Bug 610845 - (CVE-2010-2490) CVE-2010-2490 Mumble: Remotely exploitable DoS (murmur server termination) due to QueryUsers Qt SQLite database bug
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: public=20100629,reported=20100701,sou...
Keywords: Security
Depends On: 691545
Reported: 2010-07-02 11:06 EDT by Jan Lieskovsky
Modified: 2011-06-08 09:32 EDT
Doc Type: Bug Fix
Last Closed: 2011-06-08 09:07:22 EDT
Description Jan Lieskovsky 2010-07-02 11:06:42 EDT
Luigi Auriemma reported:
  [1] http://aluigi.altervista.org/adv/mumbleed-adv.txt

a deficiency in the way the Mumble server processed malformed SQL query data.
A remote, authenticated user could use this flaw to cause a denial of service
(mumble server termination) via a specially crafted QueryUsers Qt SQLite SQL query.

References:
  [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587713

Public PoC:
  [3] http://aluigi.org/poc/mumbleed.zip

CVE Request:
  [4] http://www.openwall.com/lists/oss-security/2010/07/02/2
Comment 2 Vincent Danen 2011-03-28 15:43:20 EDT
This is the commit that was used by Debian to fix the flaw:

https://github.com/mumble-voip/mumble/commit/6b33dda344f89e5a039b7d79eb43925040654242

The problem seems to be related to long usernames and the LIKE statement; the upstream commit message is:

"Don't crash on long usernames"

and the corresponding Debian changelog entry is:


mumble (1.2.2-4) unstable; urgency=high

  * Fix failure with SQLite with very long 'like' matches.
    Closes: #587713

This would affect all of the versions of mumble we are shipping.
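The long-username / LIKE failure described in comment 2, as an added Python example written for this page (it is neither Mumble's ServerDB code nor the upstream fix): a client-controlled string bound as a LIKE pattern that exceeds SQLite's SQLITE_LIMIT_LIKE_PATTERN_LENGTH makes the like() function return "LIKE or GLOB pattern too complex", and a server that treats any query failure as fatal terminates with it. The table layout, the sample rows and the 255-byte username bound in the hardened lookup are assumptions, not values taken from Mumble.

```python
"""Illustrative reproduction of the failure class behind CVE-2010-2490 against a
throwaway in-memory SQLite database.  Written for this page; not Mumble code."""
import sqlite3

# SQLite's compile-time default for SQLITE_LIMIT_LIKE_PATTERN_LENGTH.
SQLITE_DEFAULT_LIKE_PATTERN_LIMIT = 50000
# Assumed application-level bound on usernames; Mumble's own limit is not
# stated on this page.
MAX_USERNAME_BYTES = 255


def make_db():
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def like_pattern_limit(conn):
    """Read the connection's LIKE pattern limit (Python 3.11+); otherwise
    fall back to SQLite's compile-time default."""
    try:
        return conn.getlimit(sqlite3.SQLITE_LIMIT_LIKE_PATTERN_LENGTH)
    except AttributeError:
        return SQLITE_DEFAULT_LIKE_PATTERN_LIMIT


def query_users_unchecked(conn, name):
    """Vulnerable shape: the client-supplied name goes straight into LIKE.
    Parameter binding prevents injection but not the length problem; an
    over-long pattern makes the statement fail at row evaluation time."""
    rows = conn.execute("SELECT user_id FROM users WHERE name LIKE ?", (name,)).fetchall()
    return [r[0] for r in rows]


def query_users_bounded(conn, name):
    """Hardened shape: reject oversized names before any query is issued.
    Returns None for a rejected name, otherwise the matching user IDs."""
    if len(name.encode("utf-8")) > MAX_USERNAME_BYTES:
        return None
    return query_users_unchecked(conn, name)


def probe(conn, name):
    """Run the unchecked lookup and report ('ok', ids) or ('error', message).
    In a server that aborts on query failure, the 'error' branch is the crash."""
    try:
        return ("ok", query_users_unchecked(conn, name))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    long_name = "a" * (like_pattern_limit(db) + 1)
    print(probe(db, "alice"))
    print(probe(db, long_name))
    print(query_users_bounded(db, long_name))
```

The point of the bounded variant is that the check happens before the statement is executed: binding the name as a parameter is necessary for injection safety but does nothing for pattern length, and the error surfaces only when like() is evaluated against a row, so an empty table would hide the problem in testing. Note also that `%` and `_` in the name are still interpreted as wildcards by LIKE; this example only addresses the length failure the bug describes.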
Comment 3 Vincent Danen 2011-03-28 15:43:55 EDT
Created mumble tracking bugs for this issue

Affects: fedora-all [bug 691545]
Comment 4 Andreas Osowski 2011-03-28 16:05:05 EDT
Will have the fix out by Tue/Wed evening, thereby updating to 1.2.3.

Mh. Why didn't I see the report back in July.
Comment 5 Vincent Danen 2011-03-28 16:52:00 EDT
Not sure why you didn't see it back then, but thank you for looking after it now.
Comment 6 Andreas Osowski 2011-03-28 16:57:31 EDT
You're welcome. Mumble's been a bit neglected by me as I'm still waiting for this review #641572 
But I guess I'll just make it a subpackage or so given that mumble is the sole package needing it and we need that security fix now.
Comment 7 Andreas Osowski 2011-03-30 14:53:54 EDT
I have packaged mumble 1.2.3 locally.
I am still awaiting the celt071 review which I was told will definitely happen this weekend.

Once that package is reviewed, I will push the update -- unless you'd like me to push the upgrade first and then push the next update with the celt071 dependency.
Comment 8 Vincent Danen 2011-03-30 15:34:13 EDT
If it happens this week, waiting for that review is fine.  This issue is pretty old, so waiting another few days or week isn't going to be a big problem.
Comment 9 Stewart Adam 2011-05-13 22:06:12 EDT
Any updates on this?
Comment 10 Andreas Osowski 2011-05-14 04:23:24 EDT
Yes, I'm going to catch up on this work today.
Sorry, this last part of school has, once again, proven more work-intensive than expected.
Going to push the update later today.
Comment 12 Jan Lieskovsky 2011-06-08 08:57:35 EDT
The CVE identifier of CVE-2010-2490 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2010/07/02/11
Comment 13 Andreas Osowski 2011-06-08 09:07:22 EDT
Mumble 1.2.3 has reached stable by now.
Seems like I forgot these two bugs in the bodhi update.

Closing.
Comment 14 Jan Lieskovsky 2011-06-08 09:10:42 EDT
(In reply to comment #13)
> Mumble 1.2.3 has reached stable by now.
> Seems like I forgot these two bugs in the bodhi update.
> 
> Closing.

Thanks Andreas, will mention the relevant updates yet and change the resolution
of this bug to errata.
Comment 15 Jan Lieskovsky 2011-06-08 09:12:46 EDT
This issue has been addressed in the following updates:
1) mumble-1.2.3-2.fc15 for Fedora-15:
http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060747.html
2) mumble-1.2.3-2.fc14 for Fedora-14:
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061217.html
