[Bug 1767539] [NEW] Security fixes from 0.12.5 require backfit to earlier releases
Scott Kitterman
ubuntu at kitterman.com
Sat Apr 28 00:43:06 UTC 2018
*** This bug is a security vulnerability ***
Public security bug reported:
A recent upstream release contains two security fixes. All supported
Ubuntu releases are affected.

  * SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
    qdatastream
    - debian/patches/Implement_custom_deserializer.patch: Original patch from
      upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
    - CVE requested by upstream
  * SECURITY UPDATE: quasselcore, denial of service for unconfigured core
    - debian/patches/Reject_clients_that_attempt_to_login_before_the_core_is_configured.patch:
      Original patch from upstream 0.12.5 release, adapted for non-C++ 11
      systems by Felix Geyer
    - CVE requested by upstream

I'll be attaching a debdiff for Trusty, but not later releases as that
is the only Ubuntu release I still have an interest in. Note that the
debian/changelog doesn't have the LP bug number in it since I haven't
filed it yet. The trusty fix is based on the Debian patches for Jessie
(Debian 8):
https://salsa.debian.org/qt-kde-team/kde-extras/quassel/tree/jessie
I'm running the fixed version now.
** Affects: quassel (Ubuntu)
Importance: Undecided
Status: New
** Affects: quassel (Ubuntu Trusty)
Importance: Undecided
Status: Confirmed
** Affects: quassel (Ubuntu Xenial)
Importance: Undecided
Status: New
** Affects: quassel (Ubuntu Artful)
Importance: Undecided
Status: New
** Affects: quassel (Ubuntu Bionic)
Importance: Undecided
Status: New
** Affects: quassel (Debian)
Importance: Unknown
Status: Unknown
** Tags: patch
** Patch added: "Trusty fix"
https://bugs.launchpad.net/bugs/1767539/+attachment/5129007/+files/quassel.security.debdiff
** Also affects: quassel (Ubuntu Bionic)
Importance: Undecided
Status: Confirmed
** Also affects: quassel (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: quassel (Ubuntu Artful)
Importance: Undecided
Status: New
** Also affects: quassel (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: quassel (Ubuntu Trusty)
Status: New => Confirmed
** Changed in: quassel (Ubuntu Bionic)
Status: Confirmed => New
--
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to quassel in Ubuntu.
https://bugs.launchpad.net/bugs/1767539