CVE-2013-6404

Name: CVE-2013-6404
Description: Quassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                      Version                  Status
quassel (PTS)     jessie (security), jessie    1:0.10.0-2.3+deb8u4      fixed
                  stretch                      1:0.12.4-2               fixed
                  stretch (security)           1:0.12.4-2+deb9u1        fixed
                  buster, sid                  1:0.12.5-2               fixed

The information below is based on the following data on fixed versions.

Package    Type     Release       Fixed Version      Urgency    Origin    Debian Bugs
quassel    source   (unstable)    0.9.2-1            low
quassel    source   wheezy        0.8.0-1+deb7u1     medium

Notes

[squeeze] - quassel <no-dsa> (Minor issue)
https://github.com/quassel/quassel/commit/a1a24da
