Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 770973 (CVE-2021-27229) - <media-sound/mumble-1.3.4: remote code execution if a victim navigates to a crafted URL (CVE-2021-27229)
Summary: <media-sound/mumble-1.3.4: remote code execution if a victim navigates to a c...
Status: RESOLVED FIXED
Alias: CVE-2021-27229
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-16 16:12 UTC by John Helmert III
Modified: 2021-05-26 08:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-16 16:12:41 UTC 
CVE-2021-27229:

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.

Patch: https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
Please stabilize 1.3.4.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-16 19:22:15 UTC 
x86 done
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-17 03:55:20 UTC 
amd64 done

all arches done
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-17 04:07:43 UTC 
Please cleanup.
Comment 4 Larry the Git Cow gentoo-dev 2021-02-26 16:41:34 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e57fddd2171c191705563384a889bbb2b75960ee

commit e57fddd2171c191705563384a889bbb2b75960ee
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-02-26 13:26:24 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-02-26 16:41:31 +0000

    media-sound/mumble: Security cleanup
    
    Bug: https://bugs.gentoo.org/770973
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-sound/mumble/Manifest            |   1 -
 media-sound/mumble/mumble-1.3.3.ebuild | 161 ---------------------------------
 2 files changed, 162 deletions(-)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-25 20:51:38 UTC 
New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:54:57 UTC 
This issue was resolved and addressed in
 GLSA 202105-13 at https://security.gentoo.org/glsa/202105-13
by GLSA coordinator Thomas Deutschmann (whissi).