CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption

Bug #1388333 reported by Felix Geyer on 2014-11-01
Affects            Status   Importance   Assigned to   Milestone
quassel (Ubuntu)            Undecided    Unassigned
  Precise                   Undecided    Unassigned
  Trusty                    Undecided    Unassigned
  Utopic                    Undecided    Unassigned

Bug Description

https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138

> Check for invalid input in encrypted buffers
>
> The ECB Blowfish decryption function assumed that encrypted input would
> always come in blocks of 12 characters, as specified. However, buggy
> clients or annoying people may not adhere to that assumption, causing
> the core to crash while trying to process the invalid base64 input.
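The kind of input check the quoted commit describes, as an added illustration in C that is not quassel's own code. It assumes a FiSH-style encoding (a 64-character alphabet at 6 bits per character, each 8-byte ECB block carried as two 32-bit words of 6 characters each, 12 characters per block) and rejects any buffer that is not whole blocks of alphabet characters before a decoding loop can walk past the end of it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed FiSH-style alphabet for this illustration: 6 bits per character. */
static const char B64[] =
    "./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* Safe lookup: -1 for any character outside the alphabet (including NUL),
 * so a stray byte can never be used as a table index. */
static int b64_index(char c) {
    const char *p = c ? strchr(B64, c) : NULL;
    return p ? (int)(p - B64) : -1;
}

/* The check the fix is about: only whole 12-character blocks of alphabet
 * characters may reach the decoder. */
int ecb_input_is_valid(const char *s, size_t n) {
    if (n == 0 || n % 12 != 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (b64_index(s[i]) < 0) return 0;
    return 1;
}

/* Encode one 8-byte block as 12 characters (two 32-bit words, 6 chars each). */
void encode_block(const unsigned char in[8], char out[12]) {
    for (int w = 0; w < 2; w++) {
        uint32_t v = (uint32_t)in[4*w] << 24 | (uint32_t)in[4*w+1] << 16 |
                     (uint32_t)in[4*w+2] << 8 | in[4*w+3];
        for (int i = 0; i < 6; i++) { out[6*w + i] = B64[v & 0x3f]; v >>= 6; }
    }
}

/* Decode validated input into 8-byte blocks; returns bytes written, or 0 for
 * invalid input instead of reading past the end of the buffer. */
size_t decode_ecb_blocks(const char *s, size_t n, unsigned char *out, size_t cap) {
    if (!ecb_input_is_valid(s, n) || cap < (n / 12) * 8) return 0;
    size_t produced = 0;
    for (size_t b = 0; b < n; b += 12) {
        for (int w = 0; w < 2; w++) {
            uint32_t v = 0;
            for (int i = 0; i < 6; i++)
                v |= (uint32_t)b64_index(s[b + 6*w + i]) << (6 * i);
            out[produced++] = (unsigned char)(v >> 24);
            out[produced++] = (unsigned char)(v >> 16);
            out[produced++] = (unsigned char)(v >> 8);
            out[produced++] = (unsigned char)v;
        }
    }
    return produced;
}

/* Constructed sample block: encode, decode and compare; returns 1 on success. */
int roundtrip_ok(void) {
    const unsigned char in[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    unsigned char back[8];
    char enc[12];
    encode_block(in, enc);
    return decode_ecb_blocks(enc, 12, back, sizeof back) == 8 &&
           memcmp(in, back, 8) == 0;
}
```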

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.11.0-0ubuntu1

---------------
quassel (0.11.0-0ubuntu1) vivid; urgency=medium

  * New upstream release.
  * Fix CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
    - Add debian/patches/CVE-2014-8483.patch
    - LP: #1388333
  * Simplify debian/rules a bit by using debhelper compat level 9.
  * Add a systemd service file.
 -- Felix Geyer <email address hidden> Sat, 01 Nov 2014 11:52:52 +0100

Changed in quassel (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.8.0-0ubuntu1.2

---------------
quassel (0.8.0-0ubuntu1.2) precise-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read in ECB Blowfish decryption
    - debian/patches/CVE-2014-8483.patch: backport upstream patch
    - CVE-2014-8483
    - LP: #1388333
 -- Felix Geyer <email address hidden> Tue, 04 Nov 2014 18:19:33 +0100

Changed in quassel (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.10.1-0ubuntu1.1

---------------
quassel (0.10.1-0ubuntu1.1) utopic-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read in ECB Blowfish decryption
    - debian/patches/CVE-2014-8483.patch: add upstream patch
    - CVE-2014-8483
    - LP: #1388333
 -- Felix Geyer <email address hidden> Tue, 04 Nov 2014 18:14:49 +0100

Changed in quassel (Ubuntu Utopic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.10.0-0ubuntu2.1

---------------
quassel (0.10.0-0ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read in ECB Blowfish decryption
    - debian/patches/CVE-2014-8483.patch: add upstream patch
    - CVE-2014-8483
    - LP: #1388333
 -- Felix Geyer <email address hidden> Tue, 04 Nov 2014 18:15:46 +0100

Changed in quassel (Ubuntu Trusty):
status: New → Fix Released