Bug 13382 - mumble new security issues CVE-2014-3755 and CVE-2014-3756
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/600094/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Reported: 2014-05-15 15:55 CEST by David Walser
Modified: 2014-05-30 09:49 CEST

Source RPM: mumble-1.2.5-1.mga5.src.rpm
Description David Walser 2014-05-15 15:55:06 CEST
CVEs have been issued for two security issues in Mumble today (May 15):
http://openwall.com/lists/oss-security/2014/05/15/4

The issues are fixed upstream in 1.2.6.

Mageia 3 and Mageia 4 are also affected.

Patches are linked in the upstream advisories (linked in the message above).

Comment 1 David Walser 2014-05-15 20:21:23 CEST
Fixed in Cauldron with mumble-1.2.6-1.mga5 by David Geiger.
Comment 2 David Walser 2014-05-19 19:26:36 CEST
Patched packages uploaded for Mageia 3 and Mageia 4 by David Geiger.

Assigning to QA (hopefully this is OK with you David).

Advisory:
========================

Updated mumble packages fix security vulnerabilities:

In Mumble before 1.2.6, the Mumble client is vulnerable to a Denial of
Service attack when rendering crafted SVG files that contain references to
files on the local computer, due to an issue in Qt's SVG renderer module.
This issue can be triggered remotely by an entity participating in a Mumble
voice chat, using text messages, channel comments, user comments and user
textures/avatars (CVE-2014-3755).

In Mumble before 1.2.6, the Mumble client did not properly HTML-escape some
external strings before using them in a rich-text (HTML) context. In some
situations, this could be abused to perform a Denial of Service attack on a
Mumble client by causing it to load external files via the HTML
(CVE-2014-3756).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3756
http://mumble.info/security/Mumble-SA-2014-005.txt
http://mumble.info/security/Mumble-SA-2014-006.txt
http://openwall.com/lists/oss-security/2014/05/15/4
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-10.1.mga3
mumble-11x-1.2.3-10.1.mga3
mumble-protocol-kde4-1.2.3-10.1.mga3
mumble-plugins-1.2.3-10.1.mga3
mumble-server-1.2.3-10.1.mga3
mumble-1.2.3-14.1.mga4
mumble-11x-1.2.3-14.1.mga4
mumble-protocol-kde4-1.2.3-14.1.mga4
mumble-plugins-1.2.3-14.1.mga4
mumble-server-1.2.3-14.1.mga4

from SRPMS:
mumble-1.2.3-10.1.mga3.src.rpm
mumble-1.2.3-14.1.mga4.src.rpm
Comment 3 David GEIGER 2014-05-19 19:34:52 CEST
Yep, of course it is OK for me. :)
Comment 4 David Walser 2014-05-23 21:06:13 CEST
OpenSuSE has issued an advisory for this today (May 23):
http://lists.opensuse.org/opensuse-updates/2014-05/msg00068.html
Comment 5 claire robinson 2014-05-28 17:00:54 CEST
Testing mga4 64

Following previous testing here:
https://bugs.mageia.org/show_bug.cgi?id=6511#c29

Configured /etc/mumble-server.ini as in that comment. Started mumble-server service and added localhost as a custom server in mumble11x with a random username and it connected to it. No public servers were listed. The log at /var/log/mumble-server/mumble-server.log showed the connection. It showed Root in the right hand panel but I wasn't able to do anything else with it. It also ran the audio wizard again when next started.

Trying with mumble rather than mumble11x was a vast improvement, public servers were listed and after adding a connection to localhost it connected ok, showed connection statistics and showed the lips turn red when I made some noise. Not sure how to create a channel etc. Also connected to a public server from the list.

Neither web address was reachable ..
http://localhost/cgi-bin/mumble-server/weblist.cgi
http://localhost/cgi-bin/mumble-server/register.cgi

Both give 404 object not found.
Comment 6 claire robinson 2014-05-28 20:01:42 CEST
After speaking with David on IRC, this is an old unsupported version with a backported patch, and mumble11x is removed in a later version. Cauldron is a newer version.

As these issues aren't regressions, adding the OK.
Comment 7 claire robinson 2014-05-29 14:54:45 CEST
Testing complete mga3 64
Comment 8 claire robinson 2014-05-29 15:17:10 CEST
Testing complete mga3 32
Comment 9 claire robinson 2014-05-29 15:36:45 CEST
Testing complete mga4 32
Comment 10 claire robinson 2014-05-29 15:41:56 CEST
Advisory uploaded. Validating.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 11 Thomas Backlund 2014-05-30 09:49:30 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0245.html
