2-4 security vulnerabilities discovered in April 2018 never got fixed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
quassel (Ubuntu) | New | Undecided | Unassigned |
Bug Description
According to the GitHub changelog, there were 2 security vulnerabilities fixed in 0.12.5 in April 2018:
https:/
But Ubuntu 16.04 never got an update or security fix.
The last update was, according to xenial's changelog, in May 2015:
http://
The security fixes are also not in Ubuntu 18.04 bionic.
The last change was in February 2018:
http://
But Debian SID got these security fixes in April 2018:
https:/
Thus we can conclude that the vulnerabilities were never fixed, neither in Ubuntu 16.04 LTS nor in Ubuntu 18.04 LTS.
BTW, Debian stable (stretch) got these fixes in April 2018 too:
https:/
The changelog in Debian stable has the following entry:
"* Backport upstream commit to implement a custom deserializer.
Fixes possible remote code execution. (Closes: #896914)
* Backport upstream commit to reject client logins before the core is
configured. Fixes a DoS vulnerability. (Closes: #896915)
* Backport upstream commit to fix OpenSSL detection with Qt 5.6 and GCC 5."
Also keep in mind that WebKit, which quassel 12.2 is linked against, might also have vulnerability issues because of lack of maintenance. That's why the developer of quassel dropped the use of WebKit in 12.5.
In Debian sid they stopped using WebKit with the quassel version update to 0.12.5-1.
The changelog entry has the following text for this:
"Build against Qt WebEngine instead of QtWebKit, following upstream."
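The report's method is to read the distribution changelogs and decide, from the package versions, whether a given Ubuntu build predates the fixing upload. The script below is an added example (not part of this report, of Ubuntu, or of the quassel project) that automates that check: it implements the dpkg version ordering from Debian Policy section 5.6.12 and scans a debian/changelog for "Closes: #NNN" markers to find the first version that closed a bug. The changelog text, version strings and maintainer line in CHANGELOG_SAMPLE are constructed for the example, modelled on the entry quoted above; they are not the real stretch or xenial changelog.

```python
"""Check whether an installed Debian/Ubuntu package version carries a fix.

Added example, not code from the Launchpad report or from quassel.
Version ordering follows the dpkg algorithm (Debian Policy 5.6.12).
"""
import functools
import re

# Constructed sample changelog; versions and maintainer are invented.
CHANGELOG_SAMPLE = """\
quassel (0.12.4-2+deb9u1) stretch-security; urgency=high

  * Backport upstream commit to implement a custom deserializer.
    Fixes possible remote code execution. (Closes: #896914)
  * Backport upstream commit to reject client logins before the core is
    configured. Fixes a DoS vulnerability. (Closes: #896915)

 -- Example Maintainer <maint@example.org>  Mon, 23 Apr 2018 00:00:00 +0000

quassel (0.12.4-2) unstable; urgency=medium

  * Earlier upload (constructed sample entry, closes nothing).

 -- Example Maintainer <maint@example.org>  Mon, 01 May 2017 00:00:00 +0000
"""


def _order(c):
    """dpkg sort weight of one character in a non-digit run."""
    if c is None or c.isdigit():
        return 0              # end of string and digits both weigh 0
    if c == "~":
        return -1             # '~' sorts before everything, even the end
    if c.isalpha():
        return ord(c)
    return ord(c) + 256       # punctuation sorts after letters


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings like dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # alternate: a run of non-digits, then a run of digits
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1          # a has a longer number, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def deb_version_cmp(v1, v2):
    """Return -1, 0 or 1 for v1 <, ==, > v2 in dpkg ordering."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


_HEADER = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)
_CLOSES = re.compile(r"Closes:((?:\s*,?\s*#\d+)+)", re.I)


def parse_changelog(text):
    """Yield (version, entry_body) for each changelog entry."""
    heads = list(_HEADER.finditer(text))
    for k, h in enumerate(heads):
        end = heads[k + 1].start() if k + 1 < len(heads) else len(text)
        yield h.group(2), text[h.end():end]


def bugs_closed(body):
    """Set of Debian bug numbers named in 'Closes:' markers of one entry."""
    out = set()
    for m in _CLOSES.finditer(body):
        out.update(int(n) for n in re.findall(r"#(\d+)", m.group(1)))
    return out


def first_fix_version(changelog, bug):
    """Lowest version whose entry closes `bug`, or None if no entry does."""
    fixes = [v for v, body in parse_changelog(changelog) if bug in bugs_closed(body)]
    return min(fixes, key=functools.cmp_to_key(deb_version_cmp)) if fixes else None


def is_fixed(installed, changelog, bug):
    fix = first_fix_version(changelog, bug)
    return fix is not None and deb_version_cmp(installed, fix) >= 0


def missing_fixes(installed, changelog, bugs):
    """Bugs from `bugs` that `installed` does not yet carry a fix for."""
    return sorted(b for b in bugs if not is_fixed(installed, changelog, b))


if __name__ == "__main__":
    for ver in ("0.12.4-2", "0.12.4-2+deb9u1", "0.12.5-1"):
        print(ver, "missing:", missing_fixes(ver, CHANGELOG_SAMPLE, [896914, 896915]))
```

In practice you would feed `missing_fixes` the output of `apt-get changelog` (or the sid changelog from the Debian tracker) together with the version reported by `dpkg-query -W quassel`; the changelog of the newer distribution tells you the first fixing version, and the dpkg ordering (epochs, `~` pre-release suffixes, `+deb9u1` style security revisions) decides whether your installed version is at or above it.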
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures