It was discovered that mumble created its database file (~/.local/share/data/Mumble/.mumble.sqlite) with insecure world-readable permissions. If the user had (non-default) permissions on their home directory, another local user could obtain password and configuration settings from the database file [1]. This has been corrected in upstream git [2] and is reported as affecting 1.2.3 and earlier.

[1] https://bugs.launchpad.net/ubuntu/+source/mumble/+bug/783405
[2] https://github.com/mumble-voip/mumble/commit/5632c35d6759f5e13a7dfe78e4ee6403ff6a8e3e
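
The exposure described in this report depends on both the file's mode and the directories above it. The following is an added example, not code from Mumble or from this bug report: a mode-bit audit that tells a world-readable file shielded only by a restrictive home directory apart from one another local user can actually reach. The function names and the temporary directory layout are constructed for illustration.

```python
import os
import stat
import tempfile

def world_readable(path):
    """True if the file mode grants read to the 'other' class."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def world_traversable(path, root="/"):
    """True if every directory from root down to path's parent has o+x."""
    root = os.path.realpath(root)
    d = os.path.dirname(os.path.realpath(path))
    while True:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False
        if d == root or d == os.path.dirname(d):
            return True
        d = os.path.dirname(d)

def audit(path, root="/"):
    """'ok', 'latent' (shielded only by a parent directory) or 'exposed'.
    Looks at mode bits only; ACLs and group membership are not considered."""
    if not world_readable(path):
        return "ok"
    return "exposed" if world_traversable(path, root) else "latent"

def harden(path):
    """Restrict the file to its owner (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)

def demo():
    """Constructed layout: a temporary 'home' with the database path from the report."""
    results = []
    with tempfile.TemporaryDirectory() as home:
        dbdir = os.path.join(home, ".local", "share", "data", "Mumble")
        os.makedirs(dbdir)
        for dirpath, _, _ in os.walk(home):
            os.chmod(dirpath, 0o755)
        db = os.path.join(dbdir, ".mumble.sqlite")
        open(db, "wb").close()
        os.chmod(db, 0o644)              # world-readable, as in the report
        os.chmod(home, 0o700)            # restrictive home directory
        results.append(audit(db, home))  # latent
        os.chmod(home, 0o755)            # permissive home directory
        results.append(audit(db, home))  # exposed
        harden(db)
        results.append(audit(db, home))  # ok
    return results

if __name__ == "__main__":
    print(demo())
```

A "latent" result still warrants tightening the file itself, since any later change to a parent directory's mode turns it into "exposed".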
This has been assigned CVE-2012-0863: http://seclists.org/oss-sec/2012/q1/433
Created mumble tracking bugs for this issue
Affects: fedora-all [bug 791058]
mumble-1.2.3-5.fc16.1 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
mumble-1.2.3-4.fc15.1 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
mumble-1.2.3-7.fc17.1 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.