CtcpParser::packedReply in src/core/ctcpparser.cpp in Quassel does not process certain CTCP requests correctly, allowing a remote attacker connected to the same IRC network as the victim to cause a Denial of Service condition by sending specially crafted CTCP requests. This flaw is fixed in git [1] and affects current Fedora releases. [1] http://git.quassel-irc.org/?p=quassel.git;a=commit;h=da215fcb9cd3096a3e223c87577d5d4ab8f8518b
Created quassel tracking bugs for this issue Affects: fedora-all [bug 736869]
This was assigned the name CVE-2011-3354.
I am currently attempting to request maintainership of the Quassel package since it seems the current maintainer has been MIA (according to zodbot on irc) for over 20 weeks. See bug 736874 for the request. Additionally, here is a Koji scratch build of Quassel 0.7.3: http://koji.fedoraproject.org/koji/taskinfo?taskID=3343840 No modification needed to the .spec file beyond bumping the version, if a provenpackager wants to push the update.
Trever, thanks for heads-up, I used my provenpacker foo and updates for all Fedora's are submitted to Bodhi.
This can be closed as the fix is out for a long time.