Security fixes from 0.12.5 require backfit to earlier releases

Bug #1767539 reported by Scott Kitterman on 2018-04-28
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
quassel (Debian)
Fix Released
Unknown
quassel (Ubuntu)
High
Simon Quigley
Trusty
High
Steve Beattie
Xenial
High
Unassigned
Bionic
High
Simon Quigley
Cosmic
High
Simon Quigley

Bug Description

A recent upstream release contains two security fixes. All supported Ubuntu releases are affected.

  * SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
    qdatastream
    - debian/patches/Implement_custom_deserializer.patch: Original patch from
      upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
    - CVE requested by upstream
  * SECURITY UPDATE: quasselcore, denial of service for unconfigure core
    - debian/patches/Reject_clients_that_attempt_to_login_before_the_core_is
      _configured.patch: Original patch from upstream 0.12.5 release, adapted
      for non-C++ 11 systems by Felix Geyer
    - CVE requested by upstream

I'll be attaching a debdiff for Trusty, but not later releases as that is the only Ubuntu release I still have an interest in. Note that the debian/changelog doesn't have the LP bug number in it since I haven't filed it yet. The trusty fix is based on the Debian patches for Jessie (Debian 8):

https://salsa.debian.org/qt-kde-team/kde-extras/quassel/tree/jessie

I'm running the fixed version now.

CVE References

Scott Kitterman (kitterman) wrote :
Changed in quassel (Ubuntu Trusty):
status: New → Confirmed
Changed in quassel (Ubuntu Bionic):
status: Confirmed → New
tags: added: patch
Changed in quassel (Debian):
status: Unknown → Confirmed
Simon Quigley (tsimonq2) on 2018-04-28
Changed in quassel (Ubuntu Xenial):
status: New → Confirmed
Changed in quassel (Ubuntu Bionic):
status: New → Confirmed
Changed in quassel (Ubuntu Artful):
status: New → Confirmed
Changed in quassel (Ubuntu Trusty):
importance: Undecided → High
assignee: nobody → Simon Quigley (tsimonq2)
Changed in quassel (Ubuntu Artful):
importance: Undecided → High
Changed in quassel (Ubuntu Bionic):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in quassel (Ubuntu Xenial):
importance: Undecided → High
Changed in quassel (Ubuntu Bionic):
importance: Undecided → High
Changed in quassel (Ubuntu Xenial):
assignee: nobody → Simon Quigley (tsimonq2)
Changed in quassel (Ubuntu Artful):
assignee: nobody → Simon Quigley (tsimonq2)
Simon Quigley (tsimonq2) wrote :

Thanks Scott!

Subscribing the security sponsors.

Changed in quassel (Ubuntu Trusty):
assignee: Simon Quigley (tsimonq2) → Scott Kitterman (kitterman)
Steve Beattie (sbeattie) on 2018-05-02
Changed in quassel (Ubuntu Trusty):
assignee: Scott Kitterman (kitterman) → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) wrote :

Thanks Scott. I've gone ahead and built this package in the https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ ; given the large amount of code around the introduced deserializer, I'd like to see a successful test report before publishing to trusty-security.

Thanks again!

On Wednesday, May 02, 2018 07:27:36 AM you wrote:
> Thanks Scott. I've gone ahead and built this package in the
> https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ ;
> given the large amount of code around the introduced deserializer, I'd
> like to see a successful test report before publishing to trusty-
> security.

I'm running a patched version now. The same patch has been released by
Debian.

Scott K

Steve Beattie (sbeattie) wrote :

On Thu, May 03, 2018 at 04:21:35AM -0000, Scott Kitterman wrote:
> On Wednesday, May 02, 2018 07:27:36 AM you wrote:
> > Thanks Scott. I've gone ahead and built this package in the
> > https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ ;
> > given the large amount of code around the introduced deserializer, I'd
> > like to see a successful test report before publishing to trusty-
> > security.
>
> I'm running a patched version now. The same patch has been released by
> Debian.

Scott, thanks for the feedback. Publishing now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.10.0-0ubuntu2.3

---------------
quassel (0.10.0-0ubuntu2.3) trusty-security; urgency=medium

  * SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
    qdatastream (LP: #1767539)
    - debian/patches/Implement_custom_deserializer.patch: Original patch from
      upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
    - CVE-2018-1000178
  * SECURITY UPDATE: quasselcore, denial of service for unconfigured core
    (LP: #1767539)
    - debian/patches/Reject_clients_that_attempt_to_login_before_the_core_is
      _configured.patch: Original patch from upstream 0.12.5 release, adapted
      for non-C++ 11 systems by Felix Geyer
    - CVE-2018-1000179

 -- Scott Kitterman <email address hidden> Fri, 27 Apr 2018 20:25:50 -0400

Changed in quassel (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in quassel (Debian):
status: Confirmed → Fix Released
Seth Arnold (seth-arnold) wrote :

Please re-subscribe ubuntu-security-sponsors when further updates are attached. Thanks.

Simon Quigley (tsimonq2) wrote :

Uploaded a merge from Debian to Cosmic fixing this: https://launchpad.net/ubuntu/+source/quassel/1:0.12.5-2ubuntu1

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 1:0.12.5-2ubuntu1

---------------
quassel (1:0.12.5-2ubuntu1) cosmic; urgency=high

  * Merge from Debian Sid (LP: #1767539). Remaining changes:
    - Dropping of (different) transitional packages since 16.04 LTS released.
    - Apparmor profile.
    - Ufw profile.
    - Change the default channel to #lubuntu.

quassel (1:0.12.5-2) unstable; urgency=high

  * Build-depend on qtwebengine5-dev only for archs where it's available.

quassel (1:0.12.5-1) unstable; urgency=high

  * New upstream release.
    - Fixes a deserialization security vulnerability.
    - Fixes a DoS while quassel is starting up.
  * Drop Fix_the_ssl_check_with_Qt_5.6_and_gcc_5.patch, applied upstream.
  * Build against Qt WebEngine instead of QtWebKit, following upstream.
  * Move git repo to salsa.debian.org

 -- Simon Quigley <email address hidden> Sun, 13 May 2018 19:52:22 -0500

Changed in quassel (Ubuntu Cosmic):
status: Confirmed → Fix Released
Simon Quigley (tsimonq2) on 2018-05-15
Changed in quassel (Ubuntu Xenial):
assignee: Simon Quigley (tsimonq2) → nobody
Simon Quigley (tsimonq2) on 2018-06-19
tags: added: community-security
Simon Quigley (tsimonq2) on 2018-07-19
no longer affects: quassel (Ubuntu Artful)
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.