CVE-2013-4422
Published: 23 October 2013
SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used, allows remote attackers to execute arbitrary SQL commands via a \ (backslash) in a message.
Notes
Author | Note |
---|---|
jdstrand | per upstream, "This bug was introduced due to a bugfix in Qt 4.8.5 that disables slash escaping when binding queries: https://bugreports.qt-project.org/browse/QTBUG-30076" Ubuntu 13.04 and earlier do not have Qt 4.8.5 |
Priority
Status
Package | Release | Status |
---|---|---|
quassel (Launchpad, Ubuntu, Debian) | lucid | Ignored (end of life) |
quassel | precise | Not vulnerable |
quassel | quantal | Not vulnerable |
quassel | raring | Not vulnerable |
quassel | upstream | Needs triage |

Patches: upstream: https://github.com/quassel/quassel/commit/27f6692cfc3bd2e873e01096e1197e1dca07b36a