Bugzilla – Bug 852847
VUL-0: CVE-2013-6404: quassel: manipulated clients can access backlog of all users on a shared core
Last modified: 2015-02-18 23:01:22 UTC
CVE-2013-6404 A Quassel core (server daemon) supports being used by multiple users, who all have independent settings, backlog and so on. The backlog is stored in a database shared by all users on a Quassel core, tagged with a user ID. However, some SQL queries didn't check for the correct user ID being provided. An authenticated malicious user with a custom client could access the backlog of all users.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6404
https://bugzilla.redhat.com/show_bug.cgi?id=1035577
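To illustrate the class of defect described above (a backlog query that filters only on a client-supplied buffer id and never on the authenticated user), here is an added example that is not Quassel's code: a constructed SQLite schema with the unchecked query pattern beside a version scoped to the session's user id. Table and column names are assumptions for this example.

```python
import sqlite3

# Constructed schema loosely modelled on a multi-user backlog store: every
# buffer belongs to one core user, and backlog rows hang off a buffer.
# Table and column names are assumptions for this example, not Quassel's.
SCHEMA = """
CREATE TABLE quasseluser (userid INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE buffer (bufferid INTEGER PRIMARY KEY, userid INTEGER NOT NULL,
                     buffername TEXT);
CREATE TABLE backlog (messageid INTEGER PRIMARY KEY, bufferid INTEGER NOT NULL,
                      message TEXT);
-- constructed sample data: two users, one buffer each, one message each
INSERT INTO quasseluser VALUES (1, 'alice'), (2, 'bob');
INSERT INTO buffer VALUES (10, 1, '#alice-private'), (20, 2, '#bob-private');
INSERT INTO backlog VALUES (100, 10, 'alice secret'), (200, 20, 'bob secret');
"""


def make_core_db():
    """Build the in-memory backlog database used by the functions below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def request_backlog_unchecked(conn, bufferid):
    """Pre-fix pattern: the query trusts the client-supplied bufferid and never
    consults the authenticated user's id, so any logged-in user of the shared
    core can read any buffer's backlog."""
    rows = conn.execute("SELECT message FROM backlog WHERE bufferid = ?", (bufferid,))
    return [r[0] for r in rows]


def request_backlog_checked(conn, userid, bufferid):
    """Fixed pattern: join through the buffer table and require that the buffer
    belongs to the authenticated user (taken from the server-side session,
    never from the client), so a foreign bufferid yields no rows."""
    rows = conn.execute(
        "SELECT bl.message FROM backlog bl "
        "JOIN buffer b ON b.bufferid = bl.bufferid "
        "WHERE bl.bufferid = ? AND b.userid = ?",
        (bufferid, userid),
    )
    return [r[0] for r in rows]
```

The same ownership check belongs on every backlog-reading query a client can reach, since one unscoped query is enough to expose the whole shared store.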
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (852847) was mentioned in https://build.opensuse.org/request/show/210377 13.1 / quassel
Note that Factory already contains Quassel 0.9.2 which has this vulnerability fixed, so maybe it's easier to just update to this version.
This is an autogenerated message for OBS integration: This bug (852847) was mentioned in https://build.opensuse.org/request/show/210554 13.1 / quassel
The patch was accepted for openSUSE:13.1:Update and factory already has a fixed 0.9.2, so I'm marking this bug as resolved.
openSUSE-SU-2013:1929-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 852847 CVE References: CVE-2013-6404 Sources used: openSUSE 13.1 (src): quassel-0.9.1-8.2