Your message dated Thu, 06 Nov 2014 17:05:47 +0000
with message-id <[email protected]>
and subject line Bug#766962: fixed in quassel 0.8.0-1+deb7u3
has caused the Debian Bug report #766962,
regarding CVE-2014-8483: quassel: out-of-bounds read issue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
766962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766962
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Package: quassel
Version: 0.10.0-2
Severity: important
Tags: security, fixed-upstream

https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138
http://bugs.quassel-irc.org/issues/1314

"""
Check for invalid input in encrypted buffers

The ECB Blowfish decryption function assumed that encrypted input would
always come in blocks of 12 characters, as specified. However, buggy
clients or annoying people may not adhere to that assumption, causing
the core to crash while trying to process the invalid base64 input.

With this commit we make sure that we're not overstepping the bounds of
the input string while decoding it; instead we bail out early and display
the original input. Fixes #1314.

Thanks to Tucos for finding that one!
"""

- ---
Henri Salo
--- End Message ---
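
The check the commit message above describes, as an added example (not Quassel's code and not part of the original report): a decoder that rejects anything other than whole 12-character blocks before reading any of the input. The alphabet, bit layout and function names are assumptions modelled on FiSH-style encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed FiSH-style alphabet and bit layout; not quoted from the page. */
static const char B64[] =
    "./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
enum { BLOCK_CHARS = 12, BLOCK_BYTES = 8 };  /* 12 chars -> one 8-byte block */

/* Decode six characters into a 32-bit word, least significant group first.
 * Returns -1 if any character (including NUL) is outside the alphabet. */
static int decode_word(const char *in, uint32_t *word)
{
    uint32_t w = 0;
    for (int z = 0; z < 6; z++) {
        const char *p = in[z] ? strchr(B64, in[z]) : NULL;
        if (p == NULL)
            return -1;
        w |= (uint32_t)(p - B64) << (z * 6);
    }
    *word = w;
    return 0;
}

/* Returns 0 and sets *out_len on success. Returns -1 on malformed input
 * without reading past in[in_len - 1]; the caller then shows the original
 * text, as the commit message describes. */
int decode_ecb_text(const char *in, size_t in_len,
                    unsigned char *out, size_t out_cap, size_t *out_len)
{
    if (in_len == 0 || in_len % BLOCK_CHARS != 0)
        return -1;                      /* partial block: bail out early */
    size_t blocks = in_len / BLOCK_CHARS;
    if (blocks > out_cap / BLOCK_BYTES)
        return -1;                      /* output buffer too small */
    for (size_t b = 0; b < blocks; b++) {
        const char *blk = in + b * BLOCK_CHARS;
        unsigned char *o = out + b * BLOCK_BYTES;
        uint32_t right, left;
        if (decode_word(blk, &right) != 0 || decode_word(blk + 6, &left) != 0)
            return -1;                  /* character outside the alphabet */
        for (int i = 0; i < 4; i++) {   /* big-endian: left word, then right */
            o[i]     = (unsigned char)(left  >> (24 - 8 * i));
            o[4 + i] = (unsigned char)(right >> (24 - 8 * i));
        }
    }
    *out_len = blocks * BLOCK_BYTES;
    return 0;
}
```

The length test runs before any character is read, so a truncated final block is rejected rather than decoded.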
--- Begin Message ---
Source: quassel
Source-Version: 0.8.0-1+deb7u3

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 28 Oct 2014 17:10:53 +0100
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source amd64 all
Version: 0.8.0-1+deb7u3
Distribution: wheezy-security
Urgency: high
Maintainer: Thomas Mueller <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
 quassel    - distributed IRC client - Qt-based monolithic core+client
 quassel-client - distributed IRC client - Qt-based client component
 quassel-client-kde4 - distributed IRC client - KDE-based client
 quassel-core - distributed IRC client - core component
 quassel-data - distributed IRC client - shared data (Qt version)
 quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
 quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 766962
Changes:
 quassel (0.8.0-1+deb7u3) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2014-8483.patch patch.
     CVE-2014-8483: out-of-bounds read on a heap-allocated array.
     (Closes: #766962)
--- End Message ---