Debian Bug report logs - #737739
mumble: CVE-2014-0044 CVE-2014-0045


Package: src:mumble; Maintainer for src:mumble is Christopher Knadle <Chris.Knadle@coredump.us>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 5 Feb 2014 15:15:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version mumble/1.2.3-349-g315b5f5-2.2

Fixed in versions mumble/1.2.3-349-g315b5f5-2.2+deb7u1, mumble/1.2.4-0.2

Done: Christopher Knadle <Chris.Knadle@coredump.us>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ron Lee <ron@debian.org>:
Bug#737739; Package src:mumble. (Wed, 05 Feb 2014 15:15:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ron Lee <ron@debian.org>. (Wed, 05 Feb 2014 15:15:07 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mumble: CVE-2014-0044 CVE-2014-0045
Date: Wed, 05 Feb 2014 16:10:36 +0100
Source: mumble
Version: 1.2.3-349-g315b5f5-2.2
Severity: grave
Tags: security upstream fixed-upstream

Hi

Mumble has released a new upstream version fixing CVE-2014-0044 and
CVE-2014-0045. See upstream commits at:

https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079

Upstream announces at

http://mumble.info/security/Mumble-SA-2014-001.txt
http://mumble.info/security/Mumble-SA-2014-002.txt

Regards,
Salvatore



Marked as fixed in versions mumble/1.2.3-349-g315b5f5-2.2+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Feb 2014 15:51:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ron Lee <ron@debian.org>:
Bug#737739; Package src:mumble. (Wed, 05 Feb 2014 16:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Chris.Knadle@coredump.us:
Extra info received and forwarded to list. Copy sent to Ron Lee <ron@debian.org>. (Wed, 05 Feb 2014 16:12:05 GMT) Full text and rfc822 format available.

Message #12 received at 737739@bugs.debian.org (full text, mbox):

From: Chris Knadle <Chris.Knadle@coredump.us>
To: Salvatore Bonaccorso <carnil@debian.org>, 737739@bugs.debian.org
Subject: Re: Bug#737739: mumble: CVE-2014-0044 CVE-2014-0045
Date: Wed, 05 Feb 2014 11:09 -0500
On Wednesday, February 05, 2014 16:10:36 Salvatore Bonaccorso wrote:
> Source: mumble
> Version: 1.2.3-349-g315b5f5-2.2
> Severity: grave
> Tags: security upstream fixed-upstream
> 
> Hi
> 
> Mumble has released a new upstream version fixing CVE-2014-0044 and
> CVE-2014-0045. See upstream commits at:
> 
> https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
> https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079
> 
> Upstream announces at
> 
> http://mumble.info/security/Mumble-SA-2014-001.txt
> http://mumble.info/security/Mumble-SA-2014-002.txt
> 
> Regards,
> Salvatore

Thanks for fixing this.

As these commits were authored only 5 days ago I'd think the current 1.2.4-0.1
package in Sid and Jessie has this issue too, unless there's some other
mitigating factor with the stable 1.2.4 version.

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us



Information forwarded to debian-bugs-dist@lists.debian.org, Ron Lee <ron@debian.org>:
Bug#737739; Package src:mumble. (Wed, 05 Feb 2014 21:18:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ron Lee <ron@debian.org>. (Wed, 05 Feb 2014 21:18:13 GMT) Full text and rfc822 format available.

Message #17 received at 737739@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris.Knadle@coredump.us, 737739@bugs.debian.org
Subject: Re: Bug#737739: mumble: CVE-2014-0044 CVE-2014-0045
Date: Wed, 5 Feb 2014 22:16:32 +0100
Hi Chris,

On Wed, Feb 05, 2014 at 11:09:00AM -0500, Chris Knadle wrote:
> On Wednesday, February 05, 2014 16:10:36 Salvatore Bonaccorso wrote:
> > Source: mumble
> > Version: 1.2.3-349-g315b5f5-2.2
> > Severity: grave
> > Tags: security upstream fixed-upstream
> > 
> > Hi
> > 
> > Mumble has released a new upstream version fixing CVE-2014-0044 and
> > CVE-2014-0045. See upstream commits at:
> > 
> > https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
> > https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079
> > 
> > Upstream announces at
> > 
> > http://mumble.info/security/Mumble-SA-2014-001.txt
> > http://mumble.info/security/Mumble-SA-2014-002.txt
> > 
> > Regards,
> > Salvatore
> 
> Thanks for fixing this.
> 
> As these commits were authored only 5 days ago I'd think the current 1.2.4-0.1
> package in Sid and Jessie has this issue too, unless there's some other
> mitigating factor with the stable 1.2.4 version.

Yes it is also as it's supporting Opus; reason is that I concentrated
first on the wheezy-security upload.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Ron Lee <ron@debian.org>:
Bug#737739; Package src:mumble. (Wed, 05 Feb 2014 21:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Chris.Knadle@coredump.us:
Extra info received and forwarded to list. Copy sent to Ron Lee <ron@debian.org>. (Wed, 05 Feb 2014 21:33:05 GMT) Full text and rfc822 format available.

Message #22 received at 737739@bugs.debian.org (full text, mbox):

From: Chris Knadle <Chris.Knadle@coredump.us>
To: Salvatore Bonaccorso <carnil@debian.org>, 737739@bugs.debian.org
Subject: Re: Bug#737739: mumble: CVE-2014-0044 CVE-2014-0045
Date: Wed, 05 Feb 2014 16:31:07 -0500
On Wednesday, February 05, 2014 22:16:32 Salvatore Bonaccorso wrote:
> Hi Chris,
> 
> On Wed, Feb 05, 2014 at 11:09:00AM -0500, Chris Knadle wrote:
> > On Wednesday, February 05, 2014 16:10:36 Salvatore Bonaccorso wrote:
> > > Source: mumble
> > > Version: 1.2.3-349-g315b5f5-2.2
> > > Severity: grave
> > > Tags: security upstream fixed-upstream
> > > 
> > > Hi
> > > 
> > > Mumble has released a new upstream version fixing CVE-2014-0044 and
> > > CVE-2014-0045. See upstream commits at:
> > > 
> > > https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
> > > https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079
> > > 
> > > Upstream announces at
> > > 
> > > http://mumble.info/security/Mumble-SA-2014-001.txt
> > > http://mumble.info/security/Mumble-SA-2014-002.txt
> > > 
> > > Regards,
> > > Salvatore
> > 
> > Thanks for fixing this.
> > 
> > As these commits were authored only 5 days ago I'd think the current
> > 1.2.4-0.1 package in Sid and Jessie has this issue too, unless there's
> > some other mitigating factor with the stable 1.2.4 version.
> 
> Yes it is also as it's supporting Opus; reason is that I concentrated
> first on the wheezy-security upload.

Okay.  Currently there's ABI breakage in protobuf 2.5.0-7 which will be fixed
with the -9 upload once it's finished being built; I have to wait for that
before we can upload a new 1.2.4 mumble package with the fixes.  I've got both of the
CVE patches queued for the next upload which I'm looking to do this weekend,
but if you'd like to do a security fix on 1.2.4-0.1 after the protobuf -9
build, go ahead and do so.

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us
[12-Mumble-SA-2014-001.patch (text/x-patch, attachment)]
[14-Mumble-SA-2014-002.patch (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ron Lee <ron@debian.org>:
Bug#737739; Package src:mumble. (Wed, 05 Feb 2014 21:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ron Lee <ron@debian.org>. (Wed, 05 Feb 2014 21:45:04 GMT) Full text and rfc822 format available.

Message #27 received at 737739@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Knadle <Chris.Knadle@coredump.us>
Cc: 737739@bugs.debian.org
Subject: Re: Bug#737739: mumble: CVE-2014-0044 CVE-2014-0045
Date: Wed, 5 Feb 2014 22:42:12 +0100
Hi Chris,

On Wed, Feb 05, 2014 at 04:31:07PM -0500, Chris Knadle wrote:
> On Wednesday, February 05, 2014 22:16:32 Salvatore Bonaccorso wrote:
> > Hi Chris,
> > 
> > On Wed, Feb 05, 2014 at 11:09:00AM -0500, Chris Knadle wrote:
> > > On Wednesday, February 05, 2014 16:10:36 Salvatore Bonaccorso wrote:
> > > > Source: mumble
> > > > Version: 1.2.3-349-g315b5f5-2.2
> > > > Severity: grave
> > > > Tags: security upstream fixed-upstream
> > > > 
> > > > Hi
> > > > 
> > > > Mumble has released a new upstream version fixing CVE-2014-0044 and
> > > > CVE-2014-0045. See upstream commits at:
> > > > 
> > > > https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
> > > > https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079
> > > > 
> > > > Upstream announces at
> > > > 
> > > > http://mumble.info/security/Mumble-SA-2014-001.txt
> > > > http://mumble.info/security/Mumble-SA-2014-002.txt
> > > > 
> > > > Regards,
> > > > Salvatore
> > > 
> > > Thanks for fixing this.
> > > 
> > > As these commits were authored only 5 days ago I'd think the current
> > > 1.2.4-0.1 package in Sid and Jessie has this issue too, unless there's
> > > some other mitigating factor with the stable 1.2.4 version.
> > 
> > Yes it is also as it's supporting Opus; reason is that I concentrated
> > first on the wheezy-security upload.
> 
> Okay.  Currently there's ABI breakage in protobuf 2.5.0-7 which will be fixed
> with the -9 upload once it's finished being built; I have to wait for that
> before we can upload a new 1.2.4 mumble package with the fixes.  I've got both of the
> CVE patches queued for the next upload which I'm looking to do this weekend,
> but if you'd like to do a security fix on 1.2.4-0.1 after the protobuf -9
> build, go ahead and do so.

Thanks for the update. So then I will also stop preparing the packages
for unstable now!

Thanks for working on it!

Salvatore



Reply sent to Christopher Knadle <Chris.Knadle@coredump.us>:
You have taken responsibility. (Thu, 06 Feb 2014 21:27:39 GMT) Full text and rfc822 format available.

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 06 Feb 2014 21:27:39 GMT) Full text and rfc822 format available.

Message #32 received at 737739-close@bugs.debian.org (full text, mbox):

From: Christopher Knadle <Chris.Knadle@coredump.us>
To: 737739-close@bugs.debian.org
Subject: Bug#737739: fixed in mumble 1.2.4-0.2
Date: Thu, 06 Feb 2014 21:22:37 +0000
Source: mumble
Source-Version: 1.2.4-0.2

We believe that the bug you reported is fixed in the latest version of
mumble, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737739@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christopher Knadle <Chris.Knadle@coredump.us> (supplier of updated mumble package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 06 Feb 2014 12:07:05 -0500
Source: mumble
Binary: mumble mumble-server mumble-dbg
Architecture: source amd64
Version: 1.2.4-0.2
Distribution: unstable
Urgency: high
Maintainer: Ron Lee <ron@debian.org>
Changed-By: Christopher Knadle <Chris.Knadle@coredump.us>
Description: 
 mumble     - Low latency VoIP client
 mumble-dbg - Low latency VoIP client (debugging symbols)
 mumble-server - Low latency VoIP server
Closes: 737739
Changes: 
 mumble (1.2.4-0.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * debian/patches
       - Add 12-Mumble-SA-2014-001.patch, 14-Mumble-SA-2014-002.patch
         to fix CVE-2014-0044, CVE-2014-0045.  Closes: #737739







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 08:01:39 2014; Machine Name: buxtehude.debian.org
