Bug 15544

Summary: quassel new DoS security issue (CVE-2015-277[89])
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/639579/
Whiteboard: advisory MGA4-32-OK MGA4-64-OK
Source RPM: quassel-0.10.1-3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-03-20 19:09:11 CET 
A CVE has been requested for a security issue fixed upstream in quassel:
http://openwall.com/lists/oss-security/2015/03/20/12

The commit linked in the message above applies cleanly to 0.10.1 in Cauldron, but doesn't quite in 0.9.2 in Mageia 4.  I'll probably update Mageia 4 to 0.10.1.

Waiting for the CVE before I commit fixes.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-20 19:09:18 CET

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-03-26 19:50:53 CET 
While the patch applies to 0.10.1, it doesn't build with it.  To fix this, we'll need to update to 0.11.0 and patch it, or update to the upcoming 0.12.0 release once it becomes available.
Comment 2 David Walser 2015-03-30 12:34:26 CEST 
CVE-2015-2778 and CVE-2015-2779 have been assigned:
http://www.openwall.com/lists/oss-security/2015/03/28/3

Summary: quassel new DoS security issue => quassel new DoS security issue (CVE-2015-277[89])

Comment 3 David Walser 2015-04-08 21:02:00 CEST 
OpenSuSE has issued an advisory for this today (April 8):
http://lists.opensuse.org/opensuse-updates/2015-04/msg00018.html

I rediffed their patch for OpenSuSE 13.2 (quassel 0.10.0) for our quassel 0.10.1 in Cauldron and got it to build locally.  Their patch for OpenSuSE 13.1 (quassel 0.9.2) applies fine in Mageia 4 (also quassel 0.9.2).

Patches checked into Mageia 4 and Cauldron SVN.  Freeze push requested for Cauldron.

URL: (none) => http://lwn.net/Vulnerabilities/639579/

Comment 4 David Walser 2015-04-08 21:15:58 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated quassel packages fix security vulnerabilities:

Quassel could crash when receiving an overlength CTCP query containing only
multibyte characters (CVE-2015-2778).

Quassel could incorrectly split a message in the middle of a multibyte
character, leading to a denial of service (CVE-2015-2779).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2779
http://lists.opensuse.org/opensuse-updates/2015-04/msg00018.html
========================

Updated packages in core/updates_testing:
========================
quassel-0.9.2-1.2.mga4
quassel-common-0.9.2-1.2.mga4
quassel-client-0.9.2-1.2.mga4
quassel-core-0.9.2-1.2.mga4

from quassel-0.9.2-1.2.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 5 olivier charles 2015-04-11 02:47:20 CEST 
Testing on Mageia4x64 real hardware

From current packages :
---------------------
quassel-0.9.2-1.1.mga4


To updated testing packages :
---------------------------
quassel-0.9.2-1.2.mga4
quassel-core-0.9.2-1.2.mga4
quassel-client-0.9.2-1.2.mga4
quassel-common-0.9.2-1.2.mga4

OK, no problems found

CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK

Comment 6 David Walser 2015-04-11 03:43:18 CEST 
Working fine here too, Mageia 4 i586.

Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK

Comment 7 claire robinson 2015-04-11 15:07:50 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2015-04-15 11:02:20 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0147.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED