fQCyYHo8MV/
f5GGBGQ0i2eiNrFCVz2r4/G0VpFUkbbcopFR/vQXJPp+/qvP9IZLkAFowfTBHL+c
k65XsdF4mXAZU/wIrHLKqgEta5T1mXixt2O8aGSJrlQBDDkEJ8Z90bRQs8Va+QKd
yGle+kjpA6/9j3xHdbUZ52MnMO/PApkFR1R8mZUEakWcYOKuCqgtyaTsN+GkivNi
fMySRBR5pCBX2u6JxL+JqOIgR4si0zGUa7z0TwFDyhg/YE5tYQLBLNHCeWK8N910
zmwEC8jUg4sjh12tBau2rIQsaPi0LFOc7X0zaIQrMPlw5ask+seOXNFm5Zx5nBf7
0ePjvmOPf0hDaityrK2ej/RMq++dxTFmUwVtGxT9s92AuO6+DF9XtoeOe68GQC2y
BZeOV/gzlk4FP71Or77r/0hNxyNcJ59gZ+gYMfc9do7A+NnSrkzXlAqk5hI3W1cG
+1yuW/+8IDeAjVhOBaq4s4ZbxwnnnkwpLj+49c2+gGGhPsUpdFpVS9n/tEucmEDg
Cez/bUHjWWLRKeZh03Dp
=/nNu
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.