Bug 928728 - (CVE-2015-3427) VUL-0: CVE-2015-3427: quassel: incomplete fix for CVE-2013-4422 sql injection due to reconnection behaviour
(CVE-2015-3427)
VUL-0: CVE-2015-3427: quassel: incomplete fix for CVE-2013-4422 sql injection...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other openSUSE 13.2
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on:
Blocks: CVE-2013-4422
  Show dependency treegraph
 
Reported: 2015-04-27 11:10 UTC by Andreas Stieger
Modified: 2015-05-24 15:05 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
upstream commit 6605882f41331c80f7ac3a6992650a702ec71283 (2.40 KB, patch)
2015-04-27 11:10 UTC, Andreas Stieger
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-04-27 11:10:23 UTC
Created attachment 632455 [details]
upstream commit 6605882f41331c80f7ac3a6992650a702ec71283

via oss-sec http://seclists.org/oss-sec/2015/q2/290

> It's been found that in Quassel, the CVE-2013-4422 was incorrectly
> fixed and that core was still vulnerable to SQL injection on reconnection.
> 
> This has been fixed with commit:
> https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283
> 
> The incomplete bugfix had been released with Quassel 0.9.1:
> http://quassel-irc.org/node/120

No upstream lelease with the completed fix yet.
13.1, 13.2, Factory affected.

(In reply to Tomas Chvatal from bug 845511 comment #3)
> Hey, I am not the maintainer ;-)

Who is it? :-P Let the security team know if a bug is assigned to you that you don't want to or won't fix, or someone in CC can feel free to pick it up.
Comment 1 Andreas Stieger 2015-04-27 11:11:18 UTC
openSUSE only.
Comment 2 Swamp Workflow Management 2015-04-27 22:00:48 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2015-04-28 07:22:43 UTC
CVE-2015-3427 assigned http://seclists.org/oss-sec/2015/q2/291
Comment 4 Tomáš Chvátal 2015-04-28 10:32:13 UTC
I set myself in the meantime as maintainer, so no worries. It was spelicke before, but he is no longer active in community it seems since he left SUSE.

I will fix this during the conference or after :)
Comment 5 Tomáš Chvátal 2015-05-06 11:34:32 UTC
Sec update sent to 13.1 and 13.2 and version bump sent to Factory.
Comment 6 Bernhard Wiedemann 2015-05-06 12:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (928728) was mentioned in
https://build.opensuse.org/request/show/305558 Factory / quassel
Comment 7 Swamp Workflow Management 2015-05-24 15:05:44 UTC
openSUSE-SU-2015:0933-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 928728
CVE References: CVE-2015-3427
Sources used:
openSUSE 13.2 (src):    quassel-0.10.0-3.10.1
openSUSE 13.1 (src):    quassel-0.9.2-22.1