| Name | CVE-2013-4422 |
| Description | SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used, allows remote attackers to execute arbitrary SQL commands via a \ (backslash) in a message. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| quassel (PTS) | bullseye | 1:0.13.1-5 | fixed |
| bookworm | 1:0.14.0-1 | fixed |
| sid, trixie | 1:0.14.0-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| quassel | source | squeeze | (not affected) | | | |
| quassel | source | (unstable) | 0.9.1-1 | | | |
Notes
[wheezy] - quassel <no-dsa> (Issue only relevant if the Qt 4.8.5 fix would be backported)
[squeeze] - quassel <not-affected> (qt4-x11 is too old)
Issue when used with Qt >= 4.8.5 and PostgreSQL >= 8.2
http://quassel-irc.org/node/120
http://bugs.quassel-irc.org/issues/1244
https://github.com/quassel/quassel/commit/aa1008be162cb27da938cce93ba533f54d228869
Caused by a change in Qt's postgres driver:
https://bugreports.qt-project.org/browse/QTBUG-30076
https://qt.gitorious.org/qt/qtbase/commit/e3c5351d06ce8a12f035cd0627356bc64d8c334a