Bug#781024: quassel: Denial of service (no CVE yet)

2015-03-31 Thread Olly Betts
On Wed, Apr 01, 2015 at 12:07:12AM +0200, Steinar H. Gunderson wrote:
> On Tue, Mar 31, 2015 at 11:03:01PM +0200, Steinar H. Gunderson wrote:
> > I took the patch from upstream and backported it to the version in sid;
> > this was a fair amount of work as the patch uses C++11 lambdas heavily
> > (and the version in jessie is compiled in C++03 mode; I thought changing
> > this would be too intrusive), but not immediately tricky in itself.
> > There were also some other merge conflicts that I've fixed.
> 
> More eyes: The backported patch has been OKed by two upstream Quassel
> developers, including Michael Marley (original author of the patch).
> So all it needs is some testing from some volunteer and we should be good to
> go.

I use quassel - I'll test with the patch and NMU if it looks good (if
anyone else wants to test as well, that would be great.  Or if someone
else is particularly keen to NMU, that's fine by me too - just let me
know).

Cheers,
Olly


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#781024: quassel: Denial of service (no CVE yet)

2015-03-31 Thread Steinar H. Gunderson
On Tue, Mar 31, 2015 at 11:03:01PM +0200, Steinar H. Gunderson wrote:
> I took the patch from upstream and backported it to the version in sid;
> this was a fair amount of work as the patch uses C++11 lambdas heavily
> (and the version in jessie is compiled in C++03 mode; I thought changing
> this would be too intrusive), but not immediately tricky in itself.
> There were also some other merge conflicts that I've fixed.

More eyes: The backported patch has been OKed by two upstream Quassel
developers, including Michael Marley (original author of the patch).
So all it needs is some testing from some volunteer and we should be good to
go.

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Bug#781024: quassel: Denial of service (no CVE yet)

2015-03-31 Thread Steinar H. Gunderson
tags 781024 + patch
thanks

On Tue, Mar 31, 2015 at 10:48:08AM +0200, Thomas Müller wrote:
> NMU upload is more than welcome - I lack the time to take care of this at
> the moment.

I took the patch from upstream and backported it to the version in sid;
this was a fair amount of work as the patch uses C++11 lambdas heavily
(and the version in jessie is compiled in C++03 mode; I thought changing
this would be too intrusive), but not immediately tricky in itself.
There were also some other merge conflicts that I've fixed.

The patch compiles and has had a second pair of eyes for review, but I've
never used Quassel in my life, so I can't say if it works or not. In any case
it ought to help whoever ends up doing the NMU.

/* Steinar */
-- 
Homepage: http://www.sesse.net/
From b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8 Mon Sep 17 00:00:00 2001
From: Michael Marley 
Date: Sat, 21 Feb 2015 07:33:57 -0500
Subject: [PATCH] Improve the message-splitting algorithm for PRIVMSG and CTCP

This introduces a new message splitting algorithm based on
QTextBoundaryFinder.  It works by first starting with the entire
message to be sent, encoding it, and checking to see if it is over
the maximum message length.  If it is, it uses QTBF to find the
word boundary most immediately preceding the maximum length.  If no
suitable boundary can be found, it falls back to searching for
grapheme boundaries.  It repeats this process until the entire
message has been sent.

Unlike what it replaces, the new splitting code is not recursive
and cannot cause stack overflows.  Additionally, if it is unable
to split a string, it will give up gracefully and not crash the
core or cause a thread to run away.

This patch fixes two bugs.  The first is garbage characters caused
by accidentally splitting the string in the middle of a multibyte
character.  Since the new code splits at a character level instead
of a byte level, this will no longer be an issue.  The second is
the core crash caused by sending an overlength CTCP query ("/me")
containing only multibyte characters.  This bug was caused by the
old CTCP splitter using the byte index from lastParamOverrun() as
a character index for a QString.
---
 src/core/corebasichandler.cpp |  3 ++
 src/core/corebasichandler.h   |  1 +
 src/core/corenetwork.cpp  | 86 +++
 src/core/corenetwork.h|  5 +++
 src/core/coreuserinputhandler.cpp | 72 +++-
 src/core/coreuserinputhandler.h   |  2 +-
 src/core/ctcpparser.cpp   | 26 +++-
 7 files changed, 124 insertions(+), 71 deletions(-)

Index: quassel-0.10.0/src/core/corebasichandler.cpp
===
--- quassel-0.10.0.orig/src/core/corebasichandler.cpp
+++ quassel-0.10.0/src/core/corebasichandler.cpp
@@ -33,6 +33,9 @@ CoreBasicHandler::CoreBasicHandler(CoreN
 connect(this, SIGNAL(putCmd(QString, const QList &, const QByteArray &)),
 network(), SLOT(putCmd(QString, const QList &, const QByteArray &)));
 
+connect(this, SIGNAL(putCmd(QString, const QList > &, const QByteArray &)),
+network(), SLOT(putCmd(QString, const QList > &, const QByteArray &)));
+
 connect(this, SIGNAL(putRawLine(const QByteArray &)),
 network(), SLOT(putRawLine(const QByteArray &)));
 }
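Review bot: the new connect() in this hunk uses the string-based SIGNAL/SLOT macros, so if the spelling of the nested-QList parameter differs from the declarations in corebasichandler.h or corenetwork.h the result is not a compile error but a silent runtime failure (a "no such slot" warning on the console) and the multi-line putCmd would never reach the network; check the return value of connect() in the backport, or at least confirm the normalized signatures match character for character. Since the jessie package is built in C++03 mode (see the reply above), the space in `> >` between the nested closing angle brackets must be kept; without it the tokens parse as a shift operator.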
Index: quassel-0.10.0/src/core/corebasichandler.h
===
--- quassel-0.10.0.orig/src/core/corebasichandler.h
+++ quassel-0.10.0/src/core/corebasichandler.h
@@ -55,6 +55,7 @@ public:
 signals:
 void displayMsg(Message::Type, BufferInfo::Type, const QString &target, const QString &text, const QString &sender = "", Message::Flags flags = Message::None);
 void putCmd(const QString &cmd, const QList ¶ms, const QByteArray &prefix = QByteArray());
+void putCmd(const QString &cmd, const QList > ¶ms, const QByteArray &prefix = QByteArray());
 void putRawLine(const QByteArray &msg);
 
 protected:
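Review bot: the second putCmd signal overload has no comment explaining how it differs from the one-list variant directly above it; a one-line note that each inner list is one complete parameter list, emitted as its own line, would help since both overloads share the name and the same default prefix argument. Overloaded signals also make the string-based connect() calls in corebasichandler.cpp depend on exact argument spelling, so keep this declaration textually identical to the matching slot in corenetwork.h.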
Index: quassel-0.10.0/src/core/corenetwork.cpp
===
--- quassel-0.10.0.orig/src/core/corenetwork.cpp
+++ quassel-0.10.0/src/core/corenetwork.cpp
@@ -283,6 +283,16 @@ void CoreNetwork::putCmd(const QString &
 }
 
 
+void CoreNetwork::putCmd(const QString &cmd, const QList > ¶ms, const QByteArray &prefix)
+{
+QListIterator > i(params);
+while (i.hasNext()) {
+QList msg = i.next();
+putCmd(cmd, msg, prefix);
+}
+}
+
+
 void CoreNetwork::setChannelJoined(const QString &channel)
 {
 _autoWhoQueue.prepend(channel.toLower()); // prepend so this new chan is the first to be checked
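Review bot: the loop in the new putCmd overload calls `putCmd(cmd, msg, prefix);` for every inner list without checking that it is non-empty, so an empty inner list would emit a bare command with no parameters; either skip it (`if (msg.isEmpty()) continue;`) or document that splitMessage never produces one. Also `QList msg = i.next();` copies each inner list on every iteration; binding a const reference avoids that.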
@@ -979,3 +989,82 @@ void CoreNetwork::requestSetNetworkInfo(
 }
 }
 }
+
+
+CoreNetwork::SplitGenerator::~SplitGenerator() {}
+
+
+QList > CoreNetwork::splitMessage(const QString &cmd, const QString &message, SplitGenerator *cmdGenerator)
+{
+QString wrkMsg(message);
+QList > msgs
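Review bot: the body of splitMessage() is cut off on this page after `QList > msgs`, so the splitting loop itself cannot be reviewed here; what is visible takes cmdGenerator as a raw pointer with no null check at the top of the function, so either assert it is non-null before use or take it by reference. The commit message promises a non-recursive loop that gives up gracefully when a string cannot be split; since the backport has had no functional testing (per the reply above), a regression test that feeds an overlength CTCP query made only of multibyte characters, the crash case the commit message names, is the cheapest way to confirm that claim before the NMU.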

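The commit message above describes the splitting strategy but the patch body is truncated on this page, so here is the same idea as an added example in plain C++ without Qt. This is not code from the Quassel patch: the ASCII space stands in for QTextBoundaryFinder's word boundaries, a UTF-8 lead byte stands in for its grapheme boundaries, and the names splitUtf8Message, naiveByteSplit, isValidUtf8 and allValidUtf8 are this example's own. It also shows the pre-patch failure mode, a cut by byte count that lands inside a multibyte character, next to the boundary-aware loop, and the give-up path for a character that cannot fit at all. The sample messages in the test are constructed.

```cpp
// Added example (not from the Quassel patch): iterative, boundary-aware
// message splitting in plain C++. "Word boundary" is an ASCII space and
// "grapheme boundary" is a UTF-8 code point boundary, as stand-ins for
// the patch's QTextBoundaryFinder logic.
#include <cstddef>
#include <string>
#include <vector>

// A UTF-8 continuation byte has the bit pattern 10xxxxxx.
static bool isContinuationByte(unsigned char c)
{
    return (c & 0xC0) == 0x80;
}

// True if s consists only of complete, well-formed UTF-8 sequences, i.e.
// no split landed inside a multibyte character.
bool isValidUtf8(const std::string &s)
{
    std::size_t i = 0;
    while (i < s.size()) {
        unsigned char lead = static_cast<unsigned char>(s[i]);
        std::size_t len;
        if (lead < 0x80)                len = 1;
        else if ((lead & 0xE0) == 0xC0) len = 2;
        else if ((lead & 0xF0) == 0xE0) len = 3;
        else if ((lead & 0xF8) == 0xF0) len = 4;
        else return false;              // stray continuation or invalid lead byte
        if (i + len > s.size()) return false;   // sequence truncated at the end
        for (std::size_t k = 1; k < len; ++k)
            if (!isContinuationByte(static_cast<unsigned char>(s[i + k]))) return false;
        i += len;
    }
    return true;
}

bool allValidUtf8(const std::vector<std::string> &chunks)
{
    for (std::size_t i = 0; i < chunks.size(); ++i)
        if (!isValidUtf8(chunks[i])) return false;
    return true;
}

// The pre-patch behaviour the commit message describes: cut on a byte
// count, which can land inside a multibyte character. Requires maxBytes > 0.
std::vector<std::string> naiveByteSplit(const std::string &message, std::size_t maxBytes)
{
    std::vector<std::string> out;
    for (std::size_t pos = 0; pos < message.size(); pos += maxBytes)
        out.push_back(message.substr(pos, maxBytes));
    return out;
}

// Boundary-aware splitter: every chunk's encoded size is <= maxBytes. The
// cut is moved back to the last space at or before the limit, otherwise to
// the last code point boundary. A plain loop rather than recursion, and it
// returns false instead of spinning when no progress is possible.
bool splitUtf8Message(const std::string &message, std::size_t maxBytes,
                      std::vector<std::string> &out)
{
    out.clear();
    std::size_t pos = 0;
    while (pos < message.size()) {
        if (message.size() - pos <= maxBytes) {   // remainder fits: done
            out.push_back(message.substr(pos));
            return true;
        }
        // Back up from the byte limit until message[pos + cut] is a lead byte.
        std::size_t cut = maxBytes;
        while (cut > 0 && isContinuationByte(static_cast<unsigned char>(message[pos + cut])))
            --cut;
        // Prefer the last space at or before that point, if it lies inside this chunk.
        std::size_t space = message.rfind(' ', pos + cut);
        std::size_t boundary = (space != std::string::npos && space > pos) ? space - pos : cut;
        if (boundary == 0)
            return false;   // one character alone exceeds maxBytes: give up, do not loop
        out.push_back(message.substr(pos, boundary));
        pos += boundary;
        if (message[pos] == ' ')
            ++pos;          // the separating space need not start the next chunk
    }
    return true;
}
```

The byte-count version produces a chunk ending in a lone lead byte and a following chunk starting with a continuation byte, which is the "garbage characters" symptom in the commit message; the boundary-aware version never does, and a message whose first character cannot fit at all makes it return false rather than recurse or spin. In Quassel the limit would come from the IRC line budget rather than a fixed parameter.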
Bug#781024: quassel: Denial of service (no CVE yet)

2015-03-31 Thread Thomas Müller
NMU upload is more than welcome - I lack the time to take care of this at the 
moment.

Thanks a lot,

Thomas



Bug#781024: quassel: Denial of service (no CVE yet)

2015-03-28 Thread Salvatore Bonaccorso
Control: retitle -1 quassel: Denial of service (CVE-2015-2778 CVE-2015-2779)

Hi,

Two CVEs were assigned for issues fixed with the commit, for detail
see http://www.openwall.com/lists/oss-security/2015/03/28/3 .

Regards,
Salvatore



Bug#781024: quassel: Denial of service (no CVE yet)

2015-03-23 Thread Moritz Muehlenhoff
Package: quassel
Severity: grave
Tags: security
Justification: user security hole

The following security issue was reported against quassel:
https://github.com/quassel/quassel/commit/b5e38970ffd55e2dd9f706ce75af9a8d7730b1b8

A CVE ID has been requested, but is not yet available, we'll
update the bug once available.

Cheers,
Moritz

