Date: Fri, 27 Apr 2018 00:39:42 +0200
From: nongiach nongiach <nongiach@...il.com>
To: oss-security@...ts.openwall.com
Cc: Kurt Seifried <kseifried@...hat.com>, sputnick@...ssel-irc.org
Subject: CVE-XXX (quasselclient/quasselcore version 0.12.4): Heap Remote Code Execution and Null Pointer DDOS

Hey,

Two vulnerabilities have been fixed in quassel, an IRC connection multiplexer, one with a high severity and another with a low severity. They are both publicly fixed:
- these patches apply cleanly to 0.12.4 sources
- the 0.12.5 release (Tuesday 24.04) includes these patches; distros have been notified for the embargo.

==============================================
Vuln 1:

Title: quasselcore, corruption of heap metadata caused by qdatastream leading to preauth remote code execution.

Severity: high, by default the server port is publicly open and the address can be requested using the /WHOIS command of the IRC protocol.

Description: In the Qdatastream protocol each object is prepended with 4 bytes for the object size; this can be used to trigger allocation errors.

Source: void DataStreamPeer::processMessage(const QByteArray &msg), datastreampeer.cpp line 62

CWE: A heap corruption of type CWE-120 exists in quassel version 0.12.4 in the quasselcore that allows an attacker to achieve remote code execution.

Patch: https://quassel-irc.org/pub/misc/0001-Implement-custom-deserializer-to-add-our-own-sanity-.patch

Screen POC: https://i.imgur.com/JJ4QcNq.png

Credit: @chaign_c

Information: This vulnerability is not specific to qdatastream.

==============================================
Vuln 2:

Title: quasselcore DDOS

Severity: low, impacts only a quasselcore that has not been configured.

Description: A login attempt causes a NULL pointer dereference when the database is not initialized.

Source: void CoreAuthHandler::handle(const Login &msg), coreauthhandler.cpp line 235

CWE: A NULL Pointer Dereference of type CWE-476 exists in quassel version 0.12.4 in the quasselcore that allows an attacker to cause a denial of service.

Patch: https://quassel-irc.org/pub/misc/0002-Reject-clients-that-attempt-to-login-before-the-core.patch

Credit: @chaign_c

==============================================

With the lead dev's agreement, the POC will be released here https://github.com/nongiach/CVE/ in one month from now.

A big thx to the quassel team for their quick responses and reaction.

CVE number assignment is ongoing.

Thx.
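An added example, written for this page and not taken from Quassel or from the linked patch, of the hazard the Vuln 1 description names: a QDataStream-style field whose 4-byte size prefix is trusted by the deserializer. It parses the same length-prefixed layout twice, once naively and once with the sanity checks a custom deserializer would add (the "our own sanity" checks the patch title refers to). The field layout (4-byte big-endian length followed by the payload), the cap kMaxFieldLen, and the two constructed messages are assumptions for illustration, not details of the Quassel wire format or of the real bug.

```cpp
// Added example, not Quassel's code: a parser for QDataStream-style
// length-prefixed fields, written naively and then with the sanity checks a
// custom deserializer would add. Assumed layout: 4-byte big-endian length,
// followed by that many payload bytes; fields are concatenated in a message.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

constexpr size_t kMaxFieldLen = 64 * 1024 * 1024;  // assumed per-field cap

struct ParseError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Big-endian uint32 at `off`; the caller guarantees four bytes are present.
static uint32_t readU32BE(const Bytes &buf, size_t off) {
    return (uint32_t(buf[off]) << 24) | (uint32_t(buf[off + 1]) << 16) |
           (uint32_t(buf[off + 2]) << 8) | uint32_t(buf[off + 3]);
}

// NAIVE: trusts the peer's length field. If `len` exceeds the bytes left in
// `msg`, memcpy reads past the end of the buffer; a length near 2^32 also
// forces a multi-GiB allocation before a single byte is checked. Shown only
// to illustrate the hazard: never call it on untrusted input.
static Bytes naiveReadField(const Bytes &msg, size_t &off) {
    uint32_t len = readU32BE(msg, off);
    off += 4;
    Bytes field(len);                                  // attacker-chosen size
    std::memcpy(field.data(), msg.data() + off, len);  // no bounds check
    off += len;
    return field;
}

// CHECKED: the length prefix is verified against the bytes actually present,
// and against a cap, before anything is allocated or copied.
static Bytes checkedReadField(const Bytes &msg, size_t &off) {
    if (msg.size() - off < 4)
        throw ParseError("truncated length prefix");
    uint32_t len = readU32BE(msg, off);
    off += 4;
    if (len > kMaxFieldLen)
        throw ParseError("field length exceeds cap");
    if (len > msg.size() - off)  // size_t compare on the remainder: no wraparound
        throw ParseError("field length exceeds bytes remaining");
    Bytes field(msg.begin() + off, msg.begin() + off + len);
    off += len;
    return field;
}

struct ParseResult {
    bool ok;                    // false if the message was rejected
    std::vector<Bytes> fields;  // valid only when ok
};

// Parse a whole message as a sequence of checked fields; any inconsistency
// rejects the message instead of touching memory it does not own.
static ParseResult parseMessage(const Bytes &msg) {
    ParseResult r{true, {}};
    size_t off = 0;
    try {
        while (off < msg.size())
            r.fields.push_back(checkedReadField(msg, off));
    } catch (const ParseError &) {
        r.ok = false;
        r.fields.clear();
    }
    return r;
}

// Helpers to build constructed messages and inspect fields.
static Bytes encodeField(const std::string &payload) {
    uint32_t len = static_cast<uint32_t>(payload.size());
    Bytes out = {uint8_t(len >> 24), uint8_t(len >> 16), uint8_t(len >> 8), uint8_t(len)};
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}

static Bytes concat(Bytes a, const Bytes &b) {
    a.insert(a.end(), b.begin(), b.end());
    return a;
}

static std::string fieldToString(const Bytes &f) {
    return std::string(f.begin(), f.end());
}

// Constructed inputs: a well-formed two-field message, and a hostile one that
// claims a 0xFFFFFFF0-byte field while supplying only two bytes.
static Bytes benignMessage() { return concat(encodeField("NICK"), encodeField("alice")); }
static Bytes hostileMessage() { return Bytes{0xFF, 0xFF, 0xFF, 0xF0, 'h', 'i'}; }

int main() {
    size_t off = 0;
    Bytes benign = benignMessage();
    std::cout << "naive on benign input: " << fieldToString(naiveReadField(benign, off)) << "\n";
    ParseResult ok = parseMessage(benign);
    std::cout << "checked on benign input: " << ok.fields.size() << " fields\n";
    std::cout << "checked on hostile input: " << (parseMessage(hostileMessage()).ok ? "accepted" : "rejected") << "\n";
    return 0;
}
```

Two details are worth noting. The remaining-bytes comparison is written as `len > msg.size() - off` rather than `off + len > msg.size()`, because the addition can wrap and pass the check for exactly the hostile lengths it should reject. The cap is applied independently of the comparison so that even a message large enough to contain its claimed field cannot drive a single allocation to an arbitrary size; in a streaming peer the framing layer needs the same cap before it buffers a whole message, since the per-field check above only runs once the bytes are in memory.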