Re: [Pkg-kde-extras] Sponsoring for upload CVE-2016-4414

2016-06-05 Thread Pierre Schweitzer
Hi Salvatore,

Thanks for your answer.

For the record, I created the bug report #826429 for the stable upload.

Cheers,
Pierre

On 05/06/2016 14:49, Salvatore Bonaccorso wrote:
> Hi Pierre,
> 
> On Sun, Jun 05, 2016 at 01:34:53PM +0200, Pierre Schweitzer wrote:
>> Dear all,
>>
>> The CVE 2016-4414 was identified earlier in Quassel, which allows an
>> unauthenticated remote DoS in quassel-core. Its associated bug report in
>> Debian BTS is: #826402.
>> Please find attached a debdiff & dsc that address the backport for
>> fixing the vulnerability in Jessie.
>> Please, note that due to 'compilation' issues (Quassel build for jessie
>> isn't C++11 ready), I removed cosmetic change from the cherrypicked
>> commit (return 0 -> return nullptr) and only kept functional changes.
>> Would you be able to sponsor the upload, as I can't?
>> Thanks for your help.
> 
> Thanks for preparing the update. As the issue is 'no-dsa', you first
> need to get an ack from the stable release managers. There is
> documentation here, hope it helps:
> 
> https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable
> 
> Hope then someone of the maintainers of src:quassel can sponsor your
> upload (preferred), if not please let me know.
> 
> Regards and thanks!
> Salvatore
> 


-- 
Pierre Schweitzer 
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.



___
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras

Re: [Pkg-kde-extras] Sponsoring for upload CVE-2016-4414

2016-06-05 Thread Salvatore Bonaccorso
Hi Pierre,

On Sun, Jun 05, 2016 at 01:34:53PM +0200, Pierre Schweitzer wrote:
> Dear all,
> 
> The CVE 2016-4414 was identified earlier in Quassel, which allows an
> unauthenticated remote DoS in quassel-core. Its associated bug report in
> Debian BTS is: #826402.
> Please find attached a debdiff & dsc that address the backport for
> fixing the vulnerability in Jessie.
> Please, note that due to 'compilation' issues (Quassel build for jessie
> isn't C++11 ready), I removed cosmetic change from the cherrypicked
> commit (return 0 -> return nullptr) and only kept functional changes.
> Would you be able to sponsor the upload, as I can't?
> Thanks for your help.

Thanks for preparing the update. As the issue is 'no-dsa', you first
need to get an ack from the stable release managers. There is
documentation here, hope it helps:

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

Hope then someone of the maintainers of src:quassel can sponsor your
upload (preferred), if not please let me know.

Regards and thanks!
Salvatore



[Pkg-kde-extras] Sponsoring for upload CVE-2016-4414

2016-06-05 Thread Pierre Schweitzer
Dear all,

The CVE 2016-4414 was identified earlier in Quassel, which allows an
unauthenticated remote DoS in quassel-core. Its associated bug report in
Debian BTS is: #826402.
Please find attached a debdiff & dsc that address the backport for
fixing the vulnerability in Jessie.
Please, note that due to 'compilation' issues (Quassel build for jessie
isn't C++11 ready), I removed cosmetic change from the cherrypicked
commit (return 0 -> return nullptr) and only kept functional changes.
Would you be able to sponsor the upload, as I can't?
Thanks for your help.

Cheers,
-- 
Pierre Schweitzer 
System & Network Administrator
Senior Kernel Developer
ReactOS Deutschland e.V.
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog	2015-12-28 20:54:21.0 +0100
+++ quassel-0.10.0/debian/changelog	2016-06-05 12:54:55.0 +0200
@@ -1,3 +1,12 @@
+quassel (1:0.10.0-2.3+deb8u3) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-4414: remote DoS in quassel core with invalid handshake data.
+(Closes: #826402)
+- Add debian/patches/CVE-2016-4414.patch, cherry-picked from upstream.
+
+ -- Pierre Schweitzer   Sun, 05 Jun 2016 12:41:35 +0200
+
 quassel (1:0.10.0-2.3+deb8u2) jessie; urgency=high
 
   * Non-maintainer upload.
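Review bot: the last bullet of the new entry, "cherry-picked from upstream", does not mention that the backport differs from the upstream commit; the cover message says the `return 0` -> `return nullptr` change was dropped because the jessie build is not C++11 ready. Recording that deviation here or in the patch header would let the release team see that only the functional change was kept.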
diff -Nru quassel-0.10.0/debian/patches/CVE-2016-4414.patch quassel-0.10.0/debian/patches/CVE-2016-4414.patch
--- quassel-0.10.0/debian/patches/CVE-2016-4414.patch	1970-01-01 01:00:00.0 +0100
+++ quassel-0.10.0/debian/patches/CVE-2016-4414.patch	2016-06-05 12:55:03.0 +0200
@@ -0,0 +1,40 @@
+From e67887343c433cc35bc26ad6a9392588f427e746 Mon Sep 17 00:00:00 2001
+From: Manuel Nickschas 
+Date: Sun, 24 Apr 2016 21:59:15 +0200
+Subject: [PATCH] Handle invalid handshake data properly in the core
+
+Clients sending invalid handshake data could make the core crash
+due to an unchecked pointer. This commit fixes this issue by having
+the core close the socket if a peer could not be created.
+
+Thanks to Bas Pape (Tucos) for finding this one!
+---
+ src/core/coreauthhandler.cpp | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/src/core/coreauthhandler.cpp b/src/core/coreauthhandler.cpp
+index e380924..34fc222 100644
+--- a/src/core/coreauthhandler.cpp
 b/src/core/coreauthhandler.cpp
+@@ -81,7 +81,7 @@ void CoreAuthHandler::onReadyRead()
+ }
+ 
+ // read the list of protocols supported by the client
+-while (socket()->bytesAvailable() >= 4) {
++while (socket()->bytesAvailable() >= 4 && _supportedProtos.size() < 16) { // sanity check
+ quint32 data;
+ socket()->read((char*)&data, 4);
+ data = qFromBigEndian(data);
+@@ -98,6 +98,12 @@ void CoreAuthHandler::onReadyRead()
+ level = Compressor::NoCompression;
+ 
+ RemotePeer *peer = PeerFactory::createPeer(_supportedProtos, this, socket(), level, this);
++if (!peer) {
++qWarning() << "Received invalid handshake data from client" << socket()->peerAddress().toString();
++close();
++return;
++}
++
+ if (peer->protocol() == Protocol::LegacyProtocol) {
+ _legacy = true;
+ connect(peer, SIGNAL(protocolVersionMismatch(int,int)), SLOT(onProtocolVersionMismatch(int,int)));
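Review bot: in the first inner hunk, the `_supportedProtos.size() < 16` bound added to the `while` condition in `CoreAuthHandler::onReadyRead()` is a bare literal, and the lines shown do not say what happens to the connection when the loop stops on that bound rather than at the end of the client's protocol list. A named constant, plus an explicit warning and `close()` on that path like the one the second inner hunk adds for `!peer`, would make the behaviour clear; if the code after the loop already covers it, a comment saying so is enough.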
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series	2015-12-28 20:54:21.0 +0100
+++ quassel-0.10.0/debian/patches/series	2016-06-05 12:55:18.0 +0200
@@ -3,3 +3,4 @@
 CVE-2015-2778.patch
 CVE-2015-3427.patch
 CVE-2015-8547.patch
+CVE-2016-4414.patch
Format: 3.0 (quilt)
Source: quassel
Binary: quassel-core, quassel-client, quassel, quassel-data, quassel-client-kde4, quassel-kde4, quassel-data-kde4
Architecture: any all
Version: 1:0.10.0-2.3+deb8u3
Maintainer: Thomas Mueller 
Homepage: http://www.quassel-irc.org
Standards-Version: 3.9.5
Build-Depends: debhelper (>= 9.20120417), libqt4-dev, cmake, libfontconfig1-dev, libfreetype6-dev, libpng-dev, libsm-dev, libice-dev, libxi-dev, libxrandr-dev, libxrender-dev, zlib1g-dev, libssl-dev, libdbus-1-dev, pkg-kde-tools, kdelibs5-dev, libqca2-dev, qt4-dev-tools, libqtwebkit-dev, libindicate-qt-dev, libdbusmenu-qt-dev
Package-List:
 quassel deb net optional arch=any
 quassel-client deb net optional arch=any
 quassel-client-kde4 deb net optional arch=any
 quassel-core deb net optional arch=any
 quassel-data deb net optional arch=all
 quassel-data-kde4 deb net optional arch=all
 quassel-kde4 deb net optional arch=any
Checksums-Sha1:
 305d56774b1af2a891775a5637174d9048d875a7 2873233 quassel_0.10.0.orig.tar.bz2
 295c3381f66c26389a71a17aaf96bf4d5d4ceef0 23684 quassel_0.10.0-2.3+deb8u3.debian.tar.xz
Checksums-Sha256:
 68228ce23aa3a992add3d00cb1e8b4863d8ca64bea99c881edf6d16ff9ec7c23 2873233 quassel_0.10.0.orig.tar.bz2
 926f4944e6d64e5410e3357d410f172d1266e428585331d3cd