Re: CVE Request - Quassel IRC SQL injection

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/09/2013 10:48 AM, Bas Pape wrote:
> Hi all,
>
> Please assign a CVE to the following issue: Quassel IRC is
> vulnerable to SQL injection on all current versions (0.9.0 being
> the latest at the time of writing), if used with Qt 4.8.5 (the
> vulnerability is caused by a change in its postgres driver[1,2]) 
> and PostgreSQL 8.2 or later with standard_conforming_strings
> enabled (which is the default in those versions). The vulnerability
> allows anyone to trick the core into executing SQL queries, which
> includes cascade deleting the entire database. It is tracked
> upstream in bug #1244 [3]. It was firstly noticed by due to minor
> issues with migration to postgres and problems with certain
> messages, a simple test with an unmodified installation of postgres
> and quassel showed that it was indeed possible to drop tables.
>
> No upstream fix is available at this time, although the below
> patch does fix the current issue.
>
> Regards, Bas Pape (Tucos)
>
> [1]
> https://qt.gitorious.org/qt/qtbase/commit/e3c5351d06ce8a12f035cd0627356bc64d8c334a
[2] https://bugreports.qt-project.org/browse/QTBUG-30076
> [3] http://bugs.quassel-irc.org/issues/1244
>
> commit 7c64ed0d05718d907770d11a38436aa4ed65f2bb Author: Bas Pape
> <baspape () gmail com> Date:   Mon Oct 7 19:51:52 2013 +0200
>
> Detect the need for standard_conforming_strings.
>
> diff --git a/src/core/postgresqlstorage.cpp
> b/src/core/postgresqlstorage.cpp index 3965704..70bf894 100644 ---
> a/src/core/postgresqlstorage.cpp +++
> b/src/core/postgresqlstorage.cpp @@ -101,6 +101,15 @@ void
> PostgreSqlStorage::initDbSession(QSqlDatabase &db) // this blows...
> but unfortunately Qt's PG driver forces us to this... db.exec("set
> standard_conforming_strings = off"); db.exec("set
> escape_string_warning = off"); + +    // Fortunately things can
> always blow more. Refer to the commit message for +    // the juicy
> details, tread lightly. +    // First standard_conforming_strings
> are turned off, because that's what used +    // to be necessary,
> here the actual behaviour is tested. +    QSqlQuery query =
> db.exec("SELECT '\\\\' x"); +    if (query.first()) +        if
> (query.value(0).toString() == "\\") +            db.exec("set
> standard_conforming_strings = on"); }

Please use CVE-2013-4422 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSV49iAAoJEBYNRVNeJnmTp7wQANne6+eEaU2fT88CbBKhj0d9
agw3qF7QCsFN7qURQhZ3ilj+DJp7HEmS6X21tbrnJaNrIZKTjho1P1J64YlBLXbm
NClN3M1olKF6LLElL6cyf5WzjQ/m4mLhD0h74+c6libRXKui2oG+3fQCyYHo8MV/
f5GGBGQ0i2eiNrFCVz2r4/G0VpFUkbbcopFR/vQXJPp+/qvP9IZLkAFowfTBHL+c
k65XsdF4mXAZU/wIrHLKqgEta5T1mXixt2O8aGSJrlQBDDkEJ8Z90bRQs8Va+QKd
yGle+kjpA6/9j3xHdbUZ52MnMO/PApkFR1R8mZUEakWcYOKuCqgtyaTsN+GkivNi
fMySRBR5pCBX2u6JxL+JqOIgR4si0zGUa7z0TwFDyhg/YE5tYQLBLNHCeWK8N910
zmwEC8jUg4sjh12tBau2rIQsaPi0LFOc7X0zaIQrMPlw5ask+seOXNFm5Zx5nBf7
0ePjvmOPf0hDaityrK2ej/RMq++dxTFmUwVtGxT9s92AuO6+DF9XtoeOe68GQC2y
BZeOV/gzlk4FP71Or77r/0hNxyNcJ59gZ+gYMfc9do7A+NnSrkzXlAqk5hI3W1cG
+1yuW/+8IDeAjVhOBaq4s4ZbxwnnnkwpLj+49c2+gGGhPsUpdFpVS9n/tEucmEDg
Cez/bUHjWWLRKeZh03Dp
=/nNu
-----END PGP SIGNATURE-----