Luigi Auriemma reported [1] a deficiency in the way Mumble server processed malformed SQL query data. A remote, authenticated user could use this flaw to cause a denial of service (mumble server termination) via a specially crafted QueryUsers Qt SQLite SQL query.

[1] http://aluigi.altervista.org/adv/mumbleed-adv.txt

References:
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587713

Public PoC:
[3] http://aluigi.org/poc/mumbleed.zip

CVE Request:
[4] http://www.openwall.com/lists/oss-security/2010/07/02/2
This is the commit that was used by Debian to fix the flaw:
https://github.com/mumble-voip/mumble/commit/6b33dda344f89e5a039b7d79eb43925040654242

The problem seems to be related to long usernames and the LIKE statement; the upstream commit message is:

  "Don't crash on long usernames"

and the corresponding Debian changelog entry is:

  mumble (1.2.2-4) unstable; urgency=high
    * Fix failure with SQLite with very long 'like' matches. Closes: #587713

This would affect all of the versions of mumble we are shipping.
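The failure mode described in the two comments above (a client-supplied name forwarded into a LIKE pattern, with an over-long pattern making SQLite refuse the query and the server dying on that error) can be reproduced against SQLite directly. The following is an added illustration written for this bug page; it is not Mumble's code and not the upstream fix. It assumes a server that treats any SQL error as fatal (modelled by the ServerAbort exception), a hypothetical users table, and a hypothetical name bound MAX_NAME_LEN of 255; the default SQLite compile-time LIKE pattern limit of 50000 bytes is what makes the unchecked path fail.

```python
import sqlite3


class ServerAbort(RuntimeError):
    """Stands in for a server that aborts on any SQL error (assumption, not Mumble's code)."""


MAX_NAME_LEN = 255  # hypothetical bound on a client-supplied user name


def make_db():
    """Constructed sample database: an in-memory users table with three registered names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users(name) VALUES (?)",
                     [("alice",), ("alistair",), ("bob",)])
    return conn


def query_users_unchecked(conn, name):
    """Vulnerable shape: the client string becomes a LIKE pattern with no length check.

    SQLite rejects a LIKE pattern longer than SQLITE_LIMIT_LIKE_PATTERN_LENGTH
    (default 50000 bytes) with "LIKE or GLOB pattern too complex"; a server that
    treats that as fatal terminates, which is the remote DoS.
    """
    try:
        return conn.execute(
            "SELECT user_id, name FROM users WHERE name LIKE ? ORDER BY user_id",
            (name + "%",),
        ).fetchall()
    except sqlite3.OperationalError as e:
        raise ServerAbort(f"SQL error treated as fatal: {e}") from e


def query_users_checked(conn, name):
    """Hardened shape: bound the untrusted input before it reaches the query, and
    treat a failed lookup as a rejected request rather than a reason to exit."""
    if not name or len(name) > MAX_NAME_LEN:
        return None  # reject the request; the server keeps serving other clients
    try:
        return conn.execute(
            "SELECT user_id, name FROM users WHERE name LIKE ? ORDER BY user_id",
            (name + "%",),
        ).fetchall()
    except sqlite3.OperationalError:
        return None  # recoverable: log and refuse, never abort on client-triggered errors


def unchecked_aborts(conn, name):
    """True if the unchecked path would take the server down for this input."""
    try:
        query_users_unchecked(conn, name)
    except ServerAbort:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    oversized = "a" * 200000  # well past SQLite's default LIKE pattern limit
    print("normal lookup:", query_users_unchecked(db, "ali"))
    print("unchecked path aborts on oversized name:", unchecked_aborts(db, oversized))
    print("checked path on oversized name:", query_users_checked(db, oversized))
```

The two changes in query_users_checked are independent: the length bound stops the oversized pattern from ever reaching SQLite, and catching the error instead of aborting means that any other client-triggerable query failure is a refused request rather than a server restart.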
Created mumble tracking bugs for this issue Affects: fedora-all [bug 691545]
Will have the fix out by Tue/Wed evening, thereby updating to 1.2.3. Mh. Why didn't I see the report back in July?
Not sure why you didn't see it back then, but thank you for looking after it now.
You're welcome. Mumble's been a bit neglected by me as I'm still waiting for this review: #641572. But I guess I'll just make it a subpackage or so, given that mumble is the sole package needing it and we need that security fix now.
I have packaged mumble 1.2.3 locally. I am still awaiting the celt071 review which I was told will definitely happen this weekend. Once that package is reviewed, I will push the update -- unless you'd like me to push the upgrade first and then push the next update with the celt071 dependency.
If it happens this week, waiting for that review is fine. This issue is pretty old, so waiting another few days or week isn't going to be a big problem.
Any updates on this?
Yes, I'm going to catch up on this work today. Sorry, this last part of school has, once again, proven more work-intensive than expected. Going to push the update later today.
The CVE identifier CVE-2010-2490 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2010/07/02/11
Mumble 1.2.3 has reached stable by now. Seems like I forgot these two bugs in the bodhi update. Closing.
(In reply to comment #13)
> Mumble 1.2.3 has reached stable by now.
> Seems like I forgot these two bugs in the bodhi update.
>
> Closing.

Thanks Andreas, will mention the relevant updates yet and change the resolution of this bug to errata.
This issue has been addressed in the following updates:

1) mumble-1.2.3-2.fc15 for Fedora-15:
   http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060747.html

2) mumble-1.2.3-2.fc14 for Fedora-14:
   http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061217.html