Patch merged and pushed in latest MGA2 testing build.

Some other minor tidyups but none of the other fedora fixes were needed in our package.

Security patch merged and pushed to MGA1 testing.

I don't know about the celt library issues there, so I've not poked about too much with that in MGA1.

QA People: See also #6581 which has advisory text for the CELT issues in MGA2. I'd advise closing one or other of the bugs (this or that) and incorporating them into one.

Unless there are any issue, I'll step out now :)

Cheers

Assignee: bugsquad => qa-bugs

Thanks Colin.  Since the Mageia 2 update addresses additional issues, it's probably best to keep the bugs separate.  Let's use this bug for the Mageia 1 update and Bug 6581 for the Mageia 2 update.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for
.local/share/data/Mumble/.mumble.sqlite files in home directories,
which might allow local users to obtain a cleartext password and
configuration data by reading a file (CVE-2012-0863).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863

========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-1.1.mga1
mumble-11x-1.2.3-1.1.mga1
mumble-protocol-kde4-1.2.3-1.1.mga1
mumble-plugins-1.2.3-1.1.mga1
mumble-server-1.2.3-1.1.mga1
mumble-server-web-1.2.3-1.1.mga1

from mumble-1.2.3-1.1.mga1.src.rpm

Version: Cauldron => 1
Depends on: (none) => 6581
Whiteboard: MGA2TOO, MGA1TOO => (none)

Whoops, copy-paste failed.  Trying again.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for
.local/share/data/Mumble/.mumble.sqlite files in home directories,
which might allow local users to obtain a cleartext password and
configuration data by reading a file (CVE-2012-0863).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-1.1.mga1
mumble-11x-1.2.3-1.1.mga1
mumble-protocol-kde4-1.2.3-1.1.mga1
mumble-plugins-1.2.3-1.1.mga1
mumble-server-1.2.3-1.1.mga1
mumble-server-web-1.2.3-1.1.mga1

from mumble-1.2.3-1.1.mga1.src.rpm

Testing complete on Mageia 1 i586

$ ll .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw------- 1 dave dave 27648 Jun 26 18:52 .local/share/data/Mumble/Mumble/.mumble.sqlite

CC: (none) => davidwhodgins

Before
------

$ ll .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw-r--r-- 1 claire claire 35840 Jul  1 22:15 .local/share/data/Mumble/Mumble/.mumble.sqlite

After
-----
# urpmi mumble-server-web
A requested package cannot be installed:
mumble-server-web-1.2.3-1.1.mga1.x86_64 (due to unsatisfied pear(Murmur.php))

Appears to have an incorrect require Colin.


This is affected by bug 2317 so adding a depends, just as well I checked!


Most packages require these..
----------------------------------------
The following packages will require linking:

notification-daemon-0.5.0-2.mga1 (Core 32bit Release)
notification-daemon-0.5.0-2.mga1 (Core Release)
xfce4-notifyd-0.2.1-3.mga1 (Core 32bit Release)
xfce4-notifyd-0.2.1-3.mga1 (Core Release)

mumble-server-web requires these also..
----------------------------------------
sendmail-8.14.4-4.mga1 (Core 32bit Release)
sendmail-8.14.4-4.mga1 (Core Release)

Depends on: (none) => 2317

$ ll .local/share/data/Mumble/Mumble/.mumble.sqlite
-rw------- 1 claire claire 34816 Jul  1 22:34 .local/share/data/Mumble/Mumble/.mumble.sqlite

It does fix the CVE though.

There are two new dependencies in mumble-server-web
pear(Ice.php)
pear(Murmur.php)

I can't find any packages the provide either requires.

If the requires are not really needed, they should be removed.

If they really are required, then new packages are needed, to
provide them.

Reassigning back to Colint to take a look at comments 6 and 8.

CC: (none) => qa-bugs
Assignee: qa-bugs => mageia

I don't really know about the mumble package but we no longer build the mumble-server-web subpackage. Spec has:

%define build_web       0

but it was disabled a while back by dmorgan:

http://svnweb.mageia.org/packages?view=revision&revision=144150

So I guess it being enabled it on mga1 is a problem... That said, I don't know where such files would be needed... I'll have a quick look.

OK, so those two PHP files are only needed with php-ice >= 3.4 but we only have 3.3.1 in all versions, so I can just patch that out the way.

The php bits in our -web package for mga1 was never working anyway as the .ice file was apparently not installed so it's never worked to the best of my knowledge (although I've never used it and don't know anything about php-ice extension, so hard to say).

I've backported the relevant fixes and I'll see how the build fairs in mga2 with enabling ice support. If not I'll disable Ice, but enable -web part (it just won't include the .php files which may cripple it but meh - likely better than nothing)

OK, so the mga1 package now builds and I've been able to re-enable ice support.

The mga2 package *should* build with the -web and ice parts re-enabled but the repos are messed up with something relating to Qt, so it will have to wait.

cauldron won't build with -web and ice parts as new gcc breaks it.

All fun and games.

Indeed, qt4-common is missing from the mirrors in updates_testing.  Probably just resubmitting the build of qt4 would suffice (after deleting from mirrors or bumping subrel).

CC: (none) => balcaen.john

Built so far:
mumble-1.2.3-1.2.mga1
mumble-11x-1.2.3-1.2.mga1
mumble-protocol-kde4-1.2.3-1.2.mga1
mumble-plugins-1.2.3-1.2.mga1
mumble-server-1.2.3-1.2.mga1
mumble-server-web-1.2.3-1.2.mga1

from mumble-1.2.3-1.2.mga1.src.rpm

Pending:
Build for Mageia 2 once qt4 in updates_testing is fixed

Colin does anything need to be added to the advisories for the latest changes made to the packages?

Thanks Colin.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for
.local/share/data/Mumble/.mumble.sqlite files in home directories,
which might allow local users to obtain a cleartext password and
configuration data by reading a file (CVE-2012-0863).

Additionally, ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-1.2.mga1
mumble-11x-1.2.3-1.2.mga1
mumble-protocol-kde4-1.2.3-1.2.mga1
mumble-plugins-1.2.3-1.2.mga1
mumble-server-1.2.3-1.2.mga1
mumble-server-web-1.2.3-1.2.mga1

from mumble-1.2.3-1.2.mga1.src.rpm

CC: qa-bugs => (none)
Assignee: mageia => qa-bugs

Testing x86_64

For bug 2317

----------------------------------------
Running checks for "mumble-server-web" using media
"Core Release" and "Core Updates Testing".
----------------------------------------
Mageia release 1 (Official) for x86_64
Latest version found in "Core Release" is mumble-server-web-1.2.2-3.mga1
Latest version found in "Core Updates Testing" is mumble-server-web-1.2.3-1.2.mga1
----------------------------------------
The following packages will require linking:

ice-3.3.1-4.mga1 (Core 32bit Release)
ice-3.3.1-4.mga1 (Core Release)
lib64dbcxx4.8-4.8.30-5.mga1 (Core Release)
lib64ice33-3.3.1-4.mga1 (Core Release)
php-ice-3.3.1-4.mga1 (Core 32bit Release)
php-ice-3.3.1-4.mga1 (Core Release)
----------------------------------------
Done.

Checked the other packages too, they don't add anything extra.

With the 4 packages from comment 18 installed..

The following 6 packages are going to be installed:

- mumble-1.2.3-1.2.mga1.x86_64
- mumble-11x-1.2.3-1.2.mga1.x86_64
- mumble-plugins-1.2.3-1.2.mga1.x86_64
- mumble-protocol-kde4-1.2.3-1.2.mga1.x86_64
- mumble-server-1.2.3-1.2.mga1.x86_64
- mumble-server-web-1.2.3-1.2.mga1.x86_64

# service mumble-server restart
Shutting down mumble-server:                                   [  OK  ]
Starting mumble-server:                                        [  OK  ]

Restarted httpd too and combinations of the two.

When I browse to http://localhost/cgi-bin/mumble-server/weblist.cgi
I see the error below..

Error - http://localhost/cgi-bin/mumble-server/weblist.cgi
The page 'http://localhost/cgi-bin/mumble-server/weblist.cgi' couldn't be loaded.
Cannot connect to destination (localhost)

Checking /var/log/httpd/error.log

/usr/share/slice/Murmur.ice:9: error: Can't open include file "Ice/SliceChecksumDict.ice"
    #include <Ice/SliceChecksumDict.ice>
1 error in preprocessor.
PHP Fatal error:  Unable to start ice module in Unknown on line 0

I'm not sure what is normal here but with Mumble I the server browser lists various servers and picking one at random I can connect to one.

Using Mumble-11x it goes through steps to configure the audio devices but the server browser doesn't list any servers. I have to confess I didn't try this one before installing the update so not sure if it's a regression.

s/Mumble I/Mumble/

Colin, what do you think of the error met by Claire in comment #19, regarding Ice?

CC: (none) => stormi

Oh sorry, I missed this.

I've no idea really. I suspect strongly that the ice support in Mageia packages has never worked, so I think it's not really a regression as such.

But I've only personally used mubmle client once and never used the server so I really have no idea.

I just tested, mumble-server-web from release media doesn't have this problem, so I think you should rebuild mumble without ICE support so that we can validate the security update, and we'll open another bug report for the ICE pb. Unless you or someone wants to investigate the error now :)

This seems the same error as bug 6581. It's just a path error in the Murmur.ice file from mumble-server.

Could you take another look at this Colin please. I left details on the other bug.

Hardware: i586 => All
Whiteboard: (none) => feedback

mumble-1.2.3-1.3.mga1 should fix the php-ice issue

Whiteboard: feedback => (none)

Thanks Samuel.  Updating the advisory again.

Advisory:
========================

Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for
.local/share/data/Mumble/.mumble.sqlite files in home directories,
which might allow local users to obtain a cleartext password and
configuration data by reading a file (CVE-2012-0863).

Additionally, ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411
========================

Updated packages in core/updates_testing:
========================
mumble-1.2.3-1.3.mga1
mumble-11x-1.2.3-1.3.mga1
mumble-protocol-kde4-1.2.3-1.3.mga1
mumble-plugins-1.2.3-1.3.mga1
mumble-server-1.2.3-1.3.mga1
mumble-server-web-1.2.3-1.3.mga1

from mumble-1.2.3-1.3.mga1.src.rpm

Re-testing i586

Started httpd and mumble-server, seems ok now.

Added localhost as a new server in mumble and connected to it

I can see myself connected to the root at 
http://localhost/cgi-bin/mumble-server/weblist.cgi

Browsing to register.cgi initially gives an error..

Software error:

Missing configuration.
  Please edit either /etc/mumble-server.ini for systemwide installations,
  or murmur.pl for a personal one.
   at /usr/share/mumble-server-web/www/register.cgi line 98


After editing /etc/mumble-server.ini to add an email address and uncomment these lines & setting to localhost:

registerName=Mumble Server
registerPassword=secret
registerUrl=http://localhost/

register.cgi now shows a registration page

Testing complete Mageia 1 i586

Testing x86_64

Testing complete x86_64, same procedure

A question before validating though.. 

(Note: linking in comment 18 when it is)

This appears to suffer from the celt library problems in the same way as mga2 version does.

I'm not entirely sure whether this is working as expected.

Running it under strace..

$ strace -o strace.out mumble
$ grep celt strace.out | grep -v such

..returns nothing. It does search for several versions though, the newest of which appears to be 2.0.0

When connecting to localhost it shows a message 

"Unable to find matching CELT codecs with other clients. You will not be able to talk to all users."

I am the only user so there just may not be any other clients. It appears on some public servers too and I seem to hear one side of the conversation.

Is this something that can/should be fixed for mga1 or should this now be validated?

Adding Colin to CC.

Colin could you please see comment 31 and let us know how you'd like us to proceed. Thanks!

Hi Claire. Apologies for the late reply.

Not really sure about this one. All I know is that the library names on mga1 are fine and thus don't need the same mangling as mga2. I have no idea why it wouldn't even try and load the libraries on mga1.

My only thought is that perhaps the bundled celt library stuff is not working. The mga2 spec has a "rm -rf celt*" in the %prep section to remove folders that might get in the way. That would be my only guess, but I have no mga1 machines to be able to test this theory.

Thanks Colin.

Would you like us to validate this one or do you want to look into it further?

Whiteboard: mga1-32-OK mga1-64-OK feedback => mga1-32-OK mga1-64-OK

Validating the update.

Could someone from the sysadmin team push the srpm
mumble-1.2.3-1.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates and
link the following rpm packages from Core Release to Core Updates
ice-3.3.1-4.mga1 (Core 32bit Release (distrib31))
ice-3.3.1-4.mga1 (Core Release (distrib1))
lib64dbcxx4.8-4.8.30-5.mga1 (Core Release (distrib1))
lib64ice33-3.3.1-4.mga1 (Core Release (distrib1))
php-ice-3.3.1-4.mga1 (Core 32bit Release (distrib31))
php-ice-3.3.1-4.mga1 (Core Release (distrib1))

Advisory: Updated mumble packages fix security vulnerability:

Mumble 1.2.3 and earlier uses world-readable permissions for
.local/share/data/Mumble/.mumble.sqlite files in home directories,
which might allow local users to obtain a cleartext password and
configuration data by reading a file (CVE-2012-0863).

Additionally, ICE support has been enabled.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0863
http://www.debian.org/security/2012/dsa-2411

https://bugs.mageia.org/show_bug.cgi?id=6511

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Packages linked and update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0247

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED