Bug 727598 - <media-sound/{mumble,murmur}-1.3.1: Possible vulnerability in OCB2 encryption
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Reported: 2020-06-08 22:52 UTC by Sam James
Modified: 2020-07-27 20:39 UTC

Package list:
media-sound/mumble-1.3.1-r1 amd64 x86
media-sound/murmur-1.3.1 amd64 x86
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-08 22:52:59 UTC
Description:
"Potential exploit in the OCB2 encryption"

https://github.com/mumble-voip/mumble/pull/4227

Fixed in 1.3.1, not included in rc1.
Comment 1 Larry the Git Cow gentoo-dev 2020-06-15 09:56:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e94d04bc2b125cecd0611e9cebc4746071e04b67

commit e94d04bc2b125cecd0611e9cebc4746071e04b67
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-15 09:56:27 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-15 09:56:42 +0000

    media-sound/murmur: Security bump to version 1.3.1
    
    Bug: https://bugs.gentoo.org/727598
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-sound/murmur/Manifest                                         | 2 +-
 media-sound/murmur/{murmur-1.3.1_rc1.ebuild => murmur-1.3.1.ebuild} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=afc960cb03b862c89be6840332deee8059dc3f5d

commit afc960cb03b862c89be6840332deee8059dc3f5d
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-15 09:54:00 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-15 09:56:42 +0000

    media-sound/mumble: Security bump to version 1.3.1
    
    Bug: https://bugs.gentoo.org/727598
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-sound/mumble/Manifest                        |  2 +-
 .../mumble/files/mumble-1.3.1_rc1-qt-5.15.patch    | 28 ----------------------
 ...mumble-1.3.1_rc1.ebuild => mumble-1.3.1.ebuild} |  2 --
 3 files changed, 1 insertion(+), 31 deletions(-)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-15 13:37:05 UTC
This has been stabled in the past, just not for a while, back when Qt 4 was around.

The Qt 5 version was only a snapshot before now and didn't get stabled.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:50:45 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-21 17:17:44 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Larry the Git Cow gentoo-dev 2020-06-25 14:03:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efdd2417271d7444170db0b9ac7b44a619d7016a

commit efdd2417271d7444170db0b9ac7b44a619d7016a
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-25 14:02:58 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-25 14:03:07 +0000

    media-sound/murmur: Security cleanup
    
    Bug: https://bugs.gentoo.org/727598
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-sound/murmur/Manifest            |   1 -
 media-sound/murmur/murmur-1.3.0.ebuild | 154 ---------------------------------
 2 files changed, 155 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fbd8da7678a281279f19b91bd36a63593bc858a

commit 8fbd8da7678a281279f19b91bd36a63593bc858a
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-25 14:02:13 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-25 14:03:07 +0000

    media-sound/mumble: Security cleanup
    
    Bug: https://bugs.gentoo.org/727598
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-sound/mumble/Manifest            |   1 -
 media-sound/mumble/mumble-1.3.0.ebuild | 160 ---------------------------------
 2 files changed, 161 deletions(-)
Comment 6 NATTkA bot gentoo-dev 2020-06-25 14:04:37 UTC
Unable to check for sanity:

> no match for package: media-sound/mumble-1.3.1