
Bug 403939 (CVE-2012-0863)

Summary: <media-sound/mumble-1.2.3-r2 : Database File Insecure Permissions (CVE-2012-0863)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: tgurr, voip+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://secunia.com/advisories/47951/
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-02-15 19:32:44 UTC
From Secunia security advisory at $URL:


Description:
The security issue is caused due to the application creating a database file (~/.local/share/data/Mumble/Mumble/.mumble.sqlite) with insecure world-readable permissions. This can be exploited to disclose password and configuration settings.

The security issue is reported in version 1.2.3. Other versions may also be affected.


Solution
Fixed in the Git repository.

Original Advisory:
https://bugs.launchpad.net/ubuntu/+source/mumble/+bug/783405
Comment 1 Timo Gurr (RETIRED) gentoo-dev 2012-02-16 02:13:35 UTC
Thanks, fixed in mumble-1.2.3-r2. When starting up Mumble (-r2) it also automatically corrects the permissions of already existing files.
Comment 2 Agostino Sarubbo gentoo-dev 2012-02-16 09:16:03 UTC
Arches please test and mark stable:
media-sound/mumble-1.2.3-r2
target keywords: "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-02-16 14:04:41 UTC
amd64 stable
Comment 4 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-02-18 14:31:14 UTC
x86 stable
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-02-18 21:33:49 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 00:54:16 UTC
Homedirs should be 700 anyways.
Vote: NO.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-06 21:27:00 UTC
Vote: no. 

Closing noglsa.
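
An added example, not part of the bug report or Mumble's code: a POSIX shell check for the condition in the description (database file readable by other users), which also reflects the point in Comment 6 that a home directory other users cannot traverse blocks access. The function names and the MUMBLE_DB variable are assumptions; the default path is the one quoted in the advisory, and directories above the home directory are assumed traversable.

```shell
#!/bin/sh
# Added example: is a Mumble database readable by other local users?

# Octal permission bits of a path (GNU stat, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if any bit of octal mask $2 is set in the mode of path $1.
has_bits() {
    m=$(file_mode "$1") || return 2
    [ $(( 0$m & 0$2 )) -ne 0 ]
}

# True if every directory from the file's parent up to $2 (inclusive)
# grants search (x) permission to "other". Assumes $1 lies under $2.
others_can_traverse() {
    d=$(dirname "$1")
    while :; do
        has_bits "$d" 001 || return 1
        case $d in "$2"|/|.) return 0 ;; esac
        d=$(dirname "$d")
    done
}

# Echo one status word for database $1 under home directory $2:
#   missing | symlink | ok | shielded | exposed
# "shielded": the file is world-readable, but a parent directory keeps
# other users out. Group access is not examined here.
classify_db() {
    [ -L "$1" ] && { echo symlink; return 0; }
    [ -f "$1" ] || { echo missing; return 0; }
    if ! has_bits "$1" 004; then echo ok
    elif others_can_traverse "$1" "$2"; then echo exposed
    else echo shielded
    fi
}

# Restrict the database to its owner (an assumed remediation, not
# necessarily the mode the packaged fix applies).
tighten_db() {
    chmod go-rwx "$1"
}

# Path quoted in the advisory; MUMBLE_DB overrides it for other layouts.
db=${MUMBLE_DB:-$HOME/.local/share/data/Mumble/Mumble/.mumble.sqlite}
echo "$db: $(classify_db "$db" "$HOME")"
```

A result of `shielded` still warrants `tighten_db`, since the protection then depends entirely on the parent directory's mode staying restrictive.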