Security fixes from 0.12.5 require backfit to earlier releases

Thanks Scott!

Subscribing the security sponsors.

Thanks Scott. I've gone ahead and built this package in the https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ ; given the large amount of code around the introduced deserializer, I'd like to see a successful test report before publishing to trusty-security.

Thanks again!

On Wednesday, May 02, 2018 07:27:36 AM you wrote:
> Thanks Scott. I've gone ahead and built this package in the
> https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ ;
> given the large amount of code around the introduced deserializer, I'd
> like to see a successful test report before publishing to trusty-
> security.

I'm running a patched version now. The same patch has been released by
Debian.

Scott K

On Thu, May 03, 2018 at 04:21:35AM -0000, Scott Kitterman wrote:
> On Wednesday, May 02, 2018 07:27:36 AM you wrote:
> > Thanks Scott. I've gone ahead and built this package in the
> > https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ ;
> > given the large amount of code around the introduced deserializer, I'd
> > like to see a successful test report before publishing to trusty-
> > security.
>
> I'm running a patched version now. The same patch has been released by
> Debian.

Scott, thanks for the feedback. Publishing now.

This bug was fixed in the package quassel - 0.10.0-0ubuntu2.3

---------------
quassel (0.10.0-0ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
    qdatastream (LP: #1767539)
    - debian/patches/Implement_custom_deserializer.patch: Original patch from
      upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
    - CVE-2018-1000178
  * SECURITY UPDATE: quasselcore, denial of service for unconfigured core
    (LP: #1767539)
    - debian/patches/Reject_clients_that_attempt_to_login_before_the_core_is
      _configured.patch: Original patch from upstream 0.12.5 release, adapted
      for non-C++ 11 systems by Felix Geyer
    - CVE-2018-1000179

 -- Scott Kitterman <email address hidden> Fri, 27 Apr 2018 20:25:50 -0400

Please re-subscribe ubuntu-security-sponsors when further updates are attached. Thanks.

Uploaded a merge from Debian to Cosmic fixing this: https://launchpad.net/ubuntu/+source/quassel/1:0.12.5-2ubuntu1

This bug was fixed in the package quassel - 1:0.12.5-2ubuntu1

---------------
quassel (1:0.12.5-2ubuntu1) cosmic; urgency=high

  * Merge from Debian Sid (LP: #1767539). Remaining changes:
    - Dropping of (different) transitional packages since 16.04 LTS released.
    - Apparmor profile.
    - Ufw profile.
    - Change the default channel to #lubuntu.

quassel (1:0.12.5-2) unstable; urgency=high

  * Build-depend on qtwebengine5-dev only for archs where it's available.

quassel (1:0.12.5-1) unstable; urgency=high

  * New upstream release.
    - Fixes a deserialization security vulnerability.
    - Fixes a DoS while quassel is starting up.
  * Drop Fix_the_ssl_check_with_Qt_5.6_and_gcc_5.patch, applied upstream.
  * Build against Qt WebEngine instead of QtWebKit, following upstream.
  * Move git repo to salsa.debian.org

 -- Simon Quigley <email address hidden> Sun, 13 May 2018 19:52:22 -0500