Your message dated Sat, 17 Sep 2016 13:08:06 +0100
with message-id <1474114086.2011.126.ca...@adam-barratt.org.uk>
and subject line Closing p-u bugs for updates in 8.6
has caused the Debian Bug report #826429,
regarding jessie-pu: package quassel/1:0.10.0-2.3+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
826429: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=826429
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Dear all,

A security issue was found in quassel-core (CVE-2016-4414), allowing an
unauthenticated remote client to cause a denial of service.
Given the fact that Quassel isn't widely used in the client/server model
nowadays, the Debian Security Team has asked for the issue to be fixed with the
next Jessie point release.

You'll find attached the dsc and the debdiff for the proposed upload against
Jessie.

Cheers

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog	2015-12-28 20:54:21.000000000 +0100
+++ quassel-0.10.0/debian/changelog	2016-06-05 12:54:55.000000000 +0200
@@ -1,3 +1,12 @@
+quassel (1:0.10.0-2.3+deb8u3) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-4414: remote DoS in quassel core with invalid handshake data.
+    (Closes: #826402)
+    - Add debian/patches/CVE-2016-4414.patch, cherry-picked from upstream.
+
+ -- Pierre Schweitzer <pie...@reactos.org>  Sun, 05 Jun 2016 12:41:35 +0200
+
 quassel (1:0.10.0-2.3+deb8u2) jessie; urgency=high
 
   * Non-maintainer upload.
diff -Nru quassel-0.10.0/debian/patches/CVE-2016-4414.patch quassel-0.10.0/debian/patches/CVE-2016-4414.patch
--- quassel-0.10.0/debian/patches/CVE-2016-4414.patch	1970-01-01 01:00:00.000000000 +0100
+++ quassel-0.10.0/debian/patches/CVE-2016-4414.patch	2016-06-05 12:55:03.000000000 +0200
@@ -0,0 +1,40 @@
+From e67887343c433cc35bc26ad6a9392588f427e746 Mon Sep 17 00:00:00 2001
+From: Manuel Nickschas <sputn...@quassel-irc.org>
+Date: Sun, 24 Apr 2016 21:59:15 +0200
+Subject: [PATCH] Handle invalid handshake data properly in the core
+
+Clients sending invalid handshake data could make the core crash
+due to an unchecked pointer. This commit fixes this issue by having
+the core close the socket if a peer could not be created.
+
+Thanks to Bas Pape (Tucos) for finding this one!
+---
+ src/core/coreauthhandler.cpp | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/src/core/coreauthhandler.cpp b/src/core/coreauthhandler.cpp
+index e380924..34fc222 100644
+--- a/src/core/coreauthhandler.cpp
++++ b/src/core/coreauthhandler.cpp
+@@ -81,7 +81,7 @@ void CoreAuthHandler::onReadyRead()
+     }
+ 
+     // read the list of protocols supported by the client
+-    while (socket()->bytesAvailable() >= 4) {
++    while (socket()->bytesAvailable() >= 4 && _supportedProtos.size() < 16) { // sanity check
+         quint32 data;
+         socket()->read((char*)&data, 4);
+         data = qFromBigEndian<quint32>(data);
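Review bot: the cap in the new loop condition, `_supportedProtos.size() < 16`, is a bare literal whose only explanation is `// sanity check`, and the commit message above describes the null-peer fix but not this limit. Suggest a named constant with a comment saying why 16 entries is enough, plus a line in the commit message. It is also worth stating what should happen when a client offers more entries than the cap: as written the loop simply stops reading and the leftover bytes stay in the socket buffer, whereas treating an over-long list as invalid handshake data and closing the socket would be consistent with the null-peer handling added further down in this patch.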
+@@ -98,6 +98,12 @@ void CoreAuthHandler::onReadyRead()
+                 level = Compressor::NoCompression;
+ 
+             RemotePeer *peer = PeerFactory::createPeer(_supportedProtos, this, socket(), level, this);
++            if (!peer) {
++                qWarning() << "Received invalid handshake data from client" << socket()->peerAddress().toString();
++                close();
++                return;
++            }
++
+             if (peer->protocol() == Protocol::LegacyProtocol) {
+                 _legacy = true;
+                 connect(peer, SIGNAL(protocolVersionMismatch(int,int)), SLOT(onProtocolVersionMismatch(int,int)));
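Review bot: the `qWarning()` in the new `if (!peer)` branch fires once per bad handshake from an unauthenticated client, so the volume of log output is controlled by the remote side; consider rate limiting it or logging at a lower level. The message would also be more useful for triage if it said that no peer could be created from the offered protocol list. The guard itself is in the right place, before the first `peer->protocol()` dereference, and `close()` followed by `return` matches what the commit message describes.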
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series	2015-12-28 20:54:21.000000000 +0100
+++ quassel-0.10.0/debian/patches/series	2016-06-05 12:55:18.000000000 +0200
@@ -3,3 +3,4 @@
 CVE-2015-2778.patch
 CVE-2015-3427.patch
 CVE-2015-8547.patch
+CVE-2016-4414.patch
Format: 3.0 (quilt)
Source: quassel
Binary: quassel-core, quassel-client, quassel, quassel-data,
 quassel-client-kde4, quassel-kde4, quassel-data-kde4
Architecture: any all
Version: 1:0.10.0-2.3+deb8u3
Maintainer: Thomas Mueller <thomas.muel...@tmit.eu>
Homepage: http://www.quassel-irc.org
Standards-Version: 3.9.5
Build-Depends: debhelper (>= 9.20120417), libqt4-dev, cmake,
 libfontconfig1-dev, libfreetype6-dev, libpng-dev, libsm-dev, libice-dev,
 libxi-dev, libxrandr-dev, libxrender-dev, zlib1g-dev, libssl-dev,
 libdbus-1-dev, pkg-kde-tools, kdelibs5-dev, libqca2-dev, qt4-dev-tools,
 libqtwebkit-dev, libindicate-qt-dev, libdbusmenu-qt-dev
Package-List:
 quassel deb net optional arch=any
 quassel-client deb net optional arch=any
 quassel-client-kde4 deb net optional arch=any
 quassel-core deb net optional arch=any
 quassel-data deb net optional arch=all
 quassel-data-kde4 deb net optional arch=all
 quassel-kde4 deb net optional arch=any

--- End Message ---
--- Begin Message ---
Version: 8.6

The updates referred to in each of these bugs were included in today's
stable point release.

Regards,

Adam

--- End Message ---
