A CVE has been requested for a security issue fixed upstream in quassel: http://openwall.com/lists/oss-security/2015/03/20/12 The commit linked in the message above applies cleanly to 0.10.1 in Cauldron, but doesn't quite in 0.9.2 in Mageia 4. I'll probably update Mageia 4 to 0.10.1. Waiting for the CVE before I commit fixes. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
While the patch applies to 0.10.1, it doesn't build with it. To fix this, we'll need to update to 0.11.0 and patch it, or update to the upcoming 0.12.0 release once it becomes available.
CVE-2015-2778 and CVE-2015-2779 have been assigned: http://www.openwall.com/lists/oss-security/2015/03/28/3
Summary: quassel new DoS security issue => quassel new DoS security issue (CVE-2015-277[89])
OpenSuSE has issued an advisory for this today (April 8): http://lists.opensuse.org/opensuse-updates/2015-04/msg00018.html I rediffed their patch for OpenSuSE 13.2 (quassel 0.10.0) for our quassel 0.10.1 in Cauldron and got it to build locally. Their patch for OpenSuSE 13.1 (quassel 0.9.2) applies fine in Mageia 4 (also quassel 0.9.2). Patches checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.
URL: (none) => http://lwn.net/Vulnerabilities/639579/
Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated quassel packages fix security vulnerabilities: Quassel could crash when receiving an overlength CTCP query containing only multibyte characters (CVE-2015-2778). Quassel could incorrectly split a message in the middle of a multibyte character, leading to a denial of service (CVE-2015-2779). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2778 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2779 http://lists.opensuse.org/opensuse-updates/2015-04/msg00018.html ======================== Updated packages in core/updates_testing: ======================== quassel-0.9.2-1.2.mga4 quassel-common-0.9.2-1.2.mga4 quassel-client-0.9.2-1.2.mga4 quassel-core-0.9.2-1.2.mga4 from quassel-0.9.2-1.2.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => (none)
Testing on Mageia4x64 real hardware From current packages : --------------------- quassel-0.9.2-1.1.mga4 To updated testing packages : --------------------------- quassel-0.9.2-1.2.mga4 quassel-core-0.9.2-1.2.mga4 quassel-client-0.9.2-1.2.mga4 quassel-common-0.9.2-1.2.mga4 OK, no problems found
CC: (none) => olchalWhiteboard: (none) => MGA4-64-OK
Working fine here too, Mageia 4 i586.
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0147.html
Status: NEW => RESOLVEDResolution: (none) => FIXED