
Bug#741587: wheezy-pu: package quassel/0.8.0-1+deb7u1



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

The quassel package in wheezy is affected by CVE-2013-6404:
clients can access backlogs belonging to other users.

The security team has classified it as a minor security issue
so I would like to fix it through a stable update.

See the attached debdiff that contains a backport of the
upstream fix.

Cheers,
Felix
diff -Nru quassel-0.8.0/debian/changelog quassel-0.8.0/debian/changelog
--- quassel-0.8.0/debian/changelog	2012-04-25 01:02:03.000000000 +0200
+++ quassel-0.8.0/debian/changelog	2014-03-09 13:42:01.000000000 +0100
@@ -1,3 +1,10 @@
+quassel (0.8.0-1+deb7u1) wheezy; urgency=medium
+
+  * Fix CVE-2013-6404: clients can access backlogs belonging to other users
+    - Backport upstream commit in CVE-2013-6404.patch
+
+ -- Felix Geyer <fgeyer@debian.org>  Sun, 09 Mar 2014 13:41:50 +0100
+
 quassel (0.8.0-1) unstable; urgency=low
 
   * New upstream release
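Review bot: The sub-bullet `- Backport upstream commit in CVE-2013-6404.patch` in the new changelog entry does not say which upstream commit was backported. The patch header carries the id a1a24daa615a4e0679546c8a7a673720d0dcc60f; citing it (or a short form) here lets someone auditing the stable update trace the fix from the changelog alone.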
diff -Nru quassel-0.8.0/debian/patches/CVE-2013-6404.patch quassel-0.8.0/debian/patches/CVE-2013-6404.patch
--- quassel-0.8.0/debian/patches/CVE-2013-6404.patch	1970-01-01 01:00:00.000000000 +0100
+++ quassel-0.8.0/debian/patches/CVE-2013-6404.patch	2014-03-09 13:41:48.000000000 +0100
@@ -0,0 +1,49 @@
+From a1a24daa615a4e0679546c8a7a673720d0dcc60f Mon Sep 17 00:00:00 2001
+From: Marcus Eggenberger <egs@quassel-irc.org>
+Date: Sun, 24 Nov 2013 17:03:34 +0100
+Subject: [PATCH] Make sure that clients can't access buffers belonging to
+ other users
+
+A manipulated, but properly authenticated client was able to retrieve
+the backlog of other users on the same core in some cases by providing
+an appropriate BufferID to the storage engine. Note that proper
+authentication was still required, so exploiting this requires
+malicious users on your core. This commit fixes this issue by ensuring
+that foreign BufferIDs are off-limits.
+---
+ src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql | 2 +-
+ src/core/SQL/PostgreSQL/16/update_network.sql      | 3 ++-
+ src/core/SQL/SQLite/17/select_buffer_by_id.sql     | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
+index 09f202e..cccfa7c 100644
+--- a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
++++ b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
+@@ -1,3 +1,3 @@
+ SELECT bufferid, networkid, buffertype, groupid, buffername
+ FROM buffer
+-WHERE bufferid = :bufferid
++WHERE userid = :userid AND bufferid = :bufferid
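Review bot: The new predicate `WHERE userid = :userid AND bufferid = :bufferid` introduces a `:userid` bind parameter, but the diffstat above lists only three `.sql` files and no caller changes. Please confirm that the 0.8.0 storage code running select_buffer_by_id already binds `:userid` for this query. How an unbound placeholder behaves depends on the driver, and in neither outcome would the lookup be scoped to the requesting user as the commit message intends, so a missing bind would need the matching caller change in the backport.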
+diff --git a/src/core/SQL/PostgreSQL/16/update_network.sql b/src/core/SQL/PostgreSQL/16/update_network.sql
+index a000f61..d2dea84 100644
+--- a/src/core/SQL/PostgreSQL/16/update_network.sql
++++ b/src/core/SQL/PostgreSQL/16/update_network.sql
+@@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels,
+ usesasl = :usesasl,
+ saslaccount = :saslaccount,
+ saslpassword = :saslpassword
+-WHERE networkid = :networkid
++WHERE userid = :userid AND networkid = :networkid
++
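Review bot: The `WHERE userid = :userid AND networkid = :networkid` restriction is added to the PostgreSQL update_network.sql only; the diffstat has no SQLite counterpart for this statement. Please check whether the SQLite update_network query in 0.8.0 already restricts by userid or needs the same condition. The same question about `:userid` being bound by the caller applies here. Minor: the lone `+` line at the end of the hunk adds an empty line after the WHERE clause, which is unrelated whitespace.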
+diff --git a/src/core/SQL/SQLite/17/select_buffer_by_id.sql b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
+index 09f202e..6bd35f0 100644
+--- a/src/core/SQL/SQLite/17/select_buffer_by_id.sql
++++ b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
+@@ -1,3 +1,3 @@
+ SELECT bufferid, networkid, buffertype, groupid, buffername
+ FROM buffer
+-WHERE bufferid = :bufferid
++WHERE bufferid = :bufferid AND userid = :userid
+-- 
+1.8.5.1
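Review bot: The SQLite file path `src/core/SQL/SQLite/17/select_buffer_by_id.sql` (like `SQL/PostgreSQL/16` above) pins a specific schema version directory as it existed in the upstream tree for the November 2013 commit. Please confirm that quassel 0.8.0 ships these same directories and that the patch applies without fuzz; if the 0.8.0 core loads its queries from a different schema version directory, the query it actually runs would remain unpatched. Minor: the predicate here is `bufferid = :bufferid AND userid = :userid`, the reverse order of the PostgreSQL file. It is equivalent, and keeping it identical to upstream is reasonable for a backport.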
diff -Nru quassel-0.8.0/debian/patches/series quassel-0.8.0/debian/patches/series
--- quassel-0.8.0/debian/patches/series	2012-04-25 00:18:37.000000000 +0200
+++ quassel-0.8.0/debian/patches/series	2014-03-09 13:41:48.000000000 +0100
@@ -1,2 +1,3 @@
 01_default_network_channel.patch
+CVE-2013-6404.patch
 
