Clients may be able to access buffers belonging to other users

Bug #1255362 reported by Scott Kitterman on 2013-11-27
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
quassel (Ubuntu)
High
Scott Kitterman
Lucid
High
Scott Kitterman
Precise
High
Scott Kitterman
Quantal
High
Scott Kitterman
Raring
High
Scott Kitterman
Saucy
High
Scott Kitterman
Trusty
High
Scott Kitterman

Bug Description

A manipulated, but properly authenticated client was able to retrieve
the backlog of other users on the same core in some cases by providing
an appropriate BufferID to the storage engine. Note that proper
authentication was still required, so exploiting this requires
malicious users on your core.

Fixed upstream in 0.9.2.

Changed in quassel (Ubuntu):
assignee: nobody → Scott Kitterman (kitterman)
importance: Undecided → High
status: New → Triaged
Changed in quassel (Ubuntu Lucid):
status: New → Triaged
Changed in quassel (Ubuntu Precise):
status: New → Triaged
Changed in quassel (Ubuntu Quantal):
status: New → Triaged
Changed in quassel (Ubuntu Raring):
status: New → Triaged
Changed in quassel (Ubuntu Saucy):
status: New → Triaged
Changed in quassel (Ubuntu Lucid):
importance: Undecided → High
Changed in quassel (Ubuntu Precise):
importance: Undecided → High
Changed in quassel (Ubuntu Quantal):
importance: Undecided → High
Changed in quassel (Ubuntu Raring):
importance: Undecided → High
Changed in quassel (Ubuntu Saucy):
importance: Undecided → High
Changed in quassel (Ubuntu Lucid):
assignee: nobody → Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Precise):
assignee: nobody → Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Quantal):
assignee: nobody → Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Raring):
assignee: nobody → Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Saucy):
assignee: nobody → Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Trusty):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.9.2-0ubuntu1

---------------
quassel (0.9.2-0ubuntu1) trusty; urgency=low

  * New upstream release
    - Includes fix for cross-user data exposure in the core (LP: #1255362)
 -- Scott Kitterman <email address hidden> Tue, 26 Nov 2013 19:56:06 -0500

Changed in quassel (Ubuntu Trusty):
status: In Progress → Fix Released
Felix Geyer (debfx) wrote :

CVE-2013-6404 has been assigned to this vulnerability.

Felix Geyer (debfx) wrote :

Scott, any news on this?
Do you want me to take over preparing the updates?

Felix Geyer (debfx) wrote :

I've prepared and tested updates for precise, quantal and saucy.

Felix Geyer (debfx) wrote :
Felix Geyer (debfx) wrote :
Felix Geyer (debfx) wrote :
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs, they are currently building and will be released once done.

Thanks!

Changed in quassel (Ubuntu Lucid):
status: Triaged → Won't Fix
Changed in quassel (Ubuntu Raring):
status: Triaged → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.8.0-0ubuntu2.1

---------------
quassel (0.8.0-0ubuntu2.1) quantal-security; urgency=low

  * SECURITY UPDATE: clients can access backlogs belonging to other users
    - debian/patches/CVE-2013-6404.patch: add upstream patch
    - CVE-2013-6404
    - LP: #1255362
 -- Felix Geyer <email address hidden> Thu, 16 Jan 2014 21:44:27 +0100

Changed in quassel (Ubuntu Quantal):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.9.1-0ubuntu1.1

---------------
quassel (0.9.1-0ubuntu1.1) saucy-security; urgency=low

  * SECURITY UPDATE: clients can access backlogs belonging to other users
    - debian/patches/CVE-2013-6404.patch: add upstream patch
    - CVE-2013-6404
    - LP: #1255362
 -- Felix Geyer <email address hidden> Thu, 16 Jan 2014 21:46:04 +0100

Changed in quassel (Ubuntu Saucy):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.8.0-0ubuntu1.1

---------------
quassel (0.8.0-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: clients can access backlogs belonging to other users
    - debian/patches/CVE-2013-6404.patch: add upstream patch
    - CVE-2013-6404
    - LP: #1255362
 -- Felix Geyer <email address hidden> Thu, 16 Jan 2014 21:34:52 +0100

Changed in quassel (Ubuntu Precise):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers