Bug 928728 (CVE-2015-3427) - VUL-0: CVE-2015-3427: quassel: incomplete fix for CVE-2013-4422 sql injection due to reconnection behaviour
Summary: VUL-0: CVE-2015-3427: quassel: incomplete fix for CVE-2013-4422 sql injection...
Status: RESOLVED FIXED
Alias: CVE-2015-3427
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other openSUSE 13.2
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2013-4422
  Show dependency treegraph
 
Reported: 2015-04-27 11:10 UTC by Andreas Stieger
Modified: 2015-05-24 15:05 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
upstream commit 6605882f41331c80f7ac3a6992650a702ec71283 (2.40 KB, patch)
2015-04-27 11:10 UTC, Andreas Stieger 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-04-27 11:10:23 UTC 
Created attachment 632455 [details]
upstream commit 6605882f41331c80f7ac3a6992650a702ec71283

via oss-sec http://seclists.org/oss-sec/2015/q2/290

> It's been found that in Quassel, the CVE-2013-4422 was incorrectly
> fixed and that core was still vulnerable to SQL injection on reconnection.
> 
> This has been fixed with commit:
> https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283
> 
> The incomplete bugfix had been released with Quassel 0.9.1:
> http://quassel-irc.org/node/120

No upstream lelease with the completed fix yet.
13.1, 13.2, Factory affected.

(In reply to Tomas Chvatal from bug 845511 comment #3)
> Hey, I am not the maintainer ;-)

Who is it? :-P Let the security team know if a bug is assigned to you that you don't want to or won't fix, or someone in CC can feel free to pick it up.
Comment 1 Andreas Stieger 2015-04-27 11:11:18 UTC 
openSUSE only.
Comment 2 Swamp Workflow Management 2015-04-27 22:00:48 UTC 
bugbot adjusting priority
Comment 3 Andreas Stieger 2015-04-28 07:22:43 UTC 
CVE-2015-3427 assigned http://seclists.org/oss-sec/2015/q2/291
Comment 4 Tomáš Chvátal 2015-04-28 10:32:13 UTC 
I set myself in the meantime as maintainer, so no worries. It was spelicke before, but he is no longer active in community it seems since he left SUSE.

I will fix this during the conference or after :)
Comment 5 Tomáš Chvátal 2015-05-06 11:34:32 UTC 
Sec update sent to 13.1 and 13.2 and version bump sent to Factory.
Comment 6 Bernhard Wiedemann 2015-05-06 12:00:08 UTC 
This is an autogenerated message for OBS integration:
This bug (928728) was mentioned in
https://build.opensuse.org/request/show/305558 Factory / quassel
Comment 7 Swamp Workflow Management 2015-05-24 15:05:44 UTC 
openSUSE-SU-2015:0933-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 928728
CVE References: CVE-2015-3427
Sources used:
openSUSE 13.2 (src):    quassel-0.10.0-3.10.1
openSUSE 13.1 (src):    quassel-0.9.2-22.1