Bug 26746 - MUMBLE : New version 1.3.1 with fix Potential exploit
Summary: MUMBLE : New version 1.3.1 with fix Potential exploit
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: https://www.mumble.info/blog/mumble-1...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-08 22:29 CEST by Arnaud Vacquier
Modified: 2020-06-20 14:46 CEST

See Also:
Source RPM: mumble-1.3.0-1.mga7.x86_64.rpm
CVE:
Status comment:



Description Arnaud Vacquier 2020-06-08 22:29:37 CEST
Description of problem:
New version 1.3.1 is out with a fix for a potential exploit.
Fixed: Potential exploit in the OCB2 encryption (#4227)


Changelog:
https://www.mumble.info/blog/mumble-1.3.1-release-announcement/

Archive:
https://github.com/mumble-voip/mumble/releases/tag/1.3.1
Arnaud Vacquier 2020-06-08 22:30:22 CEST

Source RPM: (none) => mumble-1.3.0-1.mga7.x86_64.rpm

Comment 1 David GEIGER 2020-06-09 07:37:15 CEST
Assigning to QA,


Advisory:
========================

Updated mumble package fixes security vulnerability:


OCB2 is known to be broken under certain conditions:
https://eprint.iacr.org/2019/311

To execute the universal attacks described in the paper, an attacker needs
access to an encryption oracle that allows it to perform encryption queries with
attacker-chosen nonce. Luckily in Mumble the encryption nonce is a fixed counter
which is far too restrictive for the universal attacks to be feasible against
Mumble.

The basic attacks do not require an attacker-chosen nonce and as such are more
applicable to Mumble. They are however of limited use and do require an
encryption and a decryption oracle, which Mumble seemingly does not provide at
the same time.

To be on the safe side, this commit implements the counter-cryptanalysis
measure described in the paper in section 9 for the sender and receiver side.
This way, if either server or client is patched, their communication is almost
certainly (merely lacking formal proof) not susceptible to the attacks described
in the paper.


Fixed: Potential exploit in the OCB2 encryption (#4227)


References:
https://github.com/mumble-voip/mumble/issues/4219
https://github.com/mumble-voip/mumble/pull/4227

========================

Packages in 7/core/updates_testing:
========================
mumble-1.3.1-1.mga7.i586.rpm
mumble-protocol-plasma5-1.3.1-1.mga7.i586.rpm
mumble-plugins-1.3.1-1.mga7.i586.rpm
mumble-server-1.3.1-1.mga7.i586.rpm
mumble-server-web-1.3.1-1.mga7.i586.rpm

mumble-1.3.1-1.mga7.x86_64.rpm
mumble-protocol-plasma5-1.3.1-1.mga7.x86_64.rpm
mumble-plugins-1.3.1-1.mga7.x86_64.rpm
mumble-server-1.3.1-1.mga7.x86_64.rpm
mumble-server-web-1.3.1-1.mga7.x86_64.rpm

Source RPM: 
========================
mumble-1.3.1-1.mga7.src.rpm

Assignee: bugsquad => qa-bugs
CC: (none) => geiger.david68210
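Added example, not code from Mumble or from the paper: a standalone Python model of the section 9 counter-cryptanalysis check as the linked PR applies it on both sides. It assumes the check targets the last full plaintext block of a packet (the block before the final, possibly partial, block), which in the published attacks is all zero except for its final byte; the sender refuses to encrypt such a plaintext and the receiver treats such a decryption as an authentication failure.

```python
from typing import Optional

BLOCK = 16  # AES block size in bytes, the block size OCB2 uses in Mumble


def last_full_block(msg: bytes) -> Optional[bytes]:
    """Return the last full block before the final block, or None when the
    message is at most one block long (then there is no such block)."""
    if len(msg) <= BLOCK:
        return None
    n_full = (len(msg) - 1) // BLOCK      # full blocks ahead of the final one
    start = (n_full - 1) * BLOCK
    return msg[start:start + BLOCK]


def attack_shaped(msg: bytes) -> bool:
    """True when the last full block is zero in every byte except the last.
    Assumption: this is the plaintext shape the section 9 check rejects."""
    blk = last_full_block(msg)
    return blk is not None and not any(blk[:-1])


def sender_guard(msg: bytes) -> bytes:
    """Sender side: never hand an attack-shaped plaintext to OCB2."""
    if attack_shaped(msg):
        raise ValueError("refusing to encrypt: plaintext matches the OCB2 attack shape")
    return msg


def receiver_guard(decrypted: bytes) -> bool:
    """Receiver side: reject a packet whose decrypted plaintext is attack-shaped,
    even if the OCB2 tag verified. Returns True when the packet is acceptable."""
    return not attack_shaped(decrypted)


# Constructed sample packets (not real Mumble traffic):
NORMAL = bytes(range(1, 33))                     # two ordinary full blocks
SUSPECT = bytes(15) + b"\x80" + b"payload!"      # last full block is 0..0,0x80
SHORT = bytes(10)                                # single partial block, no check
```
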

Comment 2 Herman Viaene 2020-06-20 14:46:40 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Trying to find info in older updates.
ref bug 6511
At CLI:
# systemctl restart httpd

# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-20 14:25:39 CEST; 12s ago
 Main PID: 17266 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
    Tasks: 27 (limit: 4915)
   Memory: 34.5M
   CGroup: /system.slice/httpd.service
           ├─17266 /usr/sbin/httpd -DFOREGROUND
           ├─17269 /usr/sbin/httpd -DFOREGROUND
           ├─17270 /usr/sbin/httpd -DFOREGROUND
           ├─17272 /usr/sbin/httpd -DFOREGROUND
           ├─17280 /usr/sbin/httpd -DFOREGROUND
           ├─17285 /usr/sbin/httpd -DFOREGROUND
           └─17290 /usr/sbin/httpd -DFOREGROUND

Jun 20 14:25:38 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Jun 20 14:25:39 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

# systemctl start mumble-server

# systemctl -l status mumble-server
● mumble-server.service - LSB: Mumble VoIP Server
   Loaded: loaded (/etc/rc.d/init.d/mumble-server; generated)
   Active: active (running) since Sat 2020-06-20 14:26:25 CEST; 28s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 20071 ExecStart=/etc/rc.d/init.d/mumble-server start (code=exited, status=0/SUCCESS)
    Tasks: 7 (limit: 4915)
   Memory: 11.2M
   CGroup: /system.slice/mumble-server.service
           └─20087 /usr/sbin/murmurd -ini /etc/mumble-server.ini

Jun 20 14:26:23 mach5.hviaene.thuis systemd[1]: Starting LSB: Mumble VoIP Server...
Jun 20 14:26:23 mach5.hviaene.thuis runuser[20080]: pam_unix(runuser:session): session opened for user mumble-server by (uid=0)
Jun 20 14:26:25 mach5.hviaene.thuis runuser[20080]: pam_unix(runuser:session): session closed for user mumble-server
Jun 20 14:26:25 mach5.hviaene.thuis mumble-server[20071]: Starting mumble-server: [  OK  ]
Jun 20 14:26:25 mach5.hviaene.thuis systemd[1]: Started LSB: Mumble VoIP Server.

Did the updates in /etc/mumble-server.ini and then tried to connect to
http://www.webserver.com/cgi-bin/mumble-server/register.cgi
which gives
Yahoo Logo
Will be right back...

Thank you for your patience.

Our engineers are working quickly to resolve the issue.

and
http://localhost/cgi-bin/mumble-server/weblist.cgi (or https for that matter) gives
Object not found!

The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.

If you think this is a server error, please contact the webmaster.
Error 404

CC: (none) => herman.viaene

