Bug 500486 (CVE-2014-0044) - <media-sound/mumble-1.2.5: Vulnerabilities in Opus voice packet handling (CVE-2014-{0044,0045})
Status: RESOLVED FIXED
Alias: CVE-2014-0044
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 500582
Depends on:
Blocks:
 
Reported: 2014-02-06 08:47 UTC by Agostino Sarubbo
Modified: 2014-06-06 12:34 UTC

Description Agostino Sarubbo gentoo-dev 2014-02-06 08:47:05 UTC
From ${URL} :

A denial of service flaw, with possible (but unconfirmed) arbitrary code execution, was reported [1] in Mumble:

A malformed Opus voice packet sent to a Mumble client could trigger a heap-based buffer overflow. This causes a client crash (Denial of Service) and can potentially be used to execute arbitrary code, though this is unconfirmed.

This issue can be triggered remotely by an entity participating in a Mumble voice chat.

This has been corrected in upstream version 1.2.5 [2].

[1] http://mumble.info/security/Mumble-SA-2014-002.txt
[2] https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-02-07 08:10:37 UTC
*** Bug 500582 has been marked as a duplicate of this bug. ***
Comment 2 Timo Gurr (RETIRED) gentoo-dev 2014-02-07 17:05:13 UTC
I've committed the fixed version 1.2.5. It can be stabilized right away since the only changes it contains since 1.2.4 are just the security fixes.

Also feel free to stabilize the server part murmur 1.2.5 as well which is (besides the version number increment) identical to 1.2.4.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-02-13 15:18:38 UTC
CVE-2014-0045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0045):
  The needSamples method in AudioOutputSpeech.cpp in the client in Mumble
  1.2.4 and the 1.2.3 pre-release snapshots, Mumble for iOS 1.1 through 1.2.2,
  and MumbleKit before commit fd190328a9b24d37382b269a5674b0c0c7a7e36d does
  not check the return value of the opus_decode_float function, which allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted Opus voice packet, which triggers an error in
  opus_decode_float, a conversion of a negative integer to an unsigned
  integer, and a heap-based buffer over-read and over-write.

CVE-2014-0044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0044):
  The opus_packet_get_samples_per_frame function in client in Mumble 1.2.4 and
  the 1.2.3 pre-release snapshots allows remote attackers to cause a denial of
  service (crash) via a crafted length prefix value, which triggers a NULL
  pointer dereference or a heap-based buffer over-read (aka "out-of-bounds
  array access").
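
The CVE-2014-0045 description above names an unchecked decoder return value that is converted from a negative integer to an unsigned one and then used as a length. The following is an added example of that bug class and its fix, not Mumble's or Opus's code; `fake_decode`, the packet layout, `FRAME_CAP` and `FAKE_DECODE_ERROR` are hypothetical stand-ins constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define FRAME_CAP 480          /* constructed scratch capacity, in samples */
#define FAKE_DECODE_ERROR (-4) /* constructed negative error code */

/* Hypothetical stand-in for a decoder such as opus_decode_float: returns the
 * number of samples written, or a negative error code for a malformed packet.
 * Constructed packet layout: [count][count payload bytes]. */
static int fake_decode(const unsigned char *pkt, size_t len, float *out, int cap)
{
    if (pkt == NULL || len < 2 || (size_t)pkt[0] != len - 1 || pkt[0] > cap)
        return FAKE_DECODE_ERROR;
    for (int i = 0; i < pkt[0]; i++)
        out[i] = pkt[1 + i] / 255.0f;
    return pkt[0];
}

/* Flawed pattern: the signed result is converted straight to an unsigned
 * byte count, so an error code turns into an enormous length. */
size_t length_without_check(int decoded)
{
    return (size_t)decoded * sizeof(float);
}

/* Hardened pattern: reject errors and oversized counts before any size math. */
int copy_decoded(const unsigned char *pkt, size_t len, float *dst, size_t dst_cap)
{
    float frame[FRAME_CAP];
    int decoded = fake_decode(pkt, len, frame, FRAME_CAP);
    if (decoded < 0)
        return decoded;                 /* propagate the decoder error */
    if ((size_t)decoded > dst_cap)
        return -1;                      /* result would not fit in dst */
    memcpy(dst, frame, (size_t)decoded * sizeof(float));
    return decoded;
}

int main(void)
{
    unsigned char bad[] = {200, 1, 2};  /* constructed: count disagrees with length */
    float dst[8];
    printf("unchecked length: %zu bytes\n", length_without_check(FAKE_DECODE_ERROR));
    printf("checked result:   %d\n", copy_decoded(bad, sizeof bad, dst, 8));
    return 0;
}
```

The unchecked conversion is only computed here, never used for a copy, so the program is safe to run.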
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-02-13 16:52:29 UTC
Arches, please test and mark stable:

=media-sound/mumble-1.2.5
=media-sound/murmur-1.2.5

Target Keywords : "amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2014-02-15 21:18:54 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-02-15 21:28:29 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Timo Gurr (RETIRED) gentoo-dev 2014-03-26 17:36:52 UTC
(In reply to Agostino Sarubbo from comment #6)
> Maintainer(s), please cleanup.

Cleanup is done.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 03:03:20 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-06-06 12:34:27 UTC
This issue was resolved and addressed in
 GLSA 201406-06 at http://security.gentoo.org/glsa/glsa-201406-06.xml
by GLSA coordinator Sergey Popov (pinkbyte).