Undisclosed ctcp based DoS vulnerability

Bug #629774 reported by Scott Kitterman on 2010-09-03
Affects                     Status  Importance  Assigned to  Milestone
Hardy Backports                     Undecided   Unassigned
Jaunty Jackalope Backports          Undecided   Unassigned
Karmic Backports                    Undecided   Unassigned
quassel (Ubuntu)                    Undecided   Unassigned
  Jaunty                            Undecided   Unassigned
  Karmic                            Undecided   Unassigned
  Lucid                             Undecided   Unassigned
  Maverick                          Undecided   Unassigned

Bug Description

Binary package hint: quassel

The information I have is from one of the upstream developers based on a private vulnerability report they got today.

The CTCP specs allow sending multiple CTCP requests in one IRC message that in return trigger X CTCP replies. If someone sends N msgs all containing X CTCP requests, Quassel will respond with N times X CTCP replies (which is correct by the spec), but that triggers Quassel's spam-protection and queues the messages. The potential impact is that one can block the output. Spamming such messages will delay Quassel's output and IRC interaction. I think the worst case scenario is that Quassel core will ping timeout.

Upstream believes they have a relatively simple, low impact solution, but are conferring among themselves to make sure. They view this as a vulnerability that needs to be fixed, but not particularly urgent and not critical (the only risk is DoS, not any kind of escalation).

Scott Kitterman (kitterman) wrote:

FYI, sputnick is one of the upstream developers working on the issue.

Changed in quassel (Ubuntu):
status: New → Confirmed
Manuel Nickschas (sputnick) wrote:

Mail and patch sent to vendor-sec, with a proposed embargo date of Sept 21st.

Scott Kitterman (kitterman) wrote:

Upstream has released the fix, so this is public now.

Here's the Git commit for the 0.6 branch (what we have in Lucid).

http://git.quassel-irc.org/?p=quassel.git;a=commitdiff;h=a4ca568cdf68cf4a0343eb161518dc8e50cea87d

visibility: private → public
Scott Kitterman (kitterman) wrote:

quassel (0.7.1-0ubuntu1) maverick; urgency=high

  * SECURITY UPDATE:
  * References
  * Upstream Git 0f2c520a76a468d3778e031ebde2d304048e1663
    - If we receive multiple CTCP requests in one PRIVMSG we now answer with
      one packed NOTICE containing all CTCP replies. This fixes a possible
      DoS Attack rendering Quassels IRC connection useless. Upgrading is
      strongly recommended. Thanks to Jima for reporting and supporting

 -- Scott Kitterman <email address hidden> Tue, 21 Sep 2010 08:55:19 -0400

Changed in quassel (Ubuntu):
status: Confirmed → Fix Released
Changed in quassel (Ubuntu Lucid):
status: New → Confirmed
Changed in quassel (Ubuntu Karmic):
status: New → Confirmed
Changed in quassel (Ubuntu Jaunty):
status: New → Confirmed
Changed in karmic-backports:
status: New → Confirmed
Changed in jaunty-backports:
status: New → Confirmed
Changed in hardy-backports:
status: New → Confirmed
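As an added illustration of the fix the changelog above describes (example code written for this page, not Quassel's own), the following C++ snippet parses the CTCP requests embedded in one PRIVMSG and contrasts the pre-fix behaviour (one NOTICE per request) with the fixed behaviour (one packed NOTICE per inbound message). The function names, the delimiter handling and the VERSION/PING reply table are assumptions for illustration.

```cpp
// Added example (not Quassel's code): CTCP request parsing and reply packing.
// Names, the reply table and the parsing leniency are assumptions.
#include <string>
#include <vector>

// CTCP messages are wrapped in \x01 delimiters; a single PRIVMSG may carry
// several of them back to back, e.g. "\x01VERSION\x01\x01PING 1\x01".
static const char CTCP_DELIM = '\x01';

// Extract every CTCP request embedded in a PRIVMSG text. An unterminated
// trailing request is tolerated (the remainder is treated as one request).
std::vector<std::string> parseCtcpRequests(const std::string& text) {
    std::vector<std::string> requests;
    std::string::size_type pos = 0;
    while (pos < text.size()) {
        std::string::size_type start = text.find(CTCP_DELIM, pos);
        if (start == std::string::npos) break;
        std::string::size_type end = text.find(CTCP_DELIM, start + 1);
        std::string body = (end == std::string::npos)
            ? text.substr(start + 1)
            : text.substr(start + 1, end - start - 1);
        if (!body.empty()) requests.push_back(body);
        if (end == std::string::npos) break;
        pos = end + 1;
    }
    return requests;
}

// Build the reply payload for one request. Constructed reply table: a real
// client answers VERSION, PING, TIME, etc. from its own configuration.
std::string ctcpReply(const std::string& request) {
    std::string::size_type sp = request.find(' ');
    std::string tag = request.substr(0, sp);
    std::string arg = (sp == std::string::npos) ? "" : request.substr(sp + 1);
    if (tag == "VERSION") return "VERSION ExampleClient 0.1";
    if (tag == "PING")    return "PING " + arg;  // echo the token back
    return "";                                    // unknown request: no reply
}

// Pre-fix behaviour: one NOTICE per CTCP request. N inbound messages carrying
// X requests each yield N*X outbound lines, which is what trips the client's
// own outbound rate limiter and stalls all other traffic.
std::vector<std::string> repliesUnpacked(const std::string& nick,
                                         const std::string& text) {
    std::vector<std::string> out;
    for (const std::string& req : parseCtcpRequests(text)) {
        std::string reply = ctcpReply(req);
        if (!reply.empty())
            out.push_back("NOTICE " + nick + " :" + CTCP_DELIM + reply + CTCP_DELIM);
    }
    return out;
}

// Fixed behaviour: all replies for one PRIVMSG are concatenated into a single
// NOTICE, so the outbound line count is bounded by the inbound line count
// regardless of how many requests each inbound message carries.
std::vector<std::string> repliesPacked(const std::string& nick,
                                       const std::string& text) {
    std::string payload;
    for (const std::string& req : parseCtcpRequests(text)) {
        std::string reply = ctcpReply(req);
        if (!reply.empty()) payload += CTCP_DELIM + reply + CTCP_DELIM;
    }
    std::vector<std::string> out;
    if (!payload.empty()) out.push_back("NOTICE " + nick + " :" + payload);
    return out;
}
```

With packing, one inbound line can never produce more than one outbound line, so the client's flood protection is no longer driven by the content of a single message. A production client still has to respect the IRC line length limit (512 bytes including CRLF), so a packed NOTICE built from many requests may need to be truncated or split rather than sent as one oversized line.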
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package quassel - 0.6.1-0ubuntu1.1

---------------
quassel (0.6.1-0ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: fix multiple CTCP DoS issue (LP: #629774)
    - debian/patches/10-quassel_multiple_CTCP_DoS_lp629774.patch
 -- Steve Beattie <email address hidden> Tue, 21 Sep 2010 10:00:19 -0700

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package quassel - 0.5.0-0ubuntu1.2

---------------
quassel (0.5.0-0ubuntu1.2) karmic-security; urgency=low

  * SECURITY UPDATE: fix multiple CTCP DoS issue (LP: #629774)
    - debian/patches/10-quassel_multiple_CTCP_DoS_lp629774.patch
 -- Steve Beattie <email address hidden> Tue, 21 Sep 2010 11:47:15 -0700

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package quassel - 0.4.1-0ubuntu3.1

---------------
quassel (0.4.1-0ubuntu3.1) jaunty-security; urgency=low

  * SECURITY UPDATE: fix multiple CTCP DoS issue (LP: #629774)
    - debian/patches/10-quassel_multiple_CTCP_DoS_lp629774.patch
 -- Steve Beattie <email address hidden> Tue, 21 Sep 2010 13:46:14 -0700

Changed in quassel (Ubuntu Jaunty):
status: Confirmed → Fix Released
Changed in quassel (Ubuntu Karmic):
status: Confirmed → Fix Released
Changed in quassel (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in jaunty-backports:
status: Confirmed → Won't Fix
Changed in karmic-backports:
status: Confirmed → Won't Fix
This report contains Public Security information
Everyone can see this security related information.