IRC-Junkie.org – IRC News

All about Internet Relay Chat

Quassel IRC client updated to 0.6.1

Developer Sputnick of the Quassel project just posted an announcement for version 0.6.1 of their IRC client.

Quassel IRC client Logo

Quassel IRC client Logo

In case you wonder where the announcement of 0.6.0 went, he writes that they skipped it because “shortly after tagging, we’ve discovered two serious bugs in that version. One could make the monolithic client try to select the PostgreSQL backend rather than SQlite; the other would lead to a crash on startup in some setups”.

In the announcement, he cites the following as the most notable new features:

  • Completely reworked client/core connection featuring the long-awaited reconnection and Solid support as well as a streamlined UI
  • Support for the new DBus-based system tray of KDE and, in some distros, Gnome (StatusNotifier spec)
  • Improved notification handling
  • Support for inputting formatted (colored/bold/…) text
  • SASL auth support (replaces NickServ e.g. in Freenode)
  • Several new languages and improved translations for already existing ones
  • Build system improvements

Version 0.7.x is already in development but he says that they will “maintain the 0.6.x branch in feature and string freeze at least until 0.7.0 is released” which means they’ll backport bugfixes where it makes sense but won’t introduce new features in the 0.6.x branch to “make packagers of freeze-loving distros happy”.

The complete changelog can be found here and the download can be obtained from here.

  Copyright secured by Digiprove

Quassel IRC client releases version 0.5.2

The Quassel IRC project – “a modern, cross-platform, distributed IRC client based on the Qt4 framework” – has released a bugfix release of their IRC client which is now available as version 0.5.2.

This bugfix release mainly contains “build system fixes for recent versions of KDE and Qt” and “some issues with netsplit handling have also been fixed”. A bug that made the menu-bar vanish has been fixed and if you are affected you now can “use the context menu on the chatview to re-enable it”.

Due to the recent floodings of mass CTCPs to channels on freenode they added an option that allows you to forbid replys to certain CTCP types for the network you choose.

Developer Sput writes that “Since Freenode has fixed the problem the other day, using this should no longer be necessary for now” which is not entirely true – the fix itself is the addition of a channelmode that doesn’t allow channel-wide CTCPs (+C) which however has to be enabled to come into effect.

The download can be found here.

Quassel IRC v0.4.0 Released

Today, Quassel announced their release of version 0.4.0:

The Kubuntu-supported client’s 0.4 branch has a number of major upgrades, including:

KDE Integration: Quassel can now be integrated into KDE4, allowing for your style and color schemes to be picked up by Quassel correctly.

UI and Feature Overhaul: Plenty of minor improvements here, such as context menus, URL hyperlinks, colored nicknames, paste warnings and much more.

Streamlined Monolithic Client: Big improvement over the original core + client combined binary.

Facelift: Quassel are happy to brag that they have a complete makeover appearance-wise, courtesy of Nuno Pinheiro (from Oxygen).

Quassel weren’t able to implement everything they wanted to with the 0.4.0 release. Because Kubuntu is now using Quassel as their default IRC client, Quassel have been working to try and meet Kubuntu’s deadline, which means things such as translations into other languages have been put on hold until the 0.4.1 release.

The full article can be found here.

The Feature log and Git history can be found here and here respectively.

Give it a spin and tell us what you think!

Quassel IRC CTCP Command Injection Vulnerability

Another day, another IRC client vulnerability…

Researchers have found a remotely exploitable vulnerability in the Quassel IRC client.

Quoted from the projects homepage:

Well, looks like 0.3.0.2 was not the last 0.3.0 release after all. coekie found an issue with CTCP handling in Quassel Core that allows attackers to send arbitrary IRC messages on your behalf. This issue is present in all versions prior to 0.3.0.3 and Git older than October 26th (rev. d7a0381).

Details on the vulnerability are provided on the webpage of the exploits author:

A CTCP ping where the value contains a CTCP quoted newline (’20′ + ‘n’) will let the Quassel core reply with a message containing an unquoted newline (‘\n’). The IRC server interprets this as a command separator.

Having a newline seperator injected in your IRC session means that anybody that sends a carefully crafted, malicious CTCP ping to your vulnerable client will be able to add an arbitrary command to it that will be executed with your privileges by the client – just as if you had typed it yourself.

The vulnerability is patched in version 0.3.0.3 which is available for download here.

As noted on the homepage, some distributions already have the new version available in their package repositories, other should update manually.

Gentoo and *buntu already ship the new version, with more distributions hopefully following ASAP. If you still use a 0.2-rc1 core, please consider updating to 0.3.x as soon as possible. Note that we provide unstable, but fixed packages for Debian now, thanks to dileX.