CVE-2013-6404

NameCVE-2013-6404
DescriptionQuassel core (server daemon) in Quassel IRC before 0.9.2 does not properly verify the user ID when accessing user backlogs, which allows remote authenticated users to read other users' backlogs via the bufferid in (1) 16/select_buffer_by_id.sql, (2) 16/select_buffer_by_id.sql, and (3) 16/select_buffer_by_id.sql in core/SQL/PostgreSQL/.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
quassel (PTS)bullseye1:0.13.1-5fixed
bookworm1:0.14.0-1fixed
sid, trixie1:0.14.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
quasselsourcewheezy0.8.0-1+deb7u1
quasselsource(unstable)0.9.2-1low

Notes

[squeeze] - quassel <no-dsa> (Minor issue)
https://github.com/quassel/quassel/commit/a1a24da
Search for package or bug name: Reporting problems