KVIrc security release 4.0.2 available

Bug #612682 reported by ambossarm
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
kvirc (Ubuntu) | Fix Released | Medium | Unassigned |
Lucid | Fix Released | Medium | Unassigned |
Natty | Fix Released | Medium | Unassigned |

Bug Description

Binary package hint: kvirc

http://www.kvirc.net/?id=news&story=2010.08.01.16.30.1.story&dir=latest&lang=de

Please update KVIrc in lucid (and all older still maintained versions) due to a security fix.

There seems to be a ticket for updating KVIrc to 4.0.0-3 in maverick, but 4.0.2 in lucid would be nice, because lucid is the stable version of Ubuntu most people use…

ambossarm (ambossarm) wrote :

The Debian maintainer has already built new packages; they await upload to unstable.

http://hg.debian.org/hg/pkg-kde/kde-extras/kvirc

http://dev.carbon-project.org/debian/kvirc/ has a signed preview of the packages until they get uploaded to Debian unstable.

visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in kvirc (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
ambossarm (ambossarm) wrote :

I can give you my debian dirs with which I compiled KVIrc for karmic and lucid; mainly I use the work of the Debian guys in an older version.

http://www.rzuser.uni-heidelberg.de/~xt1/ubuntu/kvirc_karmic_debiandir.tar.gz
http://www.rzuser.uni-heidelberg.de/~xt1/ubuntu/lucid/kvirc4.1.1_lucid_debiandir.tar.gz

On my page http://www.rzuser.uni-heidelberg.de/~xt1/ubuntu/ are also .deb files for lucid and karmic, but they are built without signature and some minor warnings are ignored.

Bryan Østergaard (kloeri) wrote :

This bug has now been known for 7+ months and while importance is set to 'medium' it has real consequences for a lot of users. This vulnerability is being actively exploited on freenode and we're considering blocking old versions of kvirc due to the problems caused.

I hope this bug will finally be fixed so we won't have to block your users from participating on freenode.

Jamie Strandboge (jdstrand) wrote :

To reiterate what Marc said in comment #2, this package is in universe and is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures.

Changed in kvirc (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Nathan Handler (nhandler)
Nathan Handler (nhandler) wrote :

This patch should resolve this issue. It is based on the patch applied upstream (https://svn.kvirc.de/kvirc/changeset/4693) and in Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=kvirc_3.4.0_security-team.debdiff;att=2;bug=590745). Ubuntu Maverick, Natty, and Debian already have this patch. The patch applies, and the resulting package is able to be built (https://launchpad.net/~nhandler/+archive/ppa/+sourcepub/1550219/+listing-archive-extra). I am waiting on confirmation from another member of freenode staff (or anyone else in the community) to confirm that this patched version of the package successfully resolves the vulnerability present in the current version of the package.

Changed in kvirc (Ubuntu):
status: In Progress → Confirmed
assignee: Nathan Handler (nhandler) → nobody
Nathan Handler (nhandler) wrote :

I have just received confirmation that the version of kvirc in my PPA (same as this debdiff) successfully resolves this bug. I am subscribing ubuntu-security-sponsors.

Changed in kvirc (Ubuntu Lucid):
status: New → In Progress
Changed in kvirc (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in kvirc (Ubuntu Lucid):
importance: Undecided → Medium
status: In Progress → Confirmed
Jamie Strandboge (jdstrand) wrote :

ACK for lucid

Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff! Uploaded to the security PPA and will push to the archive when it is done building.

Changed in kvirc (Ubuntu Lucid):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kvirc - 4:4.0.0~svn3900+rc2-1ubuntu0.2

---------------
kvirc (4:4.0.0~svn3900+rc2-1ubuntu0.2) lucid-security; urgency=low

  * SECURITY UPDATE: The IRC Protocol component in KVIrc 3.x and 4.x before
    r4693 does not properly handle \ (backslash) characters, which allows
    remote authenticated users to execute arbitrary CTCP commands via vectors
    involving \r and \40 sequences, a different vulnerability than CVE-2010-2451
    and CVE-2010-2452.
    - 33_upstream_security_#858.patch
      - Patch based on upstream SVN revision 4693.
    - CVE-2010-2785:
      - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2785
    - LP: #612682
 -- Nathan Handler <email address hidden> Sat, 12 Mar 2011 20:00:18 -0600

Changed in kvirc (Ubuntu Lucid):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
