Security fixes from 0.12.5 require backfit to earlier releases
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| quassel (Debian) |
Fix Released
|
Unknown
|
||
| quassel (Ubuntu) |
High
|
Unassigned | ||
| Trusty |
High
|
Steve Beattie | ||
| Xenial |
High
|
Unassigned | ||
| Bionic |
High
|
Unassigned | ||
| Cosmic |
High
|
Unassigned |
Bug Description
A recent upstream release contains two security fixes. All supported Ubuntu releases are affected.
* SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
qdatastream
- debian/
upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
- CVE requested by upstream
* SECURITY UPDATE: quasselcore, denial of service for unconfigure core
- debian/
_
for non-C++ 11 systems by Felix Geyer
- CVE requested by upstream
I'll be attaching a debdiff for Trusty, but not later releases as that is the only Ubuntu release I still have an interest in. Note that the debian/changelog doesn't have the LP bug number in it since I haven't filed it yet. The trusty fix is based on the Debian patches for Jessie (Debian 8):
https:/
I'm running the fixed version now.
CVE References
Scott Kitterman (kitterman) wrote : | #1 |
Changed in quassel (Ubuntu Trusty): | |
status: | New → Confirmed |
Changed in quassel (Ubuntu Bionic): | |
status: | Confirmed → New |
tags: | added: patch |
Changed in quassel (Debian): | |
status: | Unknown → Confirmed |
Changed in quassel (Ubuntu Xenial): | |
status: | New → Confirmed |
Changed in quassel (Ubuntu Bionic): | |
status: | New → Confirmed |
Changed in quassel (Ubuntu Artful): | |
status: | New → Confirmed |
Changed in quassel (Ubuntu Trusty): | |
importance: | Undecided → High |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in quassel (Ubuntu Artful): | |
importance: | Undecided → High |
Changed in quassel (Ubuntu Bionic): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in quassel (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in quassel (Ubuntu Bionic): | |
importance: | Undecided → High |
Changed in quassel (Ubuntu Xenial): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Changed in quassel (Ubuntu Artful): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
Simon Quigley (tsimonq2) wrote : | #2 |
Changed in quassel (Ubuntu Trusty): | |
assignee: | Simon Quigley (tsimonq2) → Scott Kitterman (kitterman) |
Changed in quassel (Ubuntu Trusty): | |
assignee: | Scott Kitterman (kitterman) → Steve Beattie (sbeattie) |
Steve Beattie (sbeattie) wrote : | #3 |
Thanks Scott. I've gone ahead and built this package in the https:/
Thanks again!
Scott Kitterman (kitterman) wrote : Re: [Bug 1767539] Re: Security fixes from 0.12.5 require backfit to earlier releases | #4 |
On Wednesday, May 02, 2018 07:27:36 AM you wrote:
> Thanks Scott. I've gone ahead and built this package in the
> https:/
> given the large amount of code around the introduced deserializer, I'd
> like to see a successful test report before publishing to trusty-
> security.
I'm running a patched version now. The same patch has been released by
Debian.
Scott K
Steve Beattie (sbeattie) wrote : | #6 |
On Thu, May 03, 2018 at 04:21:35AM -0000, Scott Kitterman wrote:
> On Wednesday, May 02, 2018 07:27:36 AM you wrote:
> > Thanks Scott. I've gone ahead and built this package in the
> > https:/
> > given the large amount of code around the introduced deserializer, I'd
> > like to see a successful test report before publishing to trusty-
> > security.
>
> I'm running a patched version now. The same patch has been released by
> Debian.
Scott, thanks for the feedback. Publishing now.
Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package quassel - 0.10.0-0ubuntu2.3
---------------
quassel (0.10.0-0ubuntu2.3) trusty-security; urgency=medium
* SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
qdatastream (LP: #1767539)
- debian/
upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
- CVE-2018-1000178
* SECURITY UPDATE: quasselcore, denial of service for unconfigured core
(LP: #1767539)
- debian/
_
for non-C++ 11 systems by Felix Geyer
- CVE-2018-1000179
-- Scott Kitterman <email address hidden> Fri, 27 Apr 2018 20:25:50 -0400
Changed in quassel (Ubuntu Trusty): | |
status: | Confirmed → Fix Released |
Changed in quassel (Debian): | |
status: | Confirmed → Fix Released |
Seth Arnold (seth-arnold) wrote : | #7 |
Please re-subscribe ubuntu-
Simon Quigley (tsimonq2) wrote : | #8 |
Uploaded a merge from Debian to Cosmic fixing this: https:/
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package quassel - 1:0.12.5-2ubuntu1
---------------
quassel (1:0.12.5-2ubuntu1) cosmic; urgency=high
* Merge from Debian Sid (LP: #1767539). Remaining changes:
- Dropping of (different) transitional packages since 16.04 LTS released.
- Apparmor profile.
- Ufw profile.
- Change the default channel to #lubuntu.
quassel (1:0.12.5-2) unstable; urgency=high
* Build-depend on qtwebengine5-dev only for archs where it's available.
quassel (1:0.12.5-1) unstable; urgency=high
* New upstream release.
- Fixes a deserialization security vulnerability.
- Fixes a DoS while quassel is starting up.
* Drop Fix_the_
* Build against Qt WebEngine instead of QtWebKit, following upstream.
* Move git repo to salsa.debian.org
-- Simon Quigley <email address hidden> Sun, 13 May 2018 19:52:22 -0500
Changed in quassel (Ubuntu Cosmic): | |
status: | Confirmed → Fix Released |
Changed in quassel (Ubuntu Xenial): | |
assignee: | Simon Quigley (tsimonq2) → nobody |
tags: | added: community-security |
no longer affects: | quassel (Ubuntu Artful) |
Changed in quassel (Ubuntu): | |
assignee: | Simon Quigley (tsimonq2) → nobody |
Changed in quassel (Ubuntu Cosmic): | |
assignee: | Simon Quigley (tsimonq2) → nobody |
Changed in quassel (Ubuntu Bionic): | |
assignee: | Simon Quigley (tsimonq2) → nobody |
Thanks Scott!
Subscribing the security sponsors.