CVEs have been issued for two security issues in Mumble today (May 15):
The issues are fixed upstream in 1.2.6.
Mageia 3 and Mageia 4 are also affected.
Patches are linked in the upstream advisories (linked in the message above).
Steps to Reproduce:
Fixed in Cauldron with mumble-1.2.6-1.mga5 by David Geiger.
MGA4TOO, MGA3TOO =>
Patches packages uploaded for Mageia 3 and Mageia 4 by David Geiger.
Assigning to QA (hopefully this is OK with you David).
Updated mumble packages fix security vulnerabilities:
In Mumble before 1.2.6, the Mumble client is vulnerable to a Denial of
Service attack when rendering crafted SVG files that contain references to
files on the local computer, due to an issue in Qt's SVG renderer module.
This issue can be triggered remotely by an entity participating in a Mumble
voice chat, using text messages, channel comments, user comments and user
In Mumble before 1.2.6, the Mumble client did not properly HTML-escape some
external strings before using them in a rich-text (HTML) context. In some
situations, this could be abused to perform a Denial of Service attack on a
Mumble client by causing it to load external files via the HTML
Updated packages in core/updates_testing:
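The second advisory item above concerns external strings (user names, channel and user comments, text messages) reaching a rich-text (HTML) context without escaping. The following C++ is an added example, not Mumble's code or the patch shipped in these packages: it shows a raw concatenation beside the escaped form with a hand-written escaper so it runs without Qt (Qt itself offers Qt::escape in Qt 4 and QString::toHtmlEscaped in Qt 5). The rendering functions and the sample user name are constructed for the illustration.

```cpp
#include <iostream>
#include <string>

// Added example, not Mumble's code. Escapes the five characters that change
// meaning inside HTML text or attribute values.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Vulnerable pattern (hypothetical helper): the external string is pasted
// into markup as-is, so any tag it carries is interpreted by the rich-text
// engine, which is what lets a peer make the client fetch external files.
std::string renderUnsafe(const std::string &userName) {
    return "<b>" + userName + "</b> joined the channel";
}

// Hardened pattern: escape before the string enters the HTML context, so the
// same input is displayed as literal text.
std::string renderSafe(const std::string &userName) {
    return "<b>" + htmlEscape(userName) + "</b> joined the channel";
}

// Simple self-check: does the rendered markup still contain a raw opening tag
// of the given name that the rich-text engine would act on?
bool containsRawTag(const std::string &markup, const std::string &tag) {
    return markup.find("<" + tag) != std::string::npos;
}

int main() {
    // Constructed sample: a user name carrying markup with a file reference
    // (placeholder path, not a real target).
    const std::string hostile = "bob<img src=\"file:///placeholder/path\">";
    std::cout << "unsafe: " << renderUnsafe(hostile) << "\n";
    std::cout << "safe:   " << renderSafe(hostile) << "\n";
    std::cout << "raw <img> survives unsafe render: "
              << containsRawTag(renderUnsafe(hostile), "img") << "\n";
    std::cout << "raw <img> survives safe render:   "
              << containsRawTag(renderSafe(hostile), "img") << "\n";
    return 0;
}
```

The escaping must happen at the point where the string is inserted into the HTML, not once at receive time, because the same string may also be shown in a plain-text widget where escaped entities would appear verbatim.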
Yep, of course it is OK for me. :)
OpenSuSE has issued an advisory for this today (May 23):
Testing mga4 64
Following previous testing here:
Configured /etc/mumble-server.ini as in that comment. Started mumble-server service and added localhost as a custom server in mumble11x with a random username and it connected to it. No public servers were listed. The log at /var/log/mumble-server/mumble-server.log showed the connection. It showed Root in the right-hand panel but I wasn't able to do anything else with it. It also ran the audio wizard again when next started.
Trying with mumble rather than mumble11x was a vast improvement, public servers were listed and after adding a connection to localhost it connected ok, showed connection statistics and showed the lips turn red when I made some noise. Not sure how to create a channel etc. Also connected to a public server from the list.
Neither web address was reachable.
Both give 404 object not found.
After speaking with David on IRC, this is an old unsupported version with backported patch and mumble11x is removed in later version. Cauldron is a newer version.
As these issues aren't regressions, adding the OK.
MGA3TOO has_procedure mga4-64-ok
Testing complete mga3 64
MGA3TOO has_procedure mga4-64-ok =>
MGA3TOO has_procedure mga3-64-ok mga4-64-ok
Testing complete mga3 32
MGA3TOO has_procedure mga3-64-ok mga4-64-ok =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Advisory uploaded. Validating.
Could sysadmin please push to 3 & 4 updates
MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok =>
MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok