Ubuntu
quassel package

Clients may be able to access buffers belonging to other users

Lucid (10.04)
Bug #1255362

Bug #1255362 reported by Scott Kitterman on 2013-11-27

260

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	quassel (Ubuntu)	Fix Released	High	Scott Kitterman
	Lucid	Won't Fix	High	Scott Kitterman
	Precise	Fix Released	High	Scott Kitterman
	Quantal	Fix Released	High	Scott Kitterman
	Raring	Won't Fix	High	Scott Kitterman
	Saucy	Fix Released	High	Scott Kitterman
	Trusty	Fix Released	High	Scott Kitterman

Bug Description

A manipulated, but properly authenticated client was able to retrieve
the backlog of other users on the same core in some cases by providing
an appropriate BufferID to the storage engine. Note that proper
authentication was still required, so exploiting this requires
malicious users on your core.

Fixed upstream in 0.9.2.

Related branches

lp:~ubuntu-dev/quassel/ubuntu

lp:ubuntu/trusty-proposed/quassel

lp:ubuntu/precise-security/quassel

lp:ubuntu/quantal-security/quassel

lp:ubuntu/saucy-security/quassel

CVE References

2013-6404

Scott Kitterman (kitterman) on 2013-11-27

Changed in quassel (Ubuntu):
assignee:	nobody → Scott Kitterman (kitterman)
importance:	Undecided → High
status:	New → Triaged
Changed in quassel (Ubuntu Lucid):
status:	New → Triaged
Changed in quassel (Ubuntu Precise):
status:	New → Triaged
Changed in quassel (Ubuntu Quantal):
status:	New → Triaged
Changed in quassel (Ubuntu Raring):
status:	New → Triaged
Changed in quassel (Ubuntu Saucy):
status:	New → Triaged
Changed in quassel (Ubuntu Lucid):
importance:	Undecided → High
Changed in quassel (Ubuntu Precise):
importance:	Undecided → High
Changed in quassel (Ubuntu Quantal):
importance:	Undecided → High
Changed in quassel (Ubuntu Raring):
importance:	Undecided → High
Changed in quassel (Ubuntu Saucy):
importance:	Undecided → High
Changed in quassel (Ubuntu Lucid):
assignee:	nobody → Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Precise):
assignee:	nobody → Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Quantal):
assignee:	nobody → Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Raring):
assignee:	nobody → Scott Kitterman (kitterman)
Changed in quassel (Ubuntu Saucy):
assignee:	nobody → Scott Kitterman (kitterman)

Scott Kitterman (kitterman) on 2013-11-27

Changed in quassel (Ubuntu Trusty):
status:	Triaged → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2013-11-27:

#1

This bug was fixed in the package quassel - 0.9.2-0ubuntu1

---------------
quassel (0.9.2-0ubuntu1) trusty; urgency=low

* New upstream release
- Includes fix for cross-user data exposure in the core (LP: #1255362)
-- Scott Kitterman <email address hidden> Tue, 26 Nov 2013 19:56:06 -0500

Changed in quassel (Ubuntu Trusty):
status:	In Progress → Fix Released

Revision history for this message

Felix Geyer (debfx) wrote on 2013-11-28:

#2

CVE-2013-6404 has been assigned to this vulnerability.

Revision history for this message

Felix Geyer (debfx) wrote on 2014-01-04:

#3

Scott, any news on this?
Do you want me to take over preparing the updates?

Revision history for this message

Felix Geyer (debfx) wrote on 2014-01-16:

#4

I've prepared and tested updates for precise, quantal and saucy.

Revision history for this message

Felix Geyer (debfx) wrote on 2014-01-16:

#5

quassel_0.8.0-0ubuntu1.1.debdiff Edit (3.5 KiB, text/plain)

Revision history for this message

Felix Geyer (debfx) wrote on 2014-01-16:

#6

quassel_0.8.0-0ubuntu2.1.debdiff Edit (3.5 KiB, text/plain)

Revision history for this message

Felix Geyer (debfx) wrote on 2014-01-16:

#7

quassel_0.9.1-0ubuntu1.1.debdiff Edit (3.4 KiB, text/plain)

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2014-01-17:

#8

ACK on the debdiffs, they are currently building and will be released once done.

Thanks!

Changed in quassel (Ubuntu Lucid):
status:	Triaged → Won't Fix
Changed in quassel (Ubuntu Raring):
status:	Triaged → Won't Fix

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-01-20:

#9

This bug was fixed in the package quassel - 0.8.0-0ubuntu2.1

---------------
quassel (0.8.0-0ubuntu2.1) quantal-security; urgency=low

  * SECURITY UPDATE: clients can access backlogs belonging to other users
    - debian/patches/CVE-2013-6404.patch: add upstream patch
    - CVE-2013-6404
    - LP: #1255362
-- Felix Geyer <email address hidden> Thu, 16 Jan 2014 21:44:27 +0100

Changed in quassel (Ubuntu Quantal):
status:	Triaged → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-01-20:

#10

This bug was fixed in the package quassel - 0.9.1-0ubuntu1.1

---------------
quassel (0.9.1-0ubuntu1.1) saucy-security; urgency=low

  * SECURITY UPDATE: clients can access backlogs belonging to other users
    - debian/patches/CVE-2013-6404.patch: add upstream patch
    - CVE-2013-6404
    - LP: #1255362
-- Felix Geyer <email address hidden> Thu, 16 Jan 2014 21:46:04 +0100

Changed in quassel (Ubuntu Saucy):
status:	Triaged → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2014-01-20:

#11

This bug was fixed in the package quassel - 0.8.0-0ubuntu1.1

---------------
quassel (0.8.0-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: clients can access backlogs belonging to other users
    - debian/patches/CVE-2013-6404.patch: add upstream patch
    - CVE-2013-6404
    - LP: #1255362
-- Felix Geyer <email address hidden> Thu, 16 Jan 2014 21:34:52 +0100

Changed in quassel (Ubuntu Precise):
status:	Triaged → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.