Your message dated Mon, 03 Nov 2014 17:19:21 +0000
with message-id <[email protected]>
and subject line Bug#766962: fixed in quassel 0.10.0-2.1
has caused the Debian Bug report #766962,
regarding CVE-2014-8483: quassel: out-of-bounds read issue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
766962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766962
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: quassel
Version: 0.10.0-2
Severity: important
Tags: security, fixed-upstream

https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138
http://bugs.quassel-irc.org/issues/1314

"""
 Check for invalid input in encrypted buffers

 The ECB Blowfish decryption function assumed that encrypted input would
 always come in blocks of 12 characters, as specified. However, buggy
 clients or annoying people may not adhere to that assumption, causing
 the core to crash while trying to process the invalid base64 input.

 With this commit we make sure that we're not overstepping the bounds of
 the input string while decoding it; instead we bail out early and display
 the original input. Fixes #1314.

 Thanks to Tucos for finding that one!
"""

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
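
The bounds check described in the commit message above, as an added example that is not quassel's code and not part of the original messages. It covers only the base64 decoding stage; the names decodeBlocks and decodeWord, the FiSH-style alphabet and the word order within a block are assumptions made for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Assumed FiSH-style alphabet and block layout; not taken from the bug report.
static const std::string kAlphabet =
    "./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
static const std::size_t kEncodedBlock = 12;  // 12 characters per 8-byte block

// Decode six characters starting at pos into a 32-bit word.
// The caller guarantees pos + 6 <= in.size().
static bool decodeWord(const std::string &in, std::size_t pos, std::uint32_t &word) {
    word = 0;
    for (std::size_t i = 0; i < 6; ++i) {
        std::size_t v = kAlphabet.find(in[pos + i]);
        if (v == std::string::npos)
            return false;  // character outside the alphabet
        word |= static_cast<std::uint32_t>(v) << (6 * i);
    }
    return true;
}

// Returns false on any malformed input so the caller can fall back to
// displaying the original text, as the commit message describes.
bool decodeBlocks(const std::string &in, std::vector<std::uint8_t> &out) {
    out.clear();
    if (in.empty() || in.size() % kEncodedBlock != 0)
        return false;  // a partial block would be read past the end of the input
    for (std::size_t pos = 0; pos < in.size(); pos += kEncodedBlock) {
        std::uint32_t right = 0, left = 0;
        if (!decodeWord(in, pos, right) || !decodeWord(in, pos + 6, left)) {
            out.clear();
            return false;
        }
        for (int shift = 24; shift >= 0; shift -= 8)
            out.push_back(static_cast<std::uint8_t>(left >> shift));
        for (int shift = 24; shift >= 0; shift -= 8)
            out.push_back(static_cast<std::uint8_t>(right >> shift));
    }
    return true;
}

int main() {
    std::vector<std::uint8_t> bytes;
    // Constructed inputs: valid block, truncated block, character outside the alphabet.
    for (const char *s : {"/...........", "/..........", "/....!......"})
        std::cout << s << (decodeBlocks(s, bytes) ? " decoded\n" : " shown as-is\n");
}
```
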
--- Begin Message ---
Source: quassel
Source-Version: 0.10.0-2.1

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 02 Nov 2014 19:10:58 +0100
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source amd64 all
Version: 0.10.0-2.1
Distribution: unstable
Urgency: high
Maintainer: Thomas Mueller <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
 quassel    - distributed IRC client - Qt-based monolithic core+client
 quassel-client - distributed IRC client - Qt-based client component
 quassel-client-kde4 - distributed IRC client - KDE-based client
 quassel-core - distributed IRC client - core component
 quassel-data - distributed IRC client - shared data (Qt version)
 quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
 quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 766962
Changes:
 quassel (0.10.0-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2014-8483.patch patch.
     CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
     (Closes: #766962)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
