CVE-2013-4422

Published: 23 October 2013

SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used, allows remote attackers to execute arbitrary SQL commands via a \ (backslash) in a message.

Priority

Medium

Status

Package: quassel (Launchpad, Ubuntu, Debian)
Release: Upstream
Status: Needs triage

Patches:
Upstream: https://github.com/quassel/quassel/commit/27f6692cfc3bd2e873e01096e1197e1dca07b36a

Notes

Author: jdstrand
Note:
per upstream, "This bug was introduced due to a bugfix in Qt 4.8.5 that
disables slash escaping when binding queries:
https://bugreports.qt-project.org/browse/QTBUG-30076"
Ubuntu 13.04 and earlier do not have Qt 4.8.5

References

Bugs