A CVE has been requested for a security issue fixed upstream in quassel:
The commit linked in the message above applies cleanly to 0.10.1 in Cauldron, but doesn't quite in 0.9.2 in Mageia 4. I'll probably update Mageia 4 to 0.10.1.
Waiting for the CVE before I commit fixes.
Steps to Reproduce:
While the patch applies to 0.10.1, it doesn't build with it. To fix this, we'll need to update to 0.11.0 and patch it, or update to the upcoming 0.12.0 release once it becomes available.
CVE-2015-2778 and CVE-2015-2779 have been assigned:
quassel new DoS security issue =>
quassel new DoS security issue (CVE-2015-277)
OpenSuSE has issued an advisory for this today (April 8):
I rediffed their patch for OpenSuSE 13.2 (quassel 0.10.0) for our quassel 0.10.1 in Cauldron and got it to build locally. Their patch for OpenSuSE 13.1 (quassel 0.9.2) applies fine in Mageia 4 (also quassel 0.9.2).
Patches checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.
Patched packages uploaded for Mageia 4 and Cauldron.
Updated quassel packages fix security vulnerabilities:
Quassel could crash when receiving an overlength CTCP query containing only
multibyte characters (CVE-2015-2778).
Quassel could incorrectly split a message in the middle of a multibyte
character, leading to a denial of service (CVE-2015-2779).
Updated packages in core/updates_testing:
MGA5TOO, MGA4TOO =>
Testing on Mageia4x64 real hardware
From current packages :
To updated testing packages :
OK, no problems found
Working fine here too, Mageia 4 i586.
Validating. Advisory uploaded.
Please push to 4 updates
MGA4-32-OK MGA4-64-OK =>
advisory MGA4-32-OK MGA4-64-OKCC:
An update for this issue has been pushed to Mageia Updates repository.