Re: CVE Request: Quassel IRC - manipulated clients can access backlog of all users on a shared core
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 28 Nov 2013 01:05:39 -0700
On 11/27/2013 02:37 PM, Manuel Nickschas wrote:
I'd like to request a CVE for the following vulnerability in
Affected versions: all versions prior to 0.9.2 (released
A Quassel core (server daemon) supports being used by multiple
users, who all have independent settings, backlog and so on. The
backlog is stored in a database shared by all users on a Quassel
core, tagged with a user ID. However, some SQL queries didn't check
for the correct user ID being provided.
This has the undesired effect that the Quassel core can be tricked
into providing the backlog for an IRC channel or query that does
not belong to the user session requesting it. Doing this requires a
manipulated client sending appropriately crafted requests to the
core. This client also needs to be properly authenticated, i.e. to
have supplied valid user credentials for one of the users on the
Credit for finding this issue goes to Andrew Hampe.
Fix has been released in 0.9.2.
This patch can be cleanly applied to any version starting from
0.6.0, and easily backported to even older versions by adapting the
schema version number.
Thanks, ~ Manuel Nickschas (Sput)
 <https://github.com/quassel/quassel/commit/a1a24da> 
Please use CVE-2013-6404 for this issue.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
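
Added example, not part of the original message and not Quassel's code: the class of bug described above (backlog rows tagged with a user ID, but a query that never checks it) next to the scoped query, plus a regression check that flags any cross-user read. The table and column names, the sample rows and the use of in-memory SQLite are assumptions made for illustration.

```python
import sqlite3

# Constructed schema and rows for illustration; not Quassel's real schema.
SCHEMA = """
CREATE TABLE buffer  (bufferid INTEGER PRIMARY KEY, userid INTEGER NOT NULL, name TEXT);
CREATE TABLE backlog (messageid INTEGER PRIMARY KEY, bufferid INTEGER NOT NULL, message TEXT);
INSERT INTO buffer  VALUES (1, 100, '#alice-private'), (2, 200, '#bob-private');
INSERT INTO backlog VALUES (1, 1, 'alice: secret'), (2, 2, 'bob: hello');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def backlog_unscoped(db, session_userid, bufferid):
    # Weak form: session_userid is ignored; the client-supplied buffer id
    # alone selects the rows.
    rows = db.execute(
        "SELECT message FROM backlog WHERE bufferid = ? ORDER BY messageid",
        (bufferid,))
    return [r[0] for r in rows]

def backlog_scoped(db, session_userid, bufferid):
    # Corrected form: the buffer must belong to the authenticated session's user.
    rows = db.execute(
        "SELECT b.message FROM backlog b "
        "JOIN buffer f ON f.bufferid = b.bufferid "
        "WHERE b.bufferid = ? AND f.userid = ? ORDER BY b.messageid",
        (bufferid, session_userid))
    return [r[0] for r in rows]

def audit_cross_user_reads(db, query_fn):
    # Regression check: for every (user, buffer) pair where the user does not
    # own the buffer, the query must return nothing. Returns the violations.
    owners = db.execute("SELECT bufferid, userid FROM buffer").fetchall()
    users = {u for _, u in owners}
    return [(u, buf) for buf, owner in owners for u in users
            if u != owner and query_fn(db, u, buf)]

if __name__ == "__main__":
    db = open_db()
    print("unscoped violations:", audit_cross_user_reads(db, backlog_unscoped))
    print("scoped violations:  ", audit_cross_user_reads(db, backlog_scoped))
```

The audit function takes the query function as a parameter, so the same check can be pointed at each data-access routine that accepts a client-supplied identifier.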