Debian has issued an advisory on February 19: http://www.debian.org/security/2012/dsa-2411 Fedora has also issued an advisory for this on June 7: http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082507.html Not sure about the Debian update, but the Fedora update fixes several other bugs as well. Mageia 1 and Mageia 2 are also affected.
CC: (none) => jani.valimaa
Whiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => cazzaniga.sandro
CC: (none) => mageia
Patch merged and pushed in latest MGA2 testing build. Some other minor tidyups but none of the other fedora fixes were needed in our package.
Security patch merged and pushed to MGA1 testing. I don't know about the celt library issues there, so I've not poked about too much with that in MGA1. QA People: See also #6581 which has advisory text for the CELT issues in MGA2. I'd advise closing one or other of the bugs (this or that) and incorporating them into one. Unless there are any issues, I'll step out now :) Cheers
Assignee: bugsquad => qa-bugs
Thanks Colin. Since the Mageia 2 update addresses additional issues, it's probably best to keep the bugs separate. Let's use this bug for the Mageia 1 update and Bug 6581 for the Mageia 2 update.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file (CVE-2012-0863).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-1.1.mga1
mumble-11x-1.2.3-1.1.mga1
mumble-protocol-kde4-1.2.3-1.1.mga1
mumble-plugins-1.2.3-1.1.mga1
mumble-server-1.2.3-1.1.mga1
mumble-server-web-1.2.3-1.1.mga1

from mumble-1.2.3-1.1.mga1.src.rpm
Version: Cauldron => 1
Depends on: (none) => 6581
Whiteboard: MGA2TOO, MGA1TOO => (none)
Whoops, copy-paste failed. Trying again.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file (CVE-2012-0863).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-1.1.mga1
mumble-11x-1.2.3-1.1.mga1
mumble-protocol-kde4-1.2.3-1.1.mga1
mumble-plugins-1.2.3-1.1.mga1
mumble-server-1.2.3-1.1.mga1
mumble-server-web-1.2.3-1.1.mga1

from mumble-1.2.3-1.1.mga1.src.rpm
Testing complete on Mageia 1 i586

$ ll .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw------- 1 dave dave 27648 Jun 26 18:52 .local/share/data/Mumble/Mumble/.mumble.sqlite
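The permission check above, generalised into a small script (an added example, not part of this bug report or of the Mumble project): it reports whether a Mumble client database is readable by other local users, which is the exposure CVE-2012-0863 describes, and tightens it to 0600, the mode the fixed package produces. The data path is taken from the ll output in this thread; the helper names and the sample file the demo creates are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or the Mumble project): detect a
# Mumble client database that other local users can read (CVE-2012-0863)
# and restrict it to owner-only access. Helper names are invented here.

# Print the octal permission bits of a file (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 (true) if any group or other bit is set, i.e. the file is
# accessible to users other than its owner.
exposed_to_others() {
    mode=$(file_mode "$1")
    # Keep only the last two octal digits (group, other).
    go=$(printf '%s' "$mode" | sed 's/^.*\(..\)$/\1/')
    [ "$go" != "00" ]
}

# Restrict to owner read/write, the mode the patched client leaves behind.
fix_mumble_db() {
    chmod 600 "$1"
}

# Path of the client database under a home directory, as seen in the
# thread's test output for Mumble 1.2.3 on Mageia 1 (assumed layout).
mumble_db_path() {
    printf '%s/.local/share/data/Mumble/Mumble/.mumble.sqlite' "${1:-$HOME}"
}

# Audit one database file: report and, when asked, fix it.
audit_mumble_db() {
    db=$1
    [ -f "$db" ] || { echo "no database at $db"; return 2; }
    if exposed_to_others "$db"; then
        echo "$db is readable by other users (mode $(file_mode "$db"))"
        if [ "${2:-}" = "--fix" ]; then
            fix_mumble_db "$db"
            echo "$db tightened to mode $(file_mode "$db")"
        fi
        return 1
    fi
    echo "$db is owner-only (mode $(file_mode "$db"))"
    return 0
}

# Constructed demo: an empty database created with the permissive 0644 mode
# that the unpatched client used, audited before and after the fix.
demo() {
    tmp=$(mktemp -d)
    db="$tmp/.mumble.sqlite"
    : > "$db"
    chmod 644 "$db"
    audit_mumble_db "$db" || true
    audit_mumble_db "$db" --fix || true
    audit_mumble_db "$db"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `sh check_mumble_db.sh --demo` to see the before/after output, or call `audit_mumble_db "$(mumble_db_path)" --fix` against a real home directory. Only the group/other bits are inspected, so a 0640 file is still flagged: on a shared machine a group-readable password store is the same exposure as a world-readable one.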
CC: (none) => davidwhodgins
Whiteboard: (none) => mga1-32-OK
Summary: mumble new security issue CVE-2012-0863 => mumble new security issue CVE-2012-0863 [mga1]
Before
------
$ ll .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw-r--r-- 1 claire claire 35840 Jul 1 22:15 .local/share/data/Mumble/Mumble/.mumble.sqlite

After
-----
# urpmi mumble-server-web
A requested package cannot be installed:
mumble-server-web-1.2.3-1.1.mga1.x86_64 (due to unsatisfied pear(Murmur.php))

Appears to have an incorrect require, Colin.

This is affected by bug 2317 so adding a depends, just as well I checked!

Most packages require these..
----------------------------------------
The following packages will require linking:
notification-daemon-0.5.0-2.mga1 (Core 32bit Release)
notification-daemon-0.5.0-2.mga1 (Core Release)
xfce4-notifyd-0.2.1-3.mga1 (Core 32bit Release)
xfce4-notifyd-0.2.1-3.mga1 (Core Release)

mumble-server-web requires these also..
----------------------------------------
sendmail-8.14.4-4.mga1 (Core 32bit Release)
sendmail-8.14.4-4.mga1 (Core Release)
Depends on: (none) => 2317
$ ll .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw------- 1 claire claire 34816 Jul 1 22:34 .local/share/data/Mumble/Mumble/.mumble.sqlite

It does fix the CVE though.
There are two new dependencies in mumble-server-web
pear(Ice.php)
pear(Murmur.php)

I can't find any packages that provide either requires. If the requires are not really needed, they should be removed. If they really are required, then new packages are needed, to provide them.
Whiteboard: mga1-32-OK => (none)
Reassigning back to Colin to take a look at comments 6 and 8.
CC: (none) => qa-bugs
Assignee: qa-bugs => mageia
I don't really know about the mumble package but we no longer build the mumble-server-web subpackage. Spec has:
%define build_web 0
but it was disabled a while back by dmorgan: http://svnweb.mageia.org/packages?view=revision&revision=144150

So I guess it being enabled on mga1 is a problem... That said, I don't know where such files would be needed... I'll have a quick look.
OK, so those two PHP files are only needed with php-ice >= 3.4 but we only have 3.3.1 in all versions, so I can just patch that out of the way. The php bits in our -web package for mga1 were never working anyway as the .ice file was apparently not installed so it's never worked to the best of my knowledge (although I've never used it and don't know anything about the php-ice extension, so hard to say). I've backported the relevant fixes and I'll see how the build fares in mga2 with ice support enabled. If not I'll disable Ice, but enable the -web part (it just won't include the .php files which may cripple it but meh - likely better than nothing)
OK, so the mga1 package now builds and I've been able to re-enable ice support. The mga2 package *should* build with the -web and ice parts re-enabled but the repos are messed up with something relating to Qt, so it will have to wait. cauldron won't build with -web and ice parts as new gcc breaks it. All fun and games.
Indeed, qt4-common is missing from the mirrors in updates_testing. Probably just resubmitting the build of qt4 would suffice (after deleting from mirrors or bumping subrel).
CC: (none) => balcaen.john
Built so far:
mumble-1.2.3-1.2.mga1
mumble-11x-1.2.3-1.2.mga1
mumble-protocol-kde4-1.2.3-1.2.mga1
mumble-plugins-1.2.3-1.2.mga1
mumble-server-1.2.3-1.2.mga1
mumble-server-web-1.2.3-1.2.mga1

from mumble-1.2.3-1.2.mga1.src.rpm

Pending: Build for Mageia 2 once qt4 in updates_testing is fixed
Colin does anything need to be added to the advisories for the latest changes made to the packages?
Thanks Colin.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file (CVE-2012-0863).

Additionally, ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-1.2.mga1
mumble-11x-1.2.3-1.2.mga1
mumble-protocol-kde4-1.2.3-1.2.mga1
mumble-plugins-1.2.3-1.2.mga1
mumble-server-1.2.3-1.2.mga1
mumble-server-web-1.2.3-1.2.mga1

from mumble-1.2.3-1.2.mga1.src.rpm
CC: qa-bugs => (none)
Assignee: mageia => qa-bugs
Testing x86_64
For bug 2317
----------------------------------------
Running checks for "mumble-server-web" using media "Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is mumble-server-web-1.2.2-3.mga1
Latest version found in "Core Updates Testing" is mumble-server-web-1.2.3-1.2.mga1
----------------------------------------
The following packages will require linking:
ice-3.3.1-4.mga1 (Core 32bit Release)
ice-3.3.1-4.mga1 (Core Release)
lib64dbcxx4.8-4.8.30-5.mga1 (Core Release)
lib64ice33-3.3.1-4.mga1 (Core Release)
php-ice-3.3.1-4.mga1 (Core 32bit Release)
php-ice-3.3.1-4.mga1 (Core Release)
----------------------------------------
Done.

Checked the other packages too, they don't add anything extra.
With the 4 packages from comment 18 installed..

The following 6 packages are going to be installed:
- mumble-1.2.3-1.2.mga1.x86_64
- mumble-11x-1.2.3-1.2.mga1.x86_64
- mumble-plugins-1.2.3-1.2.mga1.x86_64
- mumble-protocol-kde4-1.2.3-1.2.mga1.x86_64
- mumble-server-1.2.3-1.2.mga1.x86_64
- mumble-server-web-1.2.3-1.2.mga1.x86_64

# service mumble-server restart
Shutting down mumble-server: [ OK ]
Starting mumble-server: [ OK ]

Restarted httpd too and combinations of the two.

When I browse to http://localhost/cgi-bin/mumble-server/weblist.cgi I see the error below..

Error - http://localhost/cgi-bin/mumble-server/weblist.cgi
The page 'http://localhost/cgi-bin/mumble-server/weblist.cgi' couldn't be loaded.
Cannot connect to destination (localhost)

Checking /var/log/httpd/error.log
/usr/share/slice/Murmur.ice:9: error: Can't open include file "Ice/SliceChecksumDict.ice"
#include <Ice/SliceChecksumDict.ice>
1 error in preprocessor.
PHP Fatal error: Unable to start ice module in Unknown on line 0
I'm not sure what is normal here but with Mumble the server browser lists various servers and picking one at random I can connect to one. Using Mumble-11x it goes through steps to configure the audio devices but the server browser doesn't list any servers. I have to confess I didn't try this one before installing the update so not sure if it's a regression.
s/Mumble I/Mumble/
Colin, what do you think of the error met by Claire in comment #19, regarding Ice?
CC: (none) => stormi
Oh sorry, I missed this. I've no idea really. I suspect strongly that the ice support in Mageia packages has never worked, so I think it's not really a regression as such. But I've only personally used the mumble client once and never used the server so I really have no idea.
I just tested, mumble-server-web from release media doesn't have this problem, so I think you should rebuild mumble without ICE support so that we can validate the security update, and we'll open another bug report for the ICE problem. Unless you or someone wants to investigate the error now :)
This seems the same error as bug 6581. It's just a path error in the Murmur.ice file from mumble-server. Could you take another look at this Colin please. I left details on the other bug.
Hardware: i586 => All
Whiteboard: (none) => feedback
CC: jani.valimaa => (none)
mumble-1.2.3-1.3.mga1 should fix the php-ice issue
Whiteboard: feedback => (none)
Thanks Samuel. Updating the advisory again.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file (CVE-2012-0863).

Additionally, ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-1.3.mga1
mumble-11x-1.2.3-1.3.mga1
mumble-protocol-kde4-1.2.3-1.3.mga1
mumble-plugins-1.2.3-1.3.mga1
mumble-server-1.2.3-1.3.mga1
mumble-server-web-1.2.3-1.3.mga1

from mumble-1.2.3-1.3.mga1.src.rpm
Re-testing i586
Started httpd and mumble-server, seems ok now.

Added localhost as a new server in mumble and connected to it. I can see myself connected to the root at http://localhost/cgi-bin/mumble-server/weblist.cgi

Browsing to register.cgi initially gives an error..

Software error:
Missing configuration. Please edit either /etc/mumble-server.ini for systemwide installations, or murmur.pl for a personal one. at /usr/share/mumble-server-web/www/register.cgi line 98

After editing /etc/mumble-server.ini to add an email address and uncomment these lines & setting to localhost:
registerName=Mumble Server
registerPassword=secret
registerUrl=http://localhost/

register.cgi now shows a registration page

Testing complete Mageia 1 i586
Testing complete x86_64, same procedure

A question before validating though.. (Note: linking in comment 18 when it is)

This appears to suffer from the celt library problems in the same way as the mga2 version does. I'm not entirely sure whether this is working as expected.

Running it under strace..
$ strace -o strace.out mumble
$ grep celt strace.out | grep -v such
..returns nothing. It does search for several versions though, the newest of which appears to be 2.0.0

When connecting to localhost it shows a message "Unable to find matching CELT codecs with other clients. You will not be able to talk to all users." I am the only user so there just may not be any other clients. It appears on some public servers too and I seem to hear one side of the conversation.

Is this something that can/should be fixed for mga1 or should this now be validated?
Whiteboard: mga1-32-OK => mga1-32-OK mga1-64-OK
Whiteboard: mga1-32-OK mga1-64-OK => mga1-32-OK mga1-64-OK feedback
Adding Colin to CC. Colin could you please see comment 31 and let us know how you'd like us to proceed. Thanks!
Hi Claire. Apologies for the late reply. Not really sure about this one. All I know is that the library names on mga1 are fine and thus don't need the same mangling as mga2. I have no idea why it wouldn't even try and load the libraries on mga1. My only thought is that perhaps the bundled celt library stuff is not working. The mga2 spec has a "rm -rf celt*" in the %prep section to remove folders that might get in the way. That would be my only guess, but I have no mga1 machines to be able to test this theory.
Thanks Colin. Would you like us to validate this one or do you want to look into it further?
Whiteboard: mga1-32-OK mga1-64-OK feedback => mga1-32-OK mga1-64-OK
Validating the update.

Could someone from the sysadmin team push the srpm mumble-1.2.3-1.3.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates and link the following rpm packages from Core Release to Core Updates

ice-3.3.1-4.mga1 (Core 32bit Release (distrib31))
ice-3.3.1-4.mga1 (Core Release (distrib1))
lib64dbcxx4.8-4.8.30-5.mga1 (Core Release (distrib1))
lib64ice33-3.3.1-4.mga1 (Core Release (distrib1))
php-ice-3.3.1-4.mga1 (Core 32bit Release (distrib31))
php-ice-3.3.1-4.mga1 (Core Release (distrib1))

Advisory:

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file (CVE-2012-0863).

Additionally, ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
https://bugs.mageia.org/show_bug.cgi?id=6511
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Packages linked and update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0247
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED