Your message dated Sat, 08 Nov 2014 15:30:00 +0000
with message-id <[email protected]>
and subject line Bug#766962: fixed in quassel 1:0.10.0-2.2
has caused the Debian Bug report #766962,
regarding CVE-2014-8483: quassel: out-of-bounds read issue
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
766962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766962
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: quassel
Version: 0.10.0-2
Severity: important
Tags: security, fixed-upstream

https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138
http://bugs.quassel-irc.org/issues/1314

"""
 Check for invalid input in encrypted buffers

 The ECB Blowfish decryption function assumed that encrypted input would
 always come in blocks of 12 characters, as specified. However, buggy
 clients or annoying people may not adhere to that assumption, causing
 the core to crash while trying to process the invalid base64 input.

 With this commit we make sure that we're not overstepping the bounds of
 the input string while decoding it; instead we bail out early and display
 the original input. Fixes #1314.

 Thanks to Tucos for finding that one!
"""

- ---
Henri Salo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlROCigACgkQXf6hBi6kbk9F7wCgiMXj+fPrji5W3ABkpGicRfhV
ioIAn3hTgwWppPDKcDBngyjSrUrU1FmO
=K8h6
-----END PGP SIGNATURE-----

--- End Message ---
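
The length and alphabet check that the commit message above describes, as an added example in plain C++ (not Quassel's code and not part of the original report). The 64-character alphabet, the bit and word order, and the names decodeWord and decodeBlocks are assumptions for illustration; the Blowfish step itself is left out.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Assumed 64-character alphabet and bit layout (illustrative, not from the page).
static const std::string kAlphabet =
    "./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
static const std::size_t kCharsPerBlock = 12;  // block size named in the commit message

// Decode six characters (6 bits each, low bits first) into one 32-bit word.
// The caller guarantees pos + 6 <= in.size(); unknown characters are rejected.
static bool decodeWord(const std::string &in, std::size_t pos, std::uint32_t &word)
{
    word = 0;
    for (std::size_t i = 0; i < 6; ++i) {
        const std::size_t v = kAlphabet.find(in[pos + i]);
        if (v == std::string::npos)
            return false;
        word |= static_cast<std::uint32_t>(v) << (i * 6);
    }
    return true;
}

// Fills `out` with 8 bytes per 12-character block. Returns false (the caller then
// shows the original text) when the input is empty, is not a whole number of
// blocks, or contains a character outside the alphabet.
bool decodeBlocks(const std::string &in, std::vector<std::uint8_t> &out)
{
    out.clear();
    if (in.empty() || in.size() % kCharsPerBlock != 0)
        return false;  // length check happens before any indexed read
    for (std::size_t pos = 0; pos < in.size(); pos += kCharsPerBlock) {
        std::uint32_t right = 0, left = 0;
        if (!decodeWord(in, pos, right) || !decodeWord(in, pos + 6, left)) { out.clear(); return false; }
        for (int s = 24; s >= 0; s -= 8) out.push_back(static_cast<std::uint8_t>(left >> s));
        for (int s = 24; s >= 0; s -= 8) out.push_back(static_cast<std::uint8_t>(right >> s));
    }
    return true;
}

int main()
{
    // Constructed inputs: one valid block, a truncated block, a bad character.
    const char *samples[] = {"/...........", "/....", "/.....!....."};
    std::vector<std::uint8_t> bytes;
    for (const char *s : samples)
        std::printf("%-14s -> %s\n", s, decodeBlocks(s, bytes) ? "decoded" : "shown as-is");
}
```
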
--- Begin Message ---
Source: quassel
Source-Version: 1:0.10.0-2.2

We believe that the bug you reported is fixed in the latest version of
quassel, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated quassel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 08 Nov 2014 14:14:56 +0100
Source: quassel
Binary: quassel-core quassel-client quassel quassel-data quassel-client-kde4 quassel-kde4 quassel-data-kde4
Architecture: source amd64 all
Version: 1:0.10.0-2.2
Distribution: unstable
Urgency: high
Maintainer: Thomas Mueller <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
 quassel    - distributed IRC client - Qt-based monolithic core+client
 quassel-client - distributed IRC client - Qt-based client component
 quassel-client-kde4 - distributed IRC client - KDE-based client
 quassel-core - distributed IRC client - core component
 quassel-data - distributed IRC client - shared data (Qt version)
 quassel-data-kde4 - distributed IRC client - shared data (KDE4 version)
 quassel-kde4 - distributed IRC client - KDE-based monolithic core+client
Closes: 766962
Changes:
 quassel (1:0.10.0-2.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Increment Debian revision and epoch to re-upload 0.10.0-2.1 to
     unstable containing the fix for #766962 / CVE-2014-8483:
     out-of-bounds read in ECB Blowfish decryption.
 .
 quassel (0.10.0-2.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Add CVE-2014-8483.patch patch.
     CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
     (Closes: #766962)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
