Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 403939 (CVE-2012-0863) - <media-sound/mumble-1.2.3-r2 : Database File Insecure Permissions (CVE-2012-0863)
Summary: <media-sound/mumble-1.2.3-r2 : Database File Insecure Permissions (CVE-2012-0...
Status: RESOLVED FIXED
Alias: CVE-2012-0863
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47951/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-15 19:32 UTC by Agostino Sarubbo
Modified: 2012-03-06 21:27 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-02-15 19:32:44 UTC 
From secunia security advisory at $URL:


Description:
The security issue is caused due to the application creating a database file (~/.local/share/data/Mumble/Mumble/.mumble.sqlite) with insecure world-readable permissions. This can be exploited to disclose password and configuration settings.

The security issue is reported in version 1.2.3. Other versions may also be affected.


Solution
Fixed in the Git repository.

Original Advisory:
https://bugs.launchpad.net/ubuntu/+source/mumble/+bug/783405
Comment 1 Timo Gurr (RETIRED) gentoo-dev 2012-02-16 02:13:35 UTC 
Thanks, fixed in mumble-1.2.3-r2. When starting up Mumble (-r2) it also automatically corrects the permissions of already existing files.
Comment 2 Agostino Sarubbo gentoo-dev 2012-02-16 09:16:03 UTC 
Arches please test and mark stable:
media-sound/mumble-1.2.3-r2
target keywords :"amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-02-16 14:04:41 UTC 
amd64 stable
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-02-18 14:31:14 UTC 
x86 stable
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-02-18 21:33:49 UTC 
Thanks, everyone. GLSA Vote: yes.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 00:54:16 UTC 
Homedirs should be 700 anyways.
Vote: NO.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-06 21:27:00 UTC 
Vote: no. 

Closing noglsa.