Public bug reported: Bug fixed in 0.12.2 is an old CVE that re-occurred:
Previously, the initDbSession() function would only be run on the initial connect. Since the initDbSession() code in PostgreSQL is used to fix the CVE-2013-4422 SQL Injection bug, this means that Quassel was still vulnerable to that CVE if the PostgreSQL server is restarted or the connection is lost at any point while Quassel is running. This bug also causes the Qt5 psql timezone fix to stop working after a reconnect. The fix is to disable Qt's automatic reconnecting, check the connection status ourselves, and reconnect if necessary, executing the initDbSession() function afterward. https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283 ** Affects: quassel (Ubuntu) Importance: Undecided Status: New ** Affects: quassel (Ubuntu Vivid) Importance: Undecided Status: New ** Affects: quassel (Ubuntu W-series) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1448911 Title: Execute initDbSession() on DB reconnects To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/quassel/+bug/1448911/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
