Bug 1017437 - (CVE-2013-4422) CVE-2013-4422 quassel: potential SQL injection flaw
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 1017438
Reported: 2013-10-09 17:18 EDT by Vincent Danen
Modified: 2015-07-31 03:11 EDT
Doc Type: Bug Fix
Last Closed: 2014-02-27 11:11:45 EST
Description Vincent Danen 2013-10-09 17:18:02 EDT
The following was reported [1] on the oss-security mailing list.  A proposed patch is noted in that report.

Quassel IRC is vulnerable to SQL injection on all current versions
(0.9.0 being the latest at the time of writing), if used with Qt 4.8.5
(the vulnerability is caused by a change in its postgres driver[2,3])
and PostgreSQL 8.2 or later with standard_conforming_strings enabled
(which is the default in those versions). The vulnerability allows
anyone to trick the core into executing SQL queries, which includes
cascade deleting the entire database. It is tracked upstream in bug
#1244 [4]. It was firstly noticed by due to minor issues with
migration to postgres and problems with certain messages, a simple
test with an unmodified installation of postgres and quassel showed
that it was indeed possible to drop tables.

No upstream fix is available at this time, although the below patch
does fix the current issue.

[1] http://www.openwall.com/lists/oss-security/2013/10/09/7
[2] https://qt.gitorious.org/qt/qtbase/commit/e3c5351d06ce8a12f035cd0627356bc64d8c334a
[3] https://bugreports.qt-project.org/browse/QTBUG-30076
[4] http://bugs.quassel-irc.org/issues/1244
Comment 1 Vincent Danen 2013-10-09 17:19:06 EDT
Created quassel tracking bugs for this issue:

Affects: fedora-all [bug 1017438]
Comment 2 Murray McAllister 2013-10-13 23:14:38 EDT
From http://seclists.org/oss-sec/2013/q4/82

For completeness' sake, upstream fixed it [1] and announced a new
release (0.9.1 [2]).

[1] https://github.com/quassel/quassel/commit/aa1008be162cb27da938cce93ba533f54d228869
[2] http://quassel-irc.org/node/120

Note that [2] warns of possible data corruption when using certain package versions due to the changes in string escaping.
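
An added illustration, not code from the report, Quassel or Qt: a simplified model of how PostgreSQL reads backslashes in a quoted literal with standard_conforming_strings on or off, run against two hypothetical escaping styles. It assumes that the flaw in the description and the data-corruption warning above both come from the escaping style and the server setting disagreeing; `quote_only`, `quote_and_backslash`, `classify` and the sample input are constructed for this example.

```python
# Added illustration: simplified model of how PostgreSQL reads a '...' literal.
# Not PostgreSQL's lexer (no E'' strings, no octal/hex/unicode escapes).

def read_literal(sql, scs_on):
    """Parse one quoted literal at the start of sql.
    Returns (decoded_value, text_left_after_the_closing_quote)."""
    if not sql.startswith("'"):
        raise ValueError("not a literal")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and not scs_on and i + 1 < len(sql):
            out.append(sql[i + 1])      # legacy mode: backslash escapes next char
            i += 2
        elif c == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")             # '' is an escaped quote in both modes
            i += 2
        elif c == "'":
            return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated literal")

def quote_only(value):                  # hypothetical escaper: doubles ' only
    return "'" + value.replace("'", "''") + "'"

def quote_and_backslash(value):         # hypothetical escaper: doubles \ and '
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"

def classify(escaper, scs_on, value):
    """'ok', 'corrupted' (value changed) or 'breakout' (text left the literal)."""
    try:
        decoded, rest = read_literal(escaper(value), scs_on)
    except ValueError:
        return "breakout"
    if rest:
        return "breakout"
    return "ok" if decoded == value else "corrupted"

SAMPLE = "nick\\' TRAILING"             # constructed input: backslash, then quote

if __name__ == "__main__":
    for esc in (quote_only, quote_and_backslash):
        for scs_on in (True, False):
            print(esc.__name__, "scs=on" if scs_on else "scs=off",
                  classify(esc, scs_on, SAMPLE))
```

Only the matched pairs come out as "ok"; the mismatched pairs either let text leave the literal or store a changed value. Values sent as bound parameters, separate from the SQL text, do not depend on this setting at all.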
Comment 3 Fedora Update System 2014-02-26 08:46:02 EST
quassel-0.9.2-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2014-02-26 09:03:26 EST
quassel-0.9.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
