Execute initDbSession() on DB reconnects
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| quassel (Ubuntu) | | Undecided | Unassigned | |
| Trusty | | Undecided | Steve Beattie | |
| Utopic | | Undecided | Steve Beattie | |
| Vivid | | Undecided | Unassigned | |
| Wily | | Undecided | Unassigned | |
Bug Description
Bug fixed in 0.12.2 is an old CVE that re-occurred:
Previously, the initDbSession() function would only be run on the
initial connect. Since the initDbSession() code in PostgreSQL is
used to fix the CVE-2013-4422 SQL Injection bug, this means that
Quassel was still vulnerable to that CVE if the PostgreSQL server
is restarted or the connection is lost at any point while Quassel
is running.
This bug also causes the Qt5 psql timezone fix to stop working
after a reconnect.
The fix is to disable Qt's automatic reconnecting, check the
connection status ourselves, and reconnect if necessary, executing
the initDbSession() function afterward.
https:/
TEST CASE:
15:22 < mamarley> Yeah, restart PostgreSQL and do something that will cause backlog messages to be recorded. Then, restart the quasselclient and make sure those backlog messages have the correct timestamp.
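The reconnect behaviour described in the bug description above, as an added example that is not Quassel's code and not part of the original report: a self-contained C++ model with no Qt or PostgreSQL dependency. All class and function names and the `hardening` setting are hypothetical; `initSession` stands in for initDbSession().

```cpp
// Added illustration; every name here is hypothetical, not Quassel or Qt API.
#include <map>
#include <string>

// Stand-in for a database server. Per-session settings live only as long as
// the session; a restart invalidates every open session.
struct FakeServer {
    int generation = 0;
    void restart() { ++generation; }
};

// Stand-in for one client connection with its session-scoped settings.
struct Session {
    int generation = -1;                          // -1: never connected
    std::map<std::string, std::string> settings;  // lost on every reconnect
    bool alive(const FakeServer &s) const { return generation == s.generation; }
    void connect(const FakeServer &s) { generation = s.generation; settings.clear(); }
};

// Plays the role of initDbSession(): the per-session hardening step.
// "hardening" is a constructed setting name.
void initSession(Session &c) { c.settings["hardening"] = "on"; }

// Pattern from the bug report: init runs on the initial connect only and the
// driver silently reconnects later, leaving a session without the hardening.
struct AutoReconnectClient {
    Session conn;
    explicit AutoReconnectClient(const FakeServer &s) { conn.connect(s); initSession(conn); }
    bool hardenedQuery(const FakeServer &s) {
        if (!conn.alive(s)) conn.connect(s);      // transparent reconnect, no init
        return conn.settings.count("hardening") == 1;
    }
};

// Pattern of the fix: check the connection ourselves before each query and
// re-run the session init after every reconnect.
struct CheckedClient {
    Session conn;
    explicit CheckedClient(const FakeServer &s) { conn.connect(s); initSession(conn); }
    bool hardenedQuery(const FakeServer &s) {
        if (!conn.alive(s)) { conn.connect(s); initSession(conn); }
        return conn.settings.count("hardening") == 1;
    }
};

int main() {
    FakeServer db; AutoReconnectClient before(db); CheckedClient after(db);
    db.restart();  // constructed event: server restart drops both sessions
    return (!before.hardenedQuery(db) && after.hardenedQuery(db)) ? 0 : 1;
}
```

Both clients behave identically until the first restart, which is why a test that never drops the connection does not reveal the difference.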
| Jonathan Riddell (jr) wrote : | #1 |
| Jonathan Riddell (jr) wrote : | #2 |
Uploaded quassel_
Hello Jonathan, or anyone else affected,
Accepted into vivid-proposed. The package will build now and be available in a few hours in the -proposed repository.
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Changed in quassel (Ubuntu Vivid): | |
| status: | New → Fix Committed |
| tags: | added: verification-needed |
| Tyler Hicks (tyhicks) wrote : | #4 |
Hi Jonathan (and Scott) - This update fixes a security issue so it should go through the -security sponsoring process rather than the SRU process. The Security Team will get it sponsored to the security pocket once these steps are followed:
https:/
Thanks!
| Scott Kitterman (kitterman) wrote : Re: [Bug 1448911] Re: Execute initDbSession() on DB reconnects | #5 |
On Monday, April 27, 2015 10:14:47 PM you wrote:
> Hi Jonathan (and Scott) - This update fixes a security issue so it
> should go through the -security sponsoring process rather than the SRU
> process. The Security Team will get it sponsored to the security pocket
> once these steps are followed:
I know for security it's supposed to be built against security and not
proposed/updates, but this close to release it's essentially the same thing.
Can you just pocket copy this to security?
| Tyler Hicks (tyhicks) wrote : | #6 |
On 2015-04-28 00:16:15, Scott Kitterman wrote:
> On Monday, April 27, 2015 10:14:47 PM you wrote:
> > Hi Jonathan (and Scott) - This update fixes a security issue so it
> > should go through the -security sponsoring process rather than the SRU
> > process. The Security Team will get it sponsored to the security pocket
> > once these steps are followed:
>
> I know for security it's supposed to be built against security and not
> proposed/updates, but this close to release it's essentially the same thing.
> Can you just pocket copy this to security?
We can do that in this case but it definitely isn't something that we
should make a habit of.
Just to be clear, do you want us to copy it from -proposed to -security
now or wait until the SRU process completes and copy it from -updates to
-security at that time?
| Scott Kitterman (kitterman) wrote : | #7 |
On Tuesday, April 28, 2015 05:06:57 PM you wrote:
> On 2015-04-28 00:16:15, Scott Kitterman wrote:
> > On Monday, April 27, 2015 10:14:47 PM you wrote:
> > > Hi Jonathan (and Scott) - This update fixes a security issue so it
> > > should go through the -security sponsoring process rather than the SRU
> > > process. The Security Team will get it sponsored to the security pocket
> >
> > > once these steps are followed:
> > I know for security it's supposed to be built against security and not
> > proposed/updates, but this close to release it's essentially the same
> > thing. Can you just pocket copy this to security?
>
> We can do that in this case but it definitely isn't something that we
> should make a habit of.
>
> Just to be clear, do you want us to copy it from -proposed to -security
> now or wait until the SRU process completes and copy it from -updates to
> -security at that time?
Your call on when. It's the upstream fix, so I'm confident it's correct, but we
can get someone to do verification first if you prefer.
| Tyler Hicks (tyhicks) wrote : | #8 |
On 2015-04-29 01:07:19, Scott Kitterman wrote:
> On Tuesday, April 28, 2015 05:06:57 PM you wrote:
> > On 2015-04-28 00:16:15, Scott Kitterman wrote:
> > > On Monday, April 27, 2015 10:14:47 PM you wrote:
> > > > Hi Jonathan (and Scott) - This update fixes a security issue so it
> > > > should go through the -security sponsoring process rather than the SRU
> > > > process. The Security Team will get it sponsored to the security pocket
> > >
> > > > once these steps are followed:
> > > I know for security it's supposed to be built against security and not
> > > proposed/updates, but this close to release it's essentially the same
> > > thing. Can you just pocket copy this to security?
> >
> > We can do that in this case but it definitely isn't something that we
> > should make a habit of.
> >
> > Just to be clear, do you want us to copy it from -proposed to -security
> > now or wait until the SRU process completes and copy it from -updates to
> > -security at that time?
>
> Your call on when. It's the upstream fix, so I'm confident it's correct, but we
> can get someone to do verification first if you prefer.
Verification is always a good thing. We can wait for that. Thanks!
| Felix Geyer (debfx) wrote : | #9 |
Attached are debdiffs that fix this vulnerability and CVE-2015-
| Felix Geyer (debfx) wrote : | #10 |
| description: | updated |
| Jonathan Riddell (jr) wrote : | #11 |
As upstream advised I installed the new version from vivid-proposed, set it up to use postgresql, connected and chatted. I restarted postgresql then chatted some more. I then restarted the client and checked the timestamps which were all correctly set.
| tags: |
added: verification-done removed: verification-needed |
| Jonathan Riddell (jr) wrote : | #12 |
I'll leave the security team to deal with Felix's updates for trusty and utopic
| Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package quassel - 0.12.2-0ubuntu0.1
---------------
quassel (0.12.2-0ubuntu0.1) vivid; urgency=medium
* New upstream release
- LP: #1448911 Execute initDbSession() on DB reconnects
-- Jonathan Riddell <email address hidden> Mon, 27 Apr 2015 10:11:13 +0200
| Changed in quassel (Ubuntu Vivid): | |
| status: | Fix Committed → Fix Released |
| Changed in quassel (Ubuntu Trusty): | |
| status: | New → In Progress |
| Changed in quassel (Ubuntu Utopic): | |
| status: | New → In Progress |
| Changed in quassel (Ubuntu Trusty): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Changed in quassel (Ubuntu Utopic): | |
| assignee: | nobody → Steve Beattie (sbeattie) |
| Launchpad Janitor (janitor) wrote : | #14 |
This bug was fixed in the package quassel - 0.10.0-0ubuntu2.2
---------------
quassel (0.10.0-0ubuntu2.2) trusty-security; urgency=medium
* SECURITY UPDATE: stack consumption vulnerability in message splitting code
- debian/
backported by Steinar H. Gunderson
- CVE-2015-2778 and CVE-2015-2779
* SECURITY UPDATE: SQL injection vulnerability in PostgreSQL backend
- debian/
- CVE-2015-3427
- original issue was CVE-2013-4422 which had an incomplete fix
- LP: #1448911
-- Felix Geyer <email address hidden> Fri, 01 May 2015 18:30:44 +0200
| Changed in quassel (Ubuntu Trusty): | |
| status: | In Progress → Fix Released |
| Launchpad Janitor (janitor) wrote : | #15 |
This bug was fixed in the package quassel - 0.10.1-0ubuntu1.2
---------------
quassel (0.10.1-0ubuntu1.2) utopic-security; urgency=medium
* SECURITY UPDATE: stack consumption vulnerability in message splitting code
- debian/
backported by Steinar H. Gunderson
- CVE-2015-2778 and CVE-2015-2779
* SECURITY UPDATE: SQL injection vulnerability in PostgreSQL backend
- debian/
- CVE-2015-3427
- original issue was CVE-2013-4422 which had an incomplete fix
- LP: #1448911
-- Felix Geyer <email address hidden> Fri, 01 May 2015 18:46:52 +0200
| Changed in quassel (Ubuntu Utopic): | |
| status: | In Progress → Fix Released |
| Steve Beattie (sbeattie) wrote : | #16 |
quassel 0.12.2-0ubuntu0.1 was copied into wily, closing that task.
| Changed in quassel (Ubuntu Wily): | |
| status: | New → Fix Released |


It also removes a warning on startup due to a change in Kdelibs4ConfigMigrator by moving the code to the right place