Debian Bug report logs - #748189
mumble: CVE-2014-3755 CVE-2014-3756

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 15 May 2014 06:57:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions mumble/1.2.3-349-g315b5f5-2.2+deb7u1, mumble/1.2.3-349-g315b5f5-2.2

Fixed in version mumble/1.2.6-1

Done: Christopher Knadle <Chris.Knadle@coredump.us>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christopher Knadle <Chris.Knadle@coredump.us>:
Bug#748189; Package src:mumble. (Thu, 15 May 2014 06:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Christopher Knadle <Chris.Knadle@coredump.us>. (Thu, 15 May 2014 06:57:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mumble: CVE-2014-3755 CVE-2014-3756
Date: Thu, 15 May 2014 08:55:05 +0200
Source: mumble
Severity: important
Tags: security upstream fixed-upstream

Hi

There are two mumble security advisories released, see details in [1]
and [2]. CVEs were already assigned for these issues[3]. When you fix
the package, could you please reference these in your changelog?

 [1] http://mumble.info/security/Mumble-SA-2014-005.txt
 [2] http://mumble.info/security/Mumble-SA-2014-006.txt
 [3] http://www.openwall.com/lists/oss-security/2014/05/15/4

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Christopher Knadle <Chris.Knadle@coredump.us>:
Bug#748189; Package src:mumble. (Thu, 15 May 2014 21:00:14 GMT) (full text, mbox, link).


Acknowledgement sent to Chris.Knadle@coredump.us:
Extra info received and forwarded to list. Copy sent to Christopher Knadle <Chris.Knadle@coredump.us>. (Thu, 15 May 2014 21:00:14 GMT) (full text, mbox, link).


Message #10 received at 748189@bugs.debian.org (full text, mbox, reply):

From: Chris Knadle <Chris.Knadle@coredump.us>
To: Salvatore Bonaccorso <carnil@debian.org>, 748189@bugs.debian.org
Subject: Re: Bug#748189: mumble: CVE-2014-3755 CVE-2014-3756
Date: Thu, 15 May 2014 16:58:06 -0400
On Thursday, May 15, 2014 08:55:05 Salvatore Bonaccorso wrote:
> Source: mumble
> Severity: important
> Tags: security upstream fixed-upstream
> 
> Hi
> 
> There are two mumble security advisories released, see details in [1]
> and [2]. CVEs were already assigned for these issues[3]. When you fix
> the package, could you please reference these in your changelog?

Will do.

Unfortunately the available Mumble-SA-2014-006.patch for CVE-2014-3756 will 
not apply to 1.2.3-349-g315b5f5 in Wheezy and will require backporting to fix. 
I've reported this to Mumble upstream.

I'm currently working on a release of mumble-1.2.6 for Unstable.

>  [1] http://mumble.info/security/Mumble-SA-2014-005.txt
>  [2] http://mumble.info/security/Mumble-SA-2014-006.txt
>  [3] http://www.openwall.com/lists/oss-security/2014/05/15/4
> 
> Regards,
> Salvatore

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us



Reply sent to Christopher Knadle <Chris.Knadle@coredump.us>:
You have taken responsibility. (Fri, 16 May 2014 07:51:21 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 16 May 2014 07:51:21 GMT) (full text, mbox, link).


Message #15 received at 748189-close@bugs.debian.org (full text, mbox, reply):

From: Christopher Knadle <Chris.Knadle@coredump.us>
To: 748189-close@bugs.debian.org
Subject: Bug#748189: fixed in mumble 1.2.6-1
Date: Fri, 16 May 2014 07:48:56 +0000
Source: mumble
Source-Version: 1.2.6-1

We believe that the bug you reported is fixed in the latest version of
mumble, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 748189@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christopher Knadle <Chris.Knadle@coredump.us> (supplier of updated mumble package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 15 May 2014 19:20:55 -0400
Source: mumble
Binary: mumble mumble-server mumble-dbg
Architecture: source amd64
Version: 1.2.6-1
Distribution: unstable
Urgency: high
Maintainer: Christopher Knadle <Chris.Knadle@coredump.us>
Changed-By: Christopher Knadle <Chris.Knadle@coredump.us>
Description: 
 mumble     - Low latency encrypted VoIP client
 mumble-dbg - Low latency encrypted VoIP client (debugging symbols)
 mumble-server - Low latency encrypted VoIP server
Closes: 744733 746882 748189
Changes: 
 mumble (1.2.6-1) unstable; urgency=high
 .
   * New upstream snapshot from 2014-05-15
   * This version contains two new security fixes.  Closes: 748189
       - Mumble-SA-2014-005   CVE-2014-3755
            http://mumble.info/security/Mumble-SA-2014-005.txt
         SVG images with local file references could trigger client DoS
       - Mumble-SA-2014-006   CVE-2014-3756
            http://mumble.info/security/Mumble-SA-2014-006.txt
         The Mumble client did not properly HTML-escape some external strings
         before using them in a rich-text (HTML) context.
       - Thanks to Mikkel Krautz <mikkel@krautz.dk> for reporting the bug,
         thanks to Salvatore Bonaccorso <carnil@debian.org> for reporting
         the bug in Debian.
   * debian/rules:
       - Update to remove libmumble.so.1.2.6 via rm of libmumble.so.1.*
   * debian/patches
       - Add 17-change-pulseaudio-role.diff
         Change role from "phone" to "game" to stop PulseAudio muting
         applications in the "music" and "video" roles
         (reported in #mumble in IRC on irc.freenode.net)
       - Add 19-move-xlib-initializtion-earlier.diff
         Move Xlib initialization earlier to fix crashing when setting a
         push-to-talk key.  Closes: #744733
         Thanks to RedOmen <redomen@nwi.net> for reporting the bug, and
         Bas Wijnen <wijnen@debian.org> for finding a fix and creating a patch.
       - Add 21-fix-compile-with-gcc-4.9.diff
         Fixes FTBFS with gcc-4.9.  Closes: 746882
         Thanks to Matthias Klose <doko@debian.org> for reporting the bug
         and to Dimitri John Ledkov <dimitri.ledkov@canonical.com> for
         submitting the patch from Christian Krause <chkr@plauener.de>
Checksums-Sha1: 
 bcdb0ed14a5b5d4ca193cc07df187d22b341d988 2305 mumble_1.2.6-1.dsc
 b53eaa5724a3ff68852e905ceea20b40f3c1e50a 3201577 mumble_1.2.6.orig.tar.gz
 bcb95cd0c493603d30dffafda82c96d7280d1e96 34936 mumble_1.2.6-1.debian.tar.xz
 eb9667c8f6de8ac97722ac6515f416febdff1abc 2575374 mumble_1.2.6-1_amd64.deb
 8eb94d8e7f0f0b42b55bccdb045a4e68a744afb2 739568 mumble-server_1.2.6-1_amd64.deb
 987fba5a91dde2797a08750769053fb3dba7c2d6 15589014 mumble-dbg_1.2.6-1_amd64.deb
Checksums-Sha256: 
 16f8f5f752cb27a771ec04a73a54beac669736115b6307019b225ae6d5819394 2305 mumble_1.2.6-1.dsc
 876cdecfb89798ab45020cdae0d64bd0fa899a9a97c2c7f4a6e706d4165fb6ff 3201577 mumble_1.2.6.orig.tar.gz
 6a29658271e5170acb4e1d15ecc9b02c6863802d6ecd00cb59dadec84f9b9e22 34936 mumble_1.2.6-1.debian.tar.xz
 b58e75220448c9bfcaf769f5b3d194b338867973aa7ca563a6e5c6aeba208802 2575374 mumble_1.2.6-1_amd64.deb
 a551a72bf042853c6921047c7d6cb34935000928b1fba82f981be0d0272c9504 739568 mumble-server_1.2.6-1_amd64.deb
 78adf81a8d9ec19109d95f4beb1fd739e32c0f3d54b8a58423adbd6cb3fbb732 15589014 mumble-dbg_1.2.6-1_amd64.deb
Files: 
 ae60aa5afe0eaafd81ac7821767905c7 2575374 sound optional mumble_1.2.6-1_amd64.deb
 ba67d5273290e1ae8a9818dac9a1a554 739568 sound optional mumble-server_1.2.6-1_amd64.deb
 90c8845e39130a2d1dc3ee18a2c0018c 15589014 debug extra mumble-dbg_1.2.6-1_amd64.deb
 3c4941bc48786c1c699cb68314e544f2 2305 sound optional mumble_1.2.6-1.dsc
 32b37ff426863d7abeb1b7c1938652ff 3201577 sound optional mumble_1.2.6.orig.tar.gz
 cadd2bb7e00568e91ed9f554afd1e2b7 34936 sound optional mumble_1.2.6-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJTdcGPAAoJEBLZsEqQy9jktwsP/AovYVlupHhsYgyaLUWKUzyb
ZTO3C13h4uB3O7xQPZr6h44OPqqqHpCPmVnjKixp3S5+1cAfImLOqGoXVBiV6gdk
wsox3a05ye/7XecHdw1GJfKVmnRoUfGM9r2S6TZMVKduvvr/B+fjtXC3t+xEIe9F
csU4j477fVMki9z7IIYrVg4WtyyUdjhHmYY2BGnSZCza7YV1nZCVbhDalZD7/nPR
1jjRR4GCkPLKpzR4DqJh43hdgRXx77RTbhZwCLMC3DUaAEFf6dWILZFApVpYTFeo
ELA7bzycB5cBI8NPnAOLzNtVvQyYE5kFNDZU9hFNBNrDNW9Nafy0l6wUGF6fZJVR
0yIh4YL2UXF0zWaH5NpfReLMaMU5c9ixYkLKQYZY9cQ6sd0u7K2v0HJjbyXYJBpG
+f7kKcp203shF2kt902rzrVHafTdHWfk0rrfo4UXuzogzzWqrIZapDE/XyxWoL/y
1BayDtBvZHOcV/CdXbDfvDCogBmJE+LMNJRisTRxVDbn70tfHYm4qzbiSj6Tg8uU
OVNlmiF+gXhpO94DTOPwFB4Evtt1MjcbaosPrjstGCfaMS6ZIAZLoFLENajNNIYi
CUhzyct2eRCOwNdq6N31VVSGv3tS5Ggv0qObczMzSFAJ/wbXyfINx/kOUszYO79G
yY88UDAeqzmE8sMk7oSo
=PG+Q
-----END PGP SIGNATURE-----
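The Mumble-SA-2014-006 changelog entry above describes the class of bug behind CVE-2014-3756: an externally supplied string placed into a rich-text (HTML) context without escaping. The following is an added illustration of that fix pattern in plain C++, written for this page; it is not Mumble's code and does not use Qt. It assumes a hypothetical display string (a user name) that comes from the network, shows the unescaped concatenation beside the escaped one, and uses a constructed sample value.

```cpp
// Added example (not Mumble's code): escaping an externally supplied string
// before inserting it into rich-text (HTML) markup, the fix pattern the
// Mumble-SA-2014-006 changelog entry describes.
#include <string>

// Escape the characters that carry meaning in HTML element content and in
// quoted attribute values. The result is safe to place in either context.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

// Unescaped pattern: the external string is concatenated straight into the
// markup, so any tags it carries become part of the rendered document.
std::string renderUnescaped(const std::string &username) {
    return "<b>" + username + "</b> joined the channel";
}

// Escaped pattern: the external string is escaped first, so it can only ever
// appear as literal text, whatever characters it contains.
std::string renderEscaped(const std::string &username) {
    return "<b>" + htmlEscape(username) + "</b> joined the channel";
}

// Constructed sample input containing markup characters (hypothetical name).
const std::string kSampleName = "<i>Alice</i> & \"Bob\"";
```

The check a maintainer would apply when backporting such a fix is the one the assertions below express: after escaping, no `<` or `>` from the input survives into the markup, and the escaping is a no-op on plain text.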




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jun 2014 07:37:41 GMT) (full text, mbox, link).


Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Jun 2014 06:12:05 GMT) (full text, mbox, link).


Marked as found in versions mumble/1.2.3-349-g315b5f5-2.2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Jun 2014 06:12:05 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 14 Jul 2014 07:34:27 GMT) (full text, mbox, link).


Bug unarchived. Request was from Chris Knadle <Chris.Knadle@coredump.us> to control@bugs.debian.org. (Sat, 06 Sep 2014 05:18:05 GMT) (full text, mbox, link).


Marked as found in versions mumble/1.2.3-349-g315b5f5-2.2+deb7u1. Request was from Chris Knadle <Chris.Knadle@coredump.us> to control@bugs.debian.org. (Sat, 06 Sep 2014 05:18:05 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 04 Oct 2014 07:38:10 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:51:37 2019; Machine Name: buxtehude
