Ubuntu
quassel package

Undisclosed ctcp based DoS vulnerability

Bug #629774 reported by Scott Kitterman
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Hardy Backports
Won't Fix
Undecided
Unassigned
Jaunty Jackalope Backports
Won't Fix
Undecided
Unassigned
Karmic Backports
Won't Fix
Undecided
Unassigned
quassel (Ubuntu)
Fix Released
Undecided
Unassigned
Jaunty
Fix Released
Undecided
Unassigned
Karmic
Fix Released
Undecided
Unassigned
Lucid
Fix Released
Undecided
Unassigned
Maverick
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: quassel

The information I have is from one of the upstream developers based on a private vulnerability report they got today.

The ctcp specs allow sending multiple ctcp requests in one irc-message that in return trigger X ctcp replies. If someone sens N msgs all containing X ctcp requets, quassel will respond with N times X ctcp replies (which is correct by the spec), but that triggers quassels spam-protection and queues the messages. The potential impact is that one can block the output. Spamming such messages will delay quassels output and irc interaction. I think the worst case scenario is that quassel core will ping timeout

Upstream believes they have a relatively simple, low impact solution, but are conferring among themselves to make sure. They view this as a vulnerability that needs to be fixed, but not particularly urgent and not critical (the only risk is DoS, not any kind of escalation).

Revision history for this message
Scott Kitterman (kitterman) wrote :

FYI, sputnick is one of the upstream developers working on the issue.

Jamie Strandboge (jdstrand)
Changed in quassel (Ubuntu):
status: New → Confirmed
Revision history for this message
Manuel Nickschas (sputnick) wrote :

Mail and patch sent to vendor-sec, with a proposed embargo date of Sept 21st.

Revision history for this message
Scott Kitterman (kitterman) wrote :

Upstream has released the fix, so this is public now.

Here's the Git commit for the 0.6 branch (what we have in Lucid).

http://git.quassel-irc.org/?p=quassel.git;a=commitdiff;h=a4ca568cdf68cf4a0343eb161518dc8e50cea87d

visibility: private → public
Revision history for this message
Scott Kitterman (kitterman) wrote :

quassel (0.7.1-0ubuntu1) maverick; urgency=high

  * SECURITY UPDATE:
  * References
  * Upstream Git 0f2c520a76a468d3778e031ebde2d304048e1663
    - If we receive multiple CTCP requests in one PRIVMSG we now answer with
      one packed NOTICE containing all CTCP replies. This fixes a possible
      DoS Attack rendering Quassels IRC connection useless. Upgrading is
      strongly recommended. Thanks to Jima for reporting and supporting

 -- Scott Kitterman <email address hidden> Tue, 21 Sep 2010 08:55:19 -0400

Changed in quassel (Ubuntu):
status: Confirmed → Fix Released
Changed in quassel (Ubuntu Lucid):
status: New → Confirmed
Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Karmic):
status: New → Confirmed
Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Jaunty):
status: New → Confirmed
Changed in karmic-backports:
status: New → Confirmed
Changed in jaunty-backports:
status: New → Confirmed
Changed in hardy-backports:
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.6.1-0ubuntu1.1

---------------
quassel (0.6.1-0ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: fix multiple CTCP DoS issue (LP: #629774)
    - debian/patches/10-quassel_multiple_CTCP_DoS_lp629774.patch
 -- Steve Beattie <email address hidden> Tue, 21 Sep 2010 10:00:19 -0700

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.5.0-0ubuntu1.2

---------------
quassel (0.5.0-0ubuntu1.2) karmic-security; urgency=low

  * SECURITY UPDATE: fix multiple CTCP DoS issue (LP: #629774)
    - debian/patches/10-quassel_multiple_CTCP_DoS_lp629774.patch
 -- Steve Beattie <email address hidden> Tue, 21 Sep 2010 11:47:15 -0700

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.4.1-0ubuntu3.1

---------------
quassel (0.4.1-0ubuntu3.1) jaunty-security; urgency=low

  * SECURITY UPDATE: fix multiple CTCP DoS issue (LP: #629774)
    - debian/patches/10-quassel_multiple_CTCP_DoS_lp629774.patch
 -- Steve Beattie <email address hidden> Tue, 21 Sep 2010 13:46:14 -0700

Changed in quassel (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in quassel (Ubuntu Karmic):
status: Confirmed → Fix Released
Changed in quassel (Ubuntu Lucid):
status: Confirmed → Fix Released
Scott Kitterman (kitterman)
Changed in jaunty-backports:
status: Confirmed → Won't Fix
Changed in karmic-backports:
status: Confirmed → Won't Fix
Dan Streetman (ddstreet)
Changed in hardy-backports:
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.