CVEs have been issued for two security issues in Mumble today (May 15):
http://openwall.com/lists/oss-security/2014/05/15/4

The issues are fixed upstream in 1.2.6. Mageia 3 and Mageia 4 are also affected. Patches are linked in the upstream advisories (linked in the message above).
Whiteboard: (none) => MGA4TOO, MGA3TOO
Fixed in Cauldron with mumble-1.2.6-1.mga5 by David Geiger.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Patched packages uploaded for Mageia 3 and Mageia 4 by David Geiger. Assigning to QA (hopefully this is OK with you David).

Advisory:
========================

Updated mumble packages fix security vulnerabilities:

In Mumble before 1.2.6, the Mumble client is vulnerable to a Denial of Service attack when rendering crafted SVG files that contain references to files on the local computer, due to an issue in Qt's SVG renderer module. This issue can be triggered remotely by an entity participating in a Mumble voice chat, using text messages, channel comments, user comments and user textures/avatars (CVE-2014-3755).

In Mumble before 1.2.6, the Mumble client did not properly HTML-escape some external strings before using them in a rich-text (HTML) context. In some situations, this could be abused to perform a Denial of Service attack on a Mumble client by causing it to load external files via the HTML (CVE-2014-3756).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3755
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3756
http://mumble.info/security/Mumble-SA-2014-005.txt
http://mumble.info/security/Mumble-SA-2014-006.txt
http://openwall.com/lists/oss-security/2014/05/15/4
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-10.1.mga3
mumble-11x-1.2.3-10.1.mga3
mumble-protocol-kde4-1.2.3-10.1.mga3
mumble-plugins-1.2.3-10.1.mga3
mumble-server-1.2.3-10.1.mga3
mumble-1.2.3-14.1.mga4
mumble-11x-1.2.3-14.1.mga4
mumble-protocol-kde4-1.2.3-14.1.mga4
mumble-plugins-1.2.3-14.1.mga4
mumble-server-1.2.3-14.1.mga4

from SRPMS:
mumble-1.2.3-10.1.mga3.src.rpm
mumble-1.2.3-14.1.mga4.src.rpm
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Yep, of course it is OK for me. :)
OpenSuSE has issued an advisory for this today (May 23): http://lists.opensuse.org/opensuse-updates/2014-05/msg00068.html
URL: (none) => http://lwn.net/Vulnerabilities/600094/
Testing mga4 64

Following previous testing here: https://bugs.mageia.org/show_bug.cgi?id=6511#c29

Configured /etc/mumble-server.ini as in that comment. Started mumble-server service and added localhost as a custom server in mumble11x with a random username and it connected to it. No public servers were listed. The log at /var/log/mumble-server/mumble-server.log showed the connection. It showed Root in the right hand panel but I wasn't able to do anything else with it. It also ran the audio wizard again when next started.

Trying with mumble rather than mumble11x was a vast improvement, public servers were listed and after adding a connection to localhost it connected ok, showed connection statistics and showed the lips turn red when I made some noise. Not sure how to create a channel etc. Also connected to a public server from the list.

Neither web address was reachable:
http://localhost/cgi-bin/mumble-server/weblist.cgi
http://localhost/cgi-bin/mumble-server/register.cgi

Both give 404 object not found.
After speaking with David on IRC, this is an old unsupported version with a backported patch, and mumble11x is removed in a later version. Cauldron is a newer version. As these issues aren't regressions, adding the OK.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Advisory uploaded. Validating. Could sysadmin please push to 3 & 4 updates? Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0245.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED