~ubuntu-branches/ubuntu/precise/quassel/precise-security

Viewing changes to debian/patches/CVE-2013-6404.patch

  • Committer: Package Import Robot
  • Author(s): Felix Geyer
  • Date: 2014-01-16 21:34:52 UTC
  • Revision ID: package-import@ubuntu.com-20140116213452-mkuec7npru6qszgc
Tags: 0.8.0-0ubuntu1.1
* SECURITY UPDATE: clients can access backlogs belonging to other users
  - debian/patches/CVE-2013-6404.patch: add upstream patch
  - CVE-2013-6404
  - LP: #1255362

From a1a24daa615a4e0679546c8a7a673720d0dcc60f Mon Sep 17 00:00:00 2001
From: Marcus Eggenberger <egs@quassel-irc.org>
Date: Sun, 24 Nov 2013 17:03:34 +0100
Subject: [PATCH] Make sure that clients can't access buffers belonging to
 other users

A manipulated, but properly authenticated client was able to retrieve
the backlog of other users on the same core in some cases by providing
an appropriate BufferID to the storage engine. Note that proper
authentication was still required, so exploiting this requires
malicious users on your core. This commit fixes this issue by ensuring
that foreign BufferIDs are off-limits.
---
 src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql | 2 +-
 src/core/SQL/PostgreSQL/16/update_network.sql      | 3 ++-
 src/core/SQL/SQLite/17/select_buffer_by_id.sql     | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
index 09f202e..cccfa7c 100644
--- a/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
+++ b/src/core/SQL/PostgreSQL/16/select_buffer_by_id.sql
@@ -1,3 +1,3 @@
 SELECT bufferid, networkid, buffertype, groupid, buffername
 FROM buffer
-WHERE bufferid = :bufferid
+WHERE userid = :userid AND bufferid = :bufferid
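Review bot: The new `userid = :userid` predicate in the WHERE clause needs a `:userid` value bound by the caller, and the diffstat lists only three .sql files, so nothing in this patch shows where that binding happens. Please confirm that the code running select_buffer_by_id binds `:userid` from the authenticated session's user and not from anything the client sends; otherwise the query either fails on an unbound placeholder or the ownership check can be satisfied by the same manipulated client the commit message describes.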
diff --git a/src/core/SQL/PostgreSQL/16/update_network.sql b/src/core/SQL/PostgreSQL/16/update_network.sql
index a000f61..d2dea84 100644
--- a/src/core/SQL/PostgreSQL/16/update_network.sql
+++ b/src/core/SQL/PostgreSQL/16/update_network.sql
@@ -17,4 +17,5 @@ rejoinchannels = :rejoinchannels,
 usesasl = :usesasl,
 saslaccount = :saslaccount,
 saslpassword = :saslpassword
-WHERE networkid = :networkid
+WHERE userid = :userid AND networkid = :networkid
+
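Review bot: The `WHERE userid = :userid AND networkid = :networkid` change is made for PostgreSQL only; the diffstat has no SQLite counterpart of update_network.sql, so please check whether the SQLite query already scopes by userid or needs the same predicate. The commit message mentions only foreign BufferIDs, so it would help to document that network updates are now owner-scoped as well, and the trailing `+` line adds an empty line at the end of the file that can be dropped.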
diff --git a/src/core/SQL/SQLite/17/select_buffer_by_id.sql b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
index 09f202e..6bd35f0 100644
--- a/src/core/SQL/SQLite/17/select_buffer_by_id.sql
+++ b/src/core/SQL/SQLite/17/select_buffer_by_id.sql
@@ -1,3 +1,3 @@
 SELECT bufferid, networkid, buffertype, groupid, buffername
 FROM buffer
-WHERE bufferid = :bufferid
+WHERE bufferid = :bufferid AND userid = :userid
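Review bot: The predicate order here, `WHERE bufferid = :bufferid AND userid = :userid`, is the reverse of the PostgreSQL version of the same query (`WHERE userid = :userid AND bufferid = :bufferid`). The result is the same, but keeping both files identical makes later audits of the ownership check easier. A regression test on both backends that requests a BufferID owned by another user and expects no row would also pin the fix down.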
-- 
1.8.5.1