Bug 18324 - quassel new security issue CVE-2016-4414
Summary: quassel new security issue CVE-2016-4414
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All, OS: Linux
Priority: Normal (severity: normal)
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/686575/
Whiteboard: has_procedure advisory MGA5-64-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-05-02 11:43 CEST by David Walser
Modified: 2016-05-06 23:57 CEST (History)
4 users

See Also:
Source RPM: quassel-0.10.1-5.1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2016-05-02 11:43:00 CEST
A CVE was assigned for a DoS issue fixed in quassel 0.12.4:
http://openwall.com/lists/oss-security/2016/04/30/4
Comment 1 David GEIGER 2016-05-02 13:52:38 CEST
Already done for Cauldron.

Can I update to 0.12.4 upstream release for mga5 too?

CC: (none) => geiger.david68210

Comment 2 David Walser 2016-05-02 14:25:12 CEST
(In reply to David GEIGER from comment #1)
> Already done for Cauldron.
> 
> Can I update to 0.12.4 upstream release for mga5 too?

Upstream patch here should work:
https://github.com/quassel/quassel/commit/e678873
Comment 3 David GEIGER 2016-05-02 15:28:01 CEST
It doesn't build anymore with this upstream patch:

/home/david/mgarepo/quassel/BUILD/quassel-0.10.1/src/common/peerfactory.cpp:59:5: warning: identifier 'nullptr' is a keyword in C++11 [-Wc++0x-compat]
     return nullptr;
     ^
/home/david/mgarepo/quassel/BUILD/quassel-0.10.1/src/common/peerfactory.cpp: In static member function 'static RemotePeer* PeerFactory::createPeer(const ProtoList&, AuthHandler*, QTcpSocket*, Compressor::CompressionLevel, QObject*)':
/home/david/mgarepo/quassel/BUILD/quassel-0.10.1/src/common/peerfactory.cpp:59:12: error: 'nullptr' was not declared in this scope
     return nullptr;
            ^
/home/david/mgarepo/quassel/BUILD/quassel-0.10.1/src/common/peerfactory.cpp:60:1: error: control reaches end of non-void function [-Werror=return-type]
 }
 ^
cc1plus: some warnings being treated as errors
src/common/CMakeFiles/mod_common.dir/build.make:823: recipe for target 'src/common/CMakeFiles/mod_common.dir/peerfactory.cpp.o' failed
make[2]: *** [src/common/CMakeFiles/mod_common.dir/peerfactory.cpp.o] Error 1
make[2]: *** Waiting for unfinished jobs....
Comment 4 David Walser 2016-05-02 15:53:17 CEST
I don't see how 0.12.4 would compile then either.  I don't see anything in the SPEC that indicates that it's compiling it differently, and the nullptr thing appears to have first been introduced into quassel code on Sept 21 and they didn't have to do anything special to make it work.  Maybe our older compiler in Mageia 5 just doesn't like it and needs a special argument for it to work.
Comment 5 David GEIGER 2016-05-02 16:00:13 CEST
On my local mga5 machine for x86_64 the 0.12.4 release compiles fine, but the 0.10.1 release with the new patch doesn't build.
Comment 6 David Walser 2016-05-02 16:07:49 CEST
That makes no sense.  It's not like nullptr is declared somewhere.  I wonder if there's something in a cmake file or something in 0.12.4 that changes compiler flags.  Can you compare the compiler flags used between the two builds?
Comment 7 David GEIGER 2016-05-02 19:35:32 CEST
So ok, done now for mga5!
I had to force enabling C++11 support in the CMakeLists file.
Comment 8 Marja Van Waes 2016-05-02 23:13:19 CEST
quassel-0.10.1-5.2.mga5 landed in 5 core/updates_testing over 3 hours ago

However, this bug isn't assigned to the QA team yet, and it is still missing an advisory and package list (and maybe a PoC?)

CC: (none) => marja11

Comment 9 David Walser 2016-05-02 23:20:36 CEST
I'm not aware of a public PoC, but I don't know if the initial bug report is.

Advisory:
========================

Updated quassel packages fix security vulnerability:

It was found that quasselcore is vulnerable to a denial of service attack by
unauthenticated clients. The protocol negotiation did not take into account
lack of a match in handshake data, in which case PeerFactory::createPeer
returns a nullptr, which is immediately dereferenced (CVE-2016-4414).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4414
http://openwall.com/lists/oss-security/2016/04/30/4
========================

Updated packages in core/updates_testing:
========================
quassel-0.10.1-5.2.mga5
quassel-common-0.10.1-5.2.mga5
quassel-client-0.10.1-5.2.mga5
quassel-core-0.10.1-5.2.mga5

from quassel-0.10.1-5.2.mga5.src.rpm

Assignee: bugsquad => qa-bugs
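
The failure mode described in the advisory above, as an added illustration that is not code from quassel or from this bug report: a simplified stand-in for PeerFactory::createPeer that returns nullptr when none of the client's offered protocols is supported, with the caller checking the result before use instead of dereferencing it. The ProtoDescriptor/ProtoList types and the two protocol ids are constructed for this example and are assumptions, not quassel's real definitions.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for quassel's ProtoList: the protocols a client offers
// in its handshake, in order of preference.
struct ProtoDescriptor { uint8_t protocol; uint16_t features; };
using ProtoList = std::vector<ProtoDescriptor>;

// Assumed protocol ids for this example (not quassel's real values).
enum Protocol : uint8_t { LegacyProtocol = 1, DatastreamProtocol = 2 };

struct RemotePeer {
    uint8_t protocol;
    std::string description() const {
        return protocol == LegacyProtocol ? "legacy" : "datastream";
    }
};

// Simplified createPeer: pick the first offered protocol the core supports.
// Returns nullptr when nothing matches; the caller must handle that case.
std::unique_ptr<RemotePeer> createPeer(const ProtoList& candidates) {
    for (const auto& d : candidates) {
        if (d.protocol == LegacyProtocol || d.protocol == DatastreamProtocol)
            return std::unique_ptr<RemotePeer>(new RemotePeer{d.protocol});
    }
    return nullptr;
}

struct HandshakeOutcome { bool accepted; std::string peer; };

// Hardened handshake: an unauthenticated client offering only unknown
// protocols gets rejected rather than crashing the core.
//
// Vulnerable shape (CVE-2016-4414), for contrast, never call it on unmatched input:
//   auto peer = createPeer(offered);
//   return {true, peer->description()};   // nullptr dereference
HandshakeOutcome handshake(const ProtoList& offered) {
    auto peer = createPeer(offered);
    if (!peer) {
        // No protocol match: reject the connection and keep serving others.
        return {false, ""};
    }
    return {true, peer->description()};
}
```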

Comment 10 Brian Rockwell 2016-05-05 04:09:57 CEST
uname -a
Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:05:51 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


urpmi quassel
Package quassel-0.10.1-5.2.mga5.x86_64 is already installed

Able to connect to Freenode and #mageia channel

[21:04:40] <-> You are now known as Guest30435
[21:04:46] <-> You are now known as brian__
[21:04:49] <brian__> Hi Testing Quassel0.10.1-5.2
[21:04:54] <brian__> anyone out there?
[21:08:08] <brian__> I'll assume this is working since I can see the connection and posts.

working as designed.

CC: (none) => brtians1
Whiteboard: (none) => MGA5-64-OK

Comment 11 Brian Rockwell 2016-05-05 04:29:03 CEST
working as designed in 586

Linux localhost 4.1.15-desktop-2.mga5 #1 SMP Wed Jan 20 17:37:30 UTC 2016 i686 i686 i686 GNU/Linux


urpmi quassel
Package quassel-0.10.1-5.2.mga5.i586 is already installed


[21:24:25] <brian_> testing quassel 0.10.1.5.2
[21:27:49] <rindolf> brian_: hi.
[21:27:50] <brian_> i586 test - seems to be posting


working as designed.

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Brian Rockwell 2016-05-05 04:30:01 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 claire robinson 2016-05-05 18:13:21 CEST
Advisory uploaded.

Whiteboard: MGA5-64-OK MGA5-32-OK => has_procedure advisory MGA5-64-OK MGA5-32-OK

Comment 13 Mageia Robot 2016-05-05 18:27:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0166.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-05-06 23:57:17 CEST

URL: (none) => http://lwn.net/Vulnerabilities/686575/
