mumble: CVE-2018-20743: instability and crash due to crafted message flooding

Related Vulnerabilities: CVE-2018-20743  

Debian Bug report logs - #919249

Reported by: Chris Knadle <Chris.Knadle@coredump.us>

Date: Mon, 14 Jan 2019 04:57:02 UTC

Severity: serious

Tags: fixed-in-experimental, fixed-upstream, security, upstream

Found in versions mumble/1.2.19-3, mumble/1.2.18-1

Fixed in version mumble/1.3.0~git20190114.9fcc588+dfsg-1

Done: Christopher Knadle <Chris.Knadle@coredump.us>



Report forwarded to debian-bugs-dist@lists.debian.org, Christopher Knadle <Chris.Knadle@coredump.us>:
Bug#919249; Package mumble. (Mon, 14 Jan 2019 04:57:05 GMT)


Acknowledgement sent to Chris Knadle <Chris.Knadle@coredump.us>:
New Bug report received and forwarded. Copy sent to Christopher Knadle <Chris.Knadle@coredump.us>. (Mon, 14 Jan 2019 04:57:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Chris Knadle <Chris.Knadle@coredump.us>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: Debian Security Team <team@security.debian.or>
Subject: security issue: instability and crash due to crafted message flooding
Date: Mon, 14 Jan 2019 04:53:14 +0000
Package: mumble
Version: 1.2.19-3
Severity: important
Tags: security fixed-upstream fixed-in-experimental


It is currently possible to cause mumble-server to freeze and/or crash by
sending it specifically crafted commands, leading to a denial of service.
The server usually automatically recovers, however it has been reported that
in some instances it can take up to an hour after the attack has ended.
The attack can be done remotely and does not need special permissions.

All versions of mumble 1.2.x and 1.3.0 snapshots prior to 2018-08-31 are affected.

Marked as found in versions mumble/1.2.18-1. Request was from Chris Knadle <Chris.Knadle@coredump.us> to control@bugs.debian.org. (Mon, 14 Jan 2019 14:36:07 GMT)


Severity set to 'serious' from 'important' Request was from Adrian Bunk <bunk@debian.org> to control@bugs.debian.org. (Tue, 15 Jan 2019 18:51:11 GMT)


Reply sent to Christopher Knadle <Chris.Knadle@coredump.us>:
You have taken responsibility. (Tue, 15 Jan 2019 20:45:13 GMT)


Notification sent to Chris Knadle <Chris.Knadle@coredump.us>:
Bug acknowledged by developer. (Tue, 15 Jan 2019 20:45:13 GMT)


Message #14 received at 919249-close@bugs.debian.org:

From: Christopher Knadle <Chris.Knadle@coredump.us>
To: 919249-close@bugs.debian.org
Subject: Bug#919249: fixed in mumble 1.3.0~git20190114.9fcc588+dfsg-1
Date: Tue, 15 Jan 2019 20:42:54 +0000
Source: mumble
Source-Version: 1.3.0~git20190114.9fcc588+dfsg-1

We believe that the bug you reported is fixed in the latest version of
mumble, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919249@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christopher Knadle <Chris.Knadle@coredump.us> (supplier of updated mumble package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 15 Jan 2019 05:53:33 +0000
Source: mumble
Binary: mumble mumble-server
Architecture: source
Version: 1.3.0~git20190114.9fcc588+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Christopher Knadle <Chris.Knadle@coredump.us>
Changed-By: Christopher Knadle <Chris.Knadle@coredump.us>
Description:
 mumble     - Low latency encrypted VoIP client
 mumble-server - Low latency encrypted VoIP server
Closes: 874683 875058 915273 919249
Changes:
 mumble (1.3.0~git20190114.9fcc588+dfsg-1) unstable; urgency=medium
 .
   * New upstream git snapshot from 2019-01-14
     Fixes wishlist bug "mumble: please package a QT5 version of mumble"
     (Closes: #874683)
     Fixes "[mumble] Future Qt4 removal from Buster"
     (Closes: #875058)
     Thanks to Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
     for reporting the bug
     Fixes "mumble: sound glitches when starting mumble"
     (Closes: #915273)
     Thanks to Axel R. <at46n@t-online.de> for reporting the bug
     Fixes security issue: instability and crash due to crafted message flooding
     Thanks to "The Zom.bi Community" for reporting the bug and fixing the bug
     upstream
     (Closes: #919249)
   * debian/control:
     - Update Build-Depends to use Qt5 dependencies
     - Remove Suggests: dbus package for mumble-server
     - Add Suggests: libqt5sql5-sqlite for mumble-server
     - Update Standards-Version to 4.3.0 (no changes needed)
   * debian/copyright:
     - Add Files-Excluded section to document files removed from the upstream
       tarball for DFSG compliance.  [The removals are for draft IETF documents
       for CELT, Opus, Speex codecs that have a restrictive license.]
     - Update Source link to https://dl.mumble.info
     - Remove Files: macx/overlay/* section (code removed upstream)
     - Update copyright year for files in debian/*
   * debian/extras:
     - Add make-mumble-git-tarball.sh and murmur.ini.system.diff for
       creating a tarball from the git repository to allow verifying the
       tarball used in the package
   * debian/mumble-server.examples:
     - Update for file move in new version
   * debian/NEWS:
     - Add entry to describe new Perfect Forward Secrecy SSL support,
       tarball repack, and tarball PGP check removal
   * debian/patches:
     - Remove 05-lsb-description.diff (incorporated upstream)
     - Update 07-use-embedded-celt-baseline.diff for Mumble 1.3
     - Remove 12-mumble-server-disable-dbus-and-ice.diff,
       Add 12-disable-ice-by-default.diff to disable Ice by default
     - Remove 17-change-pulseaudio-role.diff (incorporated upstream)
     - Remove 19-move-xlib-initializtion-earlier.diff (incorporated upstream)
     - Remove 27-prevent-flooding-.xsession-errors.diff (different fix
       incorporated upstream)
     - Remove 30-Remove-flawed-MX-host-existence-check.diff
       (incorporated upstream)
     - Update 35-add-dpkg-buildflags.diff for new upstream snapshot
     - Remove 38-fix-spelling-error.diff (incorporated upstream)
     - Remove 40-make-build-reproducible.diff (incorporated upstream)
     - Remove 43-initialize-SSL.diff (similar fix incorporated upstream)
     - Update 44-add-speechd-header.diff for new upstream snapshot
     - Update 46-var-run-to-run.diff for new upstream snapshot
     - Remove 48-systemd-workaround.diff (incorporated upstream)
     - Remove 50-zeroc-ice-lib-move.diff (similar fix incorporated upstream)
     - Remove 54-fix-boost-ftbfs.diff (incorporated upstream)
   * debian/rules:
     - Enable QT_SELECT=qt5 to force use of Qt5's qmake rather than Qt4's
     - Switch qmake-qt4 to qmake in override_dh_auto_configure section
     - Add CONFIG*=dpkg-buildflags in override_dh_auto_configure section
   * debian/upstream:
     - Remove signing-key.asc due to having to repack upstream tarball
       which will cause the PGP signature check to fail
   * debian/watch:
     - Comment out all lines for now, as the source of the tarball is
       via git export of 'master' with submodules via a script

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 15 Jan 2019 22:21:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Christopher Knadle <Chris.Knadle@coredump.us>:
Bug#919249; Package mumble. (Fri, 25 Jan 2019 16:24:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Christopher Knadle <Chris.Knadle@coredump.us>. (Fri, 25 Jan 2019 16:24:04 GMT)


Message #21 received at 919249@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Knadle <Chris.Knadle@coredump.us>, 919249@bugs.debian.org
Cc: Debian Security Team <team@security.debian.or>
Subject: Re: Bug#919249: security issue: instability and crash due to crafted message flooding
Date: Fri, 25 Jan 2019 17:21:46 +0100
Hi,

On Mon, Jan 14, 2019 at 04:53:14AM +0000, Chris Knadle wrote:
> Package: mumble
> Version: 1.2.19-3
> Severity: important
> Tags: security fixed-upstream fixed-in-experimental
> 
> 
> It is currently possible to cause mumble-server to freeze and/or crash by
> sending it specifically crafted commands, leading to a denial of service.
> The server usually automatically recovers, however it has been reported that
> in some instances it can take up to an hour after the attack has ended.
> The attack can be done remotely and does not need special permissions.
> 
> All versions of mumble 1.2.x and 1.3.0 snapshots prior to 2018-08-31 are affected.

This issue has been assigned CVE-2018-20743.

Regards,
Salvatore



Changed Bug title to 'mumble: CVE-2018-20743: instability and crash due to crafted message flooding' from 'security issue: instability and crash due to crafted message flooding'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 25 Jan 2019 16:27:08 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:09:38 2019; Machine Name: buxtehude
