Bug 610845 (CVE-2010-2490) - CVE-2010-2490 Mumble: Remotely exploitable DoS (murmur server termination) due to QueryUsers Qt SQLite database bug
Status: CLOSED ERRATA
Alias: CVE-2010-2490
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20100629,reported=20100701,sou...
Keywords: Security
Depends On: 691545
Blocks:
Reported: 2010-07-02 15:06 UTC by Jan Lieskovsky
Modified: 2019-06-08 13:02 UTC (History)
Last Closed: 2011-06-08 13:07:22 UTC



Description Jan Lieskovsky 2010-07-02 15:06:42 UTC
Luigi Auriemma reported:
  [1] http://aluigi.altervista.org/adv/mumbleed-adv.txt

a deficiency in the way the Mumble server processed malformed SQL query data.
A remote, authenticated user could use this flaw to cause a denial of service
(mumble server termination) via a specially-crafted QueryUsers Qt SQLite SQL query.

References:
  [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587713

Public PoC:
  [3] http://aluigi.org/poc/mumbleed.zip

CVE Request:
  [4] http://www.openwall.com/lists/oss-security/2010/07/02/2

Comment 2 Vincent Danen 2011-03-28 19:43:20 UTC
This is the commit that was used by Debian to fix the flaw:

https://github.com/mumble-voip/mumble/commit/6b33dda344f89e5a039b7d79eb43925040654242

The problem seems to be related to long usernames and the LIKE statement; the upstream commit message is:

"Don't crash on long usernames"

and the corresponding Debian changelog entry is:


mumble (1.2.2-4) unstable; urgency=high

  * Fix failure with SQLite with very long 'like' matches.
    Closes: #587713

This would affect all of the versions of mumble we are shipping.
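The failure mode described in this comment (a long username reaching a LIKE clause and the server dying on the resulting query error), as an added Python/sqlite3 example; this is not code from Mumble, from the upstream commit or from the Debian fix. The table, the sample names, the 64-character cap and the fatal-on-error handler are constructed assumptions. The page does not state the exact crash mechanism inside murmur, so the example only shows SQLite's own LIKE pattern-length limit as one way such a query fails, and the two defensive measures a server needs: bound untrusted input before it reaches SQL, and make a query failure a per-request error rather than a process exit.

```python
"""Constructed example (not Mumble/murmur code): how an over-long LIKE pattern
becomes a query failure in SQLite, and why a server should reject or handle
that failure instead of treating it as fatal.

Assumptions: the table, column names and the 64-character cap are invented
for this illustration; the real murmur schema and fix are not reproduced."""
import sqlite3

# Assumed upper bound for a username filter; not a value taken from Mumble.
MAX_NAME_LEN = 64

QUERY = "SELECT user_id, name FROM players WHERE name LIKE ? ORDER BY name"


def setup_db():
    """In-memory database with a few constructed rows. There is no index on
    `name`, so SQLite evaluates the LIKE function for every row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (user_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO players (name) VALUES (?)",
                     [("alice",), ("albert",), ("bob",)])
    return conn


def raw_like_error(conn, pattern):
    """Run the LIKE query with the pattern as-is and return the SQLite error
    text, or None if the query succeeded. SQLite refuses LIKE patterns longer
    than SQLITE_LIMIT_LIKE_PATTERN_LENGTH (50000 bytes by default)."""
    try:
        conn.execute(QUERY, (pattern,)).fetchall()
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def query_users_fatal(conn, name_filter):
    """Handler mirroring the vulnerable pattern: any database error is treated
    as fatal, so a single request can take the whole server down."""
    try:
        rows = conn.execute(QUERY, (name_filter + "%",)).fetchall()
    except sqlite3.Error as exc:
        raise SystemExit(f"fatal: database query failed: {exc}")
    return [name for _, name in rows]


def query_users_hardened(conn, name_filter):
    """Hardened handler: bound the untrusted filter length before it reaches
    SQL, and turn any remaining query error into a per-request failure."""
    if len(name_filter) > MAX_NAME_LEN:
        return {"status": "rejected", "users": []}
    try:
        rows = conn.execute(QUERY, (name_filter + "%",)).fetchall()
    except sqlite3.Error:
        return {"status": "error", "users": []}
    return {"status": "ok", "users": [name for _, name in rows]}


def serve(handler, conn, name_filter):
    """Simulated request dispatch: reports whether the process survived."""
    try:
        return "alive", handler(conn, name_filter)
    except SystemExit:
        return "terminated", None


if __name__ == "__main__":
    db = setup_db()
    long_name = "a" * 200_000          # constructed over-long username filter
    print(raw_like_error(db, long_name))
    print(serve(query_users_fatal, db, long_name))
    print(serve(query_users_hardened, db, long_name))
    print(serve(query_users_hardened, db, "al"))
```

The length cap is the cheap, early check; the exception handling is the one that matters for availability, because it keeps any database error (not only this one) confined to the request that caused it.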

Comment 3 Vincent Danen 2011-03-28 19:43:55 UTC
Created mumble tracking bugs for this issue

Affects: fedora-all [bug 691545]

Comment 4 Andreas Osowski 2011-03-28 20:05:05 UTC
Will have the fix out by tue / wed evening,
thereby updating to 1.2.3

Mh. Why didn't I see the report back in July.

Comment 5 Vincent Danen 2011-03-28 20:52:00 UTC
Not sure why you didn't see it back then, but thank you for looking after it now.

Comment 6 Andreas Osowski 2011-03-28 20:57:31 UTC
You're welcome. Mumble's been a bit neglected by me as I'm still waiting for this review #641572.
But I guess I'll just make it a subpackage or so given that mumble is the sole package needing it and we need that security fix now.

Comment 7 Andreas Osowski 2011-03-30 18:53:54 UTC
I have packaged mumble 1.2.3 locally.
I am still awaiting the celt071 review which I was told will definitely happen this weekend.

Once that package is reviewed, I will push the update -- unless you'd like me to push the upgrade first and then push the next update with the celt071 dependency.

Comment 8 Vincent Danen 2011-03-30 19:34:13 UTC
If it happens this week, waiting for that review is fine.  This issue is pretty old, so waiting another few days or week isn't going to be a big problem.

Comment 9 Stewart Adam 2011-05-14 02:06:12 UTC
Any updates on this?

Comment 10 Andreas Osowski 2011-05-14 08:23:24 UTC
Yes, I'm going to catch up on this work today.
Sorry, this last part of school has, once again, proven more work-intensive than expected.
Going to push the update later today.

Comment 12 Jan Lieskovsky 2011-06-08 12:57:35 UTC
The CVE identifier of CVE-2010-2490 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2010/07/02/11

Comment 13 Andreas Osowski 2011-06-08 13:07:22 UTC
Mumble 1.2.3 has reached stable by now.
Seems like I forgot these two bugs in the bodhi update.

Closing.

Comment 14 Jan Lieskovsky 2011-06-08 13:10:42 UTC
(In reply to comment #13)
> Mumble 1.2.3 has reached stable by now.
> Seems like I forgot these two bugs in the bodhi update.
> 
> Closing.

Thanks Andreas, will mention the relevant updates yet and change the resolution
of this bug to errata.

Comment 15 Jan Lieskovsky 2011-06-08 13:12:46 UTC
This issue has been addressed in the following updates:
1) mumble-1.2.3-2.fc15 for Fedora-15:
http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060747.html
2) mumble-1.2.3-2.fc14 for Fedora-14:
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061217.html