Debian Bug report logs - #737739
mumble: CVE-2014-0044 CVE-2014-0045
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 5 Feb 2014 15:15:02 UTC
Severity: grave
Tags: fixed-upstream, security, upstream
Found in version mumble/1.2.3-349-g315b5f5-2.2
Fixed in versions mumble/1.2.3-349-g315b5f5-2.2+deb7u1, mumble/1.2.4-0.2
Done: Christopher Knadle <Chris.Knadle@coredump.us>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ron Lee <ron@debian.org>: Bug#737739; Package src:mumble. (Wed, 05 Feb 2014 15:15:07 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ron Lee <ron@debian.org>. (Wed, 05 Feb 2014 15:15:07 GMT)
Message #5 received at submit@bugs.debian.org:
Source: mumble
Version: 1.2.3-349-g315b5f5-2.2
Severity: grave
Tags: security upstream fixed-upstream
Hi
Mumble has released a new upstream version fixing CVE-2014-0044 and
CVE-2014-0045. See upstream commits at:
https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079
Upstream announces at
http://mumble.info/security/Mumble-SA-2014-001.txt
http://mumble.info/security/Mumble-SA-2014-002.txt
Regards,
Salvatore
Marked as fixed in versions mumble/1.2.3-349-g315b5f5-2.2+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Feb 2014 15:51:09 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Ron Lee <ron@debian.org>: Bug#737739; Package src:mumble. (Wed, 05 Feb 2014 16:12:05 GMT)
Acknowledgement sent to Chris.Knadle@coredump.us: Extra info received and forwarded to list. Copy sent to Ron Lee <ron@debian.org>. (Wed, 05 Feb 2014 16:12:05 GMT)
Message #12 received at 737739@bugs.debian.org:
On Wednesday, February 05, 2014 16:10:36 Salvatore Bonaccorso wrote:
> Source: mumble
> Version: 1.2.3-349-g315b5f5-2.2
> Severity: grave
> Tags: security upstream fixed-upstream
>
> Hi
>
> Mumble has released a new upstream version fixing CVE-2014-0044 and
> CVE-2014-0045. See upstream commits at:
>
> https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
> https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079
>
> Upstream announces at
>
> http://mumble.info/security/Mumble-SA-2014-001.txt
> http://mumble.info/security/Mumble-SA-2014-002.txt
>
> Regards,
> Salvatore
Thanks for fixing this.
As these commits were authored only 5 days ago I'd think the current 1.2.4-0.1
package in Sid and Jessie has this issue too, unless there's some other
mitigating factor with the stable 1.2.4 version.
-- Chris
--
Chris Knadle
Chris.Knadle@coredump.us
Information forwarded to debian-bugs-dist@lists.debian.org, Ron Lee <ron@debian.org>: Bug#737739; Package src:mumble. (Wed, 05 Feb 2014 21:18:13 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Ron Lee <ron@debian.org>. (Wed, 05 Feb 2014 21:18:13 GMT)
Message #17 received at 737739@bugs.debian.org:
Hi Chris,
On Wed, Feb 05, 2014 at 11:09:00AM -0500, Chris Knadle wrote:
> On Wednesday, February 05, 2014 16:10:36 Salvatore Bonaccorso wrote:
> > Source: mumble
> > Version: 1.2.3-349-g315b5f5-2.2
> > Severity: grave
> > Tags: security upstream fixed-upstream
> >
> > Hi
> >
> > Mumble has released a new upstream version fixing CVE-2014-0044 and
> > CVE-2014-0045. See upstream commits at:
> >
> > https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
> > https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079
> >
> > Upstream announces at
> >
> > http://mumble.info/security/Mumble-SA-2014-001.txt
> > http://mumble.info/security/Mumble-SA-2014-002.txt
> >
> > Regards,
> > Salvatore
>
> Thanks for fixing this.
>
> As these commits were authored only 5 days ago I'd think the current 1.2.4-0.1
> package in Sid and Jessie has this issue too, unless there's some other
> mitigating factor with the stable 1.2.4 version.
Yes, it is also, as it's supporting Opus; the reason is that I concentrated
first on the wheezy-security upload.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Ron Lee <ron@debian.org>: Bug#737739; Package src:mumble. (Wed, 05 Feb 2014 21:33:05 GMT)
Acknowledgement sent to Chris.Knadle@coredump.us: Extra info received and forwarded to list. Copy sent to Ron Lee <ron@debian.org>. (Wed, 05 Feb 2014 21:33:05 GMT)
Message #22 received at 737739@bugs.debian.org:
On Wednesday, February 05, 2014 22:16:32 Salvatore Bonaccorso wrote:
> Hi Chris,
>
> On Wed, Feb 05, 2014 at 11:09:00AM -0500, Chris Knadle wrote:
> > On Wednesday, February 05, 2014 16:10:36 Salvatore Bonaccorso wrote:
> > > Source: mumble
> > > Version: 1.2.3-349-g315b5f5-2.2
> > > Severity: grave
> > > Tags: security upstream fixed-upstream
> > >
> > > Hi
> > >
> > > Mumble has released a new upstream version fixing CVE-2014-0044 and
> > > CVE-2014-0045. See upstream commits at:
> > >
> > > https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
> > > https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079
> > >
> > > Upstream announces at
> > >
> > > http://mumble.info/security/Mumble-SA-2014-001.txt
> > > http://mumble.info/security/Mumble-SA-2014-002.txt
> > >
> > > Regards,
> > > Salvatore
> >
> > Thanks for fixing this.
> >
> > As these commits were authored only 5 days ago I'd think the current
> > 1.2.4-0.1 package in Sid and Jessie has this issue too, unless there's
> > some other mitigating factor with the stable 1.2.4 version.
>
> Yes, it is also, as it's supporting Opus; the reason is that I concentrated
> first on the wheezy-security upload.
Okay. Currently there's ABI breakage in protobuf 2.5.0-7 which will be fixed
with the -9 upload once it's finished being built; I have to wait for that
before we can upload a new 1.2.4 mumble package with the fixes. I've got both of the
CVE patches queued for the next upload which I'm looking to do this weekend,
but if you'd like to do a security fix on 1.2.4-0.1 after the protobuf -9
build, go ahead and do so.
-- Chris
--
Chris Knadle
Chris.Knadle@coredump.us
Attachments: 12-Mumble-SA-2014-001.patch, 14-Mumble-SA-2014-002.patch (text/x-patch)
Information forwarded to debian-bugs-dist@lists.debian.org, Ron Lee <ron@debian.org>: Bug#737739; Package src:mumble. (Wed, 05 Feb 2014 21:45:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Ron Lee <ron@debian.org>. (Wed, 05 Feb 2014 21:45:04 GMT)
Message #27 received at 737739@bugs.debian.org:
Hi Chris,
On Wed, Feb 05, 2014 at 04:31:07PM -0500, Chris Knadle wrote:
> On Wednesday, February 05, 2014 22:16:32 Salvatore Bonaccorso wrote:
> > Hi Chris,
> >
> > On Wed, Feb 05, 2014 at 11:09:00AM -0500, Chris Knadle wrote:
> > > On Wednesday, February 05, 2014 16:10:36 Salvatore Bonaccorso wrote:
> > > > Source: mumble
> > > > Version: 1.2.3-349-g315b5f5-2.2
> > > > Severity: grave
> > > > Tags: security upstream fixed-upstream
> > > >
> > > > Hi
> > > >
> > > > Mumble has released a new upstream version fixing CVE-2014-0044 and
> > > > CVE-2014-0045. See upstream commits at:
> > > >
> > > > https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
> > > > https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079
> > > >
> > > > Upstream announces at
> > > >
> > > > http://mumble.info/security/Mumble-SA-2014-001.txt
> > > > http://mumble.info/security/Mumble-SA-2014-002.txt
> > > >
> > > > Regards,
> > > > Salvatore
> > >
> > > Thanks for fixing this.
> > >
> > > As these commits were authored only 5 days ago I'd think the current
> > > 1.2.4-0.1 package in Sid and Jessie has this issue too, unless there's
> > > some other mitigating factor with the stable 1.2.4 version.
> >
> > Yes, it is also, as it's supporting Opus; the reason is that I concentrated
> > first on the wheezy-security upload.
>
> Okay. Currently there's ABI breakage in protobuf 2.5.0-7 which will be fixed
> with the -9 upload once it's finished being built; I have to wait for that
> before we can upload a new 1.2.4 mumble package with the fixes. I've got both of the
> CVE patches queued for the next upload which I'm looking to do this weekend,
> but if you'd like to do a security fix on 1.2.4-0.1 after the protobuf -9
> build, go ahead and do so.
Thanks for the update. So then I will also stop preparing the packages
for unstable now!
Thanks for working on it!
Salvatore
Reply sent to Christopher Knadle <Chris.Knadle@coredump.us>: You have taken responsibility. (Thu, 06 Feb 2014 21:27:39 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 06 Feb 2014 21:27:39 GMT)
Message #32 received at 737739-close@bugs.debian.org:
Source: mumble
Source-Version: 1.2.4-0.2
We believe that the bug you reported is fixed in the latest version of
mumble, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 737739@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christopher Knadle <Chris.Knadle@coredump.us> (supplier of updated mumble package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 06 Feb 2014 12:07:05 -0500
Source: mumble
Binary: mumble mumble-server mumble-dbg
Architecture: source amd64
Version: 1.2.4-0.2
Distribution: unstable
Urgency: high
Maintainer: Ron Lee <ron@debian.org>
Changed-By: Christopher Knadle <Chris.Knadle@coredump.us>
Description:
mumble - Low latency VoIP client
mumble-dbg - Low latency VoIP client (debugging symbols)
mumble-server - Low latency VoIP server
Closes: 737739
Changes:
mumble (1.2.4-0.2) unstable; urgency=high
.
* Non-maintainer upload.
* debian/patches
- Add 12-Mumble-SA-2014-001.patch, 14-Mumble-SA-2014-002.patch
to fix CVE-2014-0044, CVE-2014-0045. Closes: #737739
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 May 2014 07:29:19 GMT)
Last modified: Wed Jun 19 14:02:17 2019