Bug#809200: jessie-pu: package quassel/1:0.10.0-2.3+deb8u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#809200: jessie-pu: package quassel/1:0.10.0-2.3+deb8u1
From: Pierre Schweitzer <pierre@reactos.org>
Date: Mon, 28 Dec 2015 09:23:50 +0100
Message-id: <[🔎] 20151228082350.15577.72073.reportbug@desktop>
Reply-to: Pierre Schweitzer <pierre@reactos.org>, 809200@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear all,

A security issue was found in quassel-core (CVE-2015-8547), allowing an
authenticated remote client to cause a denial of service.
Given the fact that Quassel isn't widely used in the client/server model
nowadays, the Debian Security Team has asked the issue to be fixed with the
next Jessie point release.

You'll find attached the dsc and the debdiff for the proposed upload against
Jessie.

Cheers

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog	2015-05-10 16:41:35.000000000 +0200
+++ quassel-0.10.0/debian/changelog	2015-12-28 00:02:39.000000000 +0100
@@ -1,3 +1,12 @@
+quassel (1:0.10.0-2.3+deb8u2) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-8547: remote DoS in quassel core, using /op * command.
+    (Closes: #807801)
+    - Add debian/patches/CVE-2015-8547.patch, cherry-picked from upstream.
+
+ -- Pierre Schweitzer <pierre@reactos.org>  Sun, 13 Dec 2015 11:04:05 +0100
+
 quassel (1:0.10.0-2.3+deb8u1) jessie-security; urgency=high
 
   * Fix CVE-2015-3427: SQL injection vulnerability in PostgreSQL backend.
diff -Nru quassel-0.10.0/debian/patches/CVE-2015-8547.patch quassel-0.10.0/debian/patches/CVE-2015-8547.patch
--- quassel-0.10.0/debian/patches/CVE-2015-8547.patch	1970-01-01 01:00:00.000000000 +0100
+++ quassel-0.10.0/debian/patches/CVE-2015-8547.patch	2015-12-28 00:02:13.000000000 +0100
@@ -0,0 +1,22 @@
+From 476aaa050f26d6a31494631d172724409e4c569b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Konstantin=20Bl=C3=A4si?= <kblaesi@gmail.com>
+Date: Wed, 21 Oct 2015 03:26:02 +0200
+Subject: [PATCH] Fixes a crash of the core when executing "/op *" in a query.
+
+---
+ src/core/coreuserinputhandler.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/coreuserinputhandler.cpp b/src/core/coreuserinputhandler.cpp
+index 7887a92..73aac48 100644
+--- a/src/core/coreuserinputhandler.cpp
++++ b/src/core/coreuserinputhandler.cpp
+@@ -232,7 +232,7 @@ void CoreUserInputHandler::doMode(const BufferInfo &bufferInfo, const QChar& add
+     if (!isNumber || maxModes == 0) maxModes = 1;
+ 
+     QStringList nickList;
+-    if (nicks == "*") { // All users in channel
++    if (nicks == "*" && bufferInfo.type() == BufferInfo::ChannelBuffer) { // All users in channel
+         const QList<IrcUser*> users = network()->ircChannel(bufferInfo.bufferName())->ircUsers();
+         foreach(IrcUser *user, users) {
+             if ((addOrRemove == '+' && !network()->ircChannel(bufferInfo.bufferName())->userModes(user).contains(mode))
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series	2015-05-05 16:48:55.000000000 +0200
+++ quassel-0.10.0/debian/patches/series	2015-12-28 00:02:13.000000000 +0100
@@ -2,3 +2,4 @@
 CVE-2014-8483.patch
 CVE-2015-2778.patch
 CVE-2015-3427.patch
+CVE-2015-8547.patch

Format: 3.0 (quilt)
Source: quassel
Binary: quassel-core, quassel-client, quassel, quassel-data, quassel-client-kde4, quassel-kde4, quassel-data-kde4
Architecture: any all
Version: 1:0.10.0-2.3+deb8u2
Maintainer: Thomas Mueller <thomas.mueller@tmit.eu>
Homepage: http://www.quassel-irc.org
Standards-Version: 3.9.5
Build-Depends: debhelper (>= 9.20120417), libqt4-dev, cmake, libfontconfig1-dev, libfreetype6-dev, libpng-dev, libsm-dev, libice-dev, libxi-dev, libxrandr-dev, libxrender-dev, zlib1g-dev, libssl-dev, libdbus-1-dev, pkg-kde-tools, kdelibs5-dev, libqca2-dev, qt4-dev-tools, libqtwebkit-dev, libindicate-qt-dev, libdbusmenu-qt-dev
Package-List:
 quassel deb net optional arch=any
 quassel-client deb net optional arch=any
 quassel-client-kde4 deb net optional arch=any
 quassel-core deb net optional arch=any
 quassel-data deb net optional arch=all
 quassel-data-kde4 deb net optional arch=all
 quassel-kde4 deb net optional arch=any
Checksums-Sha1:
 305d56774b1af2a891775a5637174d9048d875a7 2873233 quassel_0.10.0.orig.tar.bz2
 40abd40ac178fdd7ce9d80e5cff83c887b12bb62 23128 quassel_0.10.0-2.3+deb8u2.debian.tar.xz
Checksums-Sha256:
 68228ce23aa3a992add3d00cb1e8b4863d8ca64bea99c881edf6d16ff9ec7c23 2873233 quassel_0.10.0.orig.tar.bz2
 99ea16063c487057409aeed3b805f4f12e0a11b4df087e45f9c4bd503a00dab9 23128 quassel_0.10.0-2.3+deb8u2.debian.tar.xz
Files:
 382466a7790979c172b7d7edf10a2981 2873233 quassel_0.10.0.orig.tar.bz2
 0a6ca72fd93eb30cffdce5ec8d457bd7 23128 quassel_0.10.0-2.3+deb8u2.debian.tar.xz

Reply to:

Follow-Ups:
- Bug#809200: jessie-pu: package quassel/1:0.10.0-2.3+deb8u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#809200: jessie-pu: package quassel/1:0.10.0-2.3+deb8u1
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: NEW changes in oldstable-new
Next by Date: Processed: block 796345 with 809198
Previous by thread: Processed: libxml-compile-dumper-perl: FTBFS with Perl 5.22: needs dependency on libpadwalker-perl
Next by thread: Bug#809200: jessie-pu: package quassel/1:0.10.0-2.3+deb8u1
Index(es):
- Date
- Thread