Bug 636942 (CVE-2010-3443) - CVE-2010-3443 quassel: multiple CTCP requests may lead to DoS
Summary: CVE-2010-3443 quassel: multiple CTCP requests may lead to DoS
Status: CLOSED ERRATA
Alias: CVE-2010-3443
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100921,reported=20100923,sou...
Keywords: Security
Depends On: 636944
Blocks:
 
Reported: 2010-09-23 18:15 UTC by Vincent Danen
Modified: 2011-06-14 17:05 UTC (History)
CC: 3 users
Clone Of:
Last Closed: 2011-06-14 17:05:17 UTC



Description Vincent Danen 2010-09-23 18:15:11 UTC
Quassel is vulnerable to a denial of service if it receives multiple CTCP requests in one PRIVMSG. The new versions of Quassel (0.6.3 and 0.7) now answer with one packed NOTICE response containing all CTCP replies.

This affects Quassel as provided by Fedora.

References:

[1] http://quassel-irc.org/node/115
[2] http://bugs.quassel-irc.org/issues/1024
[3] http://bugs.quassel-irc.org/projects/quassel-irc/repository/revisions/fdec4a88742d1586a5fdfad767151c72a4a82af2/diff
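
The amplification described above and the packed-NOTICE mitigation, as an added example that is not Quassel's code: a PRIVMSG body carrying N CTCP requests gets N NOTICE lines from the old behaviour and exactly one from the fixed behaviour. The reply strings and the 510-byte line budget (from the IRC 512-byte line limit, not from this bug) are assumptions.

```python
# Added example, not Quassel's code. Models the CTCP reply path of an IRC client.
CTCP_DELIM = "\x01"

# Constructed, fixed-size replies for the CTCP requests this client answers.
CTCP_REPLIES = {
    "VERSION": "VERSION ExampleClient 1.0",
    "TIME": "TIME 2010-09-23 18:15:11 UTC",
}

def parse_ctcp_requests(privmsg_text):
    """Return the CTCP request segments (\x01...\x01) found in a PRIVMSG body."""
    parts = privmsg_text.split(CTCP_DELIM)
    # Text at odd indices lies between a pair of delimiters (a trailing
    # unterminated segment is accepted as well, as most clients do).
    return [p for i, p in enumerate(parts) if i % 2 == 1 and p]

def ctcp_reply(request):
    """Build the reply for one CTCP request, or None for an unknown type."""
    cmd, _, arg = request.partition(" ")
    cmd = cmd.upper()
    if cmd == "PING":
        return "PING " + arg  # PING echoes its argument
    return CTCP_REPLIES.get(cmd)

def reply_per_request(nick, privmsg_text):
    """Pre-fix behaviour: one NOTICE per CTCP request, so one incoming line
    fans out into N outgoing lines (the DoS / flood-protection trigger)."""
    replies = [r for r in map(ctcp_reply, parse_ctcp_requests(privmsg_text)) if r]
    return [f"NOTICE {nick} :{CTCP_DELIM}{r}{CTCP_DELIM}" for r in replies]

def reply_packed(nick, privmsg_text, max_line=510):
    """Fixed behaviour: all CTCP replies packed into a single NOTICE.
    Replies that would push the line past max_line are dropped rather than
    spilling into further lines (max_line is an assumed IRC line budget)."""
    replies = [r for r in map(ctcp_reply, parse_ctcp_requests(privmsg_text)) if r]
    prefix = f"NOTICE {nick} :"
    body = ""
    for r in replies:
        segment = CTCP_DELIM + r + CTCP_DELIM
        if len(prefix) + len(body) + len(segment) > max_line:
            break
        body += segment
    return [prefix + body] if body else []

if __name__ == "__main__":
    msg = CTCP_DELIM.join(["", "VERSION", "", "PING 42", "", "TIME", ""])  # constructed
    print(len(reply_per_request("sender", msg)), "lines before the fix")
    print(len(reply_packed("sender", msg)), "line after the fix")
```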

Comment 1 Vincent Danen 2010-09-23 18:16:21 UTC
Created quassel tracking bugs for this issue

Affects: fedora-all [bug 636944]

Comment 2 Vincent Danen 2010-10-01 19:59:26 UTC
This has been assigned the name CVE-2010-3443.

Comment 3 Joonas Sarajärvi 2010-10-25 06:51:23 UTC
This was reported over a month ago, and there is a bugfix release available that claims to fix this. Could the updated version be made available at least in Fedora 13 updates-testing?

Comment 4 Vincent Danen 2011-06-14 17:05:17 UTC
Fixed in Fedora, 20111107, via quassel-0.7.1-1.fc* (new upstream version)

