CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption

Bug #1388333 reported by Felix Geyer
Affects              Status        Importance  Assigned to  Milestone
quassel (Ubuntu)     Fix Released  Undecided   Unassigned
  Precise            Fix Released  Undecided   Unassigned
  Trusty             Fix Released  Undecided   Unassigned
  Utopic             Fix Released  Undecided   Unassigned

Bug Description

https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138

> Check for invalid input in encrypted buffers
>
> The ECB Blowfish decryption function assumed that encrypted input would
> always come in blocks of 12 characters, as specified. However, buggy
> clients or annoying people may not adhere to that assumption, causing
> the core to crash while trying to process the invalid base64 input.
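
The assumption the commit message describes, as an added illustration that is not Quassel's code and not the upstream patch: a decoder that validates the buffer's length and character set before it indexes into 12-character blocks, so input that is not a whole number of blocks, or that contains characters outside the encoding alphabet, is rejected up front rather than walked past its end. The 64-character alphabet and the 6-bit word packing used here are assumptions chosen for illustration (FiSH-style, not necessarily Quassel's wire format); the early rejection check is the point.

```python
"""
Length and alphabet checks for a 12-character-per-block ECB buffer.

Constructed example: the alphabet and the 6-bit packing below are
assumptions for illustration, not Quassel's own implementation.
"""
from typing import List, Optional

# Assumed 64-character alphabet used by FiSH-style Blowfish ECB encoding.
ALPHABET = "./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
CHARS_PER_BLOCK = 12   # 12 six-bit characters carry one 64-bit cipher block
BYTES_PER_BLOCK = 8
_DECODE = {c: i for i, c in enumerate(ALPHABET)}


def validate_buffer(buf: str) -> bool:
    """Return True only if buf could be a well-formed sequence of blocks."""
    if len(buf) == 0 or len(buf) % CHARS_PER_BLOCK != 0:
        return False
    return all(c in _DECODE for c in buf)


def _decode_word(chunk: str) -> int:
    """Unpack 6 characters into a 32-bit word, least significant 6 bits first."""
    word = 0
    for i, c in enumerate(chunk):
        word |= _DECODE[c] << (6 * i)
    return word & 0xFFFFFFFF


def decode_blocks(buf: str) -> List[bytes]:
    """Split a validated buffer into 8-byte ciphertext blocks.

    Validation happens before any indexing, so a short or truncated buffer
    is rejected instead of the loop reading beyond the end of the input.
    """
    if not validate_buffer(buf):
        raise ValueError("malformed encrypted buffer: bad length or character")
    blocks = []
    for off in range(0, len(buf), CHARS_PER_BLOCK):
        right = _decode_word(buf[off:off + 6])
        left = _decode_word(buf[off + 6:off + 12])
        blocks.append(left.to_bytes(4, "big") + right.to_bytes(4, "big"))
    return blocks


def safe_decode(buf: str) -> Optional[List[bytes]]:
    """Return the block list, or None when the input is rejected."""
    try:
        return decode_blocks(buf)
    except ValueError:
        return None


if __name__ == "__main__":
    print(safe_decode("/..........."))   # one block, right word == 1
    print(safe_decode("short"))          # None: not a multiple of 12 chars
```

A core receiving such buffers from clients should treat the rejection as an ordinary protocol error (log and drop the message), since the sender may be a buggy client rather than a hostile one.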

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.11.0-0ubuntu1

---------------
quassel (0.11.0-0ubuntu1) vivid; urgency=medium

  * New upstream release.
  * Fix CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
    - Add debian/patches/CVE-2014-8483.patch
    - LP: #1388333
  * Simplify debian/rules a bit by using debhelper compat level 9.
  * Add a systemd service file.
 -- Felix Geyer <email address hidden> Sat, 01 Nov 2014 11:52:52 +0100

Changed in quassel (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.8.0-0ubuntu1.2

---------------
quassel (0.8.0-0ubuntu1.2) precise-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read in ECB Blowfish decryption
    - debian/patches/CVE-2014-8483.patch: backport upstream patch
    - CVE-2014-8483
    - LP: #1388333
 -- Felix Geyer <email address hidden> Tue, 04 Nov 2014 18:19:33 +0100

Changed in quassel (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.10.1-0ubuntu1.1

---------------
quassel (0.10.1-0ubuntu1.1) utopic-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read in ECB Blowfish decryption
    - debian/patches/CVE-2014-8483.patch: add upstream patch
    - CVE-2014-8483
    - LP: #1388333
 -- Felix Geyer <email address hidden> Tue, 04 Nov 2014 18:14:49 +0100

Changed in quassel (Ubuntu Utopic):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package quassel - 0.10.0-0ubuntu2.1

---------------
quassel (0.10.0-0ubuntu2.1) trusty-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds read in ECB Blowfish decryption
    - debian/patches/CVE-2014-8483.patch: add upstream patch
    - CVE-2014-8483
    - LP: #1388333
 -- Felix Geyer <email address hidden> Tue, 04 Nov 2014 18:15:46 +0100

Changed in quassel (Ubuntu Trusty):
status: New → Fix Released
This report contains Public Security information.
Everyone can see this security related information.