Bug 15779

Summary: quassel new security issue CVE-2015-3427
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/642884/
Whiteboard: advisory MGA4-32-OK mga4-64-ok
Source RPM: quassel-0.9.2-1.2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-04-27 17:13:56 CEST 
A CVE has been assigned for a security issue fixed upstream in Quassel:
http://openwall.com/lists/oss-security/2015/04/27/3

Patch checked into Mageia 4 and Cauldron SVN.  Freeze push requested for Cauldron.

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-27 17:14:02 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-04-28 00:02:37 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

This fix is due to an incorrect/incomplete fix for CVE-2013-4422 (Bug 11443).

Advisory:
========================

Updated quassel packages fix security vulnerability:

Quassel is vulnerable to SQL injection through its use of Qt's postgres driver.
If the PostgreSQL server is restarted or the connection is lost at any point,
other IRC users may be able to trick the Quassel core into executing SQL
queries upon reconnection (CVE-2015-3427).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3427
http://openwall.com/lists/oss-security/2015/04/27/3
========================

Updated packages in core/updates_testing:
========================
quassel-0.9.2-1.3.mga4
quassel-common-0.9.2-1.3.mga4
quassel-client-0.9.2-1.3.mga4
quassel-core-0.9.2-1.3.mga4

from quassel-0.9.2-1.3.mga4.src.rpm

Whiteboard: MGA5TOO, MGA4TOO => (none)
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2015-04-28 00:43:15 CEST 
Working fine Mageia 4 i586.

Whiteboard: (none) => MGA4-32-OK

Comment 3 claire robinson 2015-04-28 19:16:48 CEST 
Testing complete mga4 64

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA4-32-OK => advisory MGA4-32-OK mga4-64-ok

Comment 4 Mageia Robot 2015-04-30 23:58:17 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0175.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-01 18:10:14 CEST

URL: (none) => http://lwn.net/Vulnerabilities/642884/