
Bug 500486 (CVE-2014-0044)

Summary: <media-sound/mumble-1.2.5: Vulnerabilities in Opus voice packet handling (CVE-2014-{0044,0045})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: rjmars97, tgurr
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1061858
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-02-06 08:47:05 UTC
From ${URL} :

A denial of service flaw, with possible (but unconfirmed) arbitrary code execution, was reported [1] in Mumble:

A malformed Opus voice packet sent to a Mumble client could trigger a heap-based buffer overflow. This causes a client crash (Denial of Service) and can potentially be used to execute arbitrary code, though this is unconfirmed.

This issue can be triggered remotely by an entity participating in a Mumble voice chat.

This has been corrected in upstream version 1.2.5 [2].

[1] http://mumble.info/security/Mumble-SA-2014-002.txt
[2] https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2014-02-07 08:10:37 UTC
*** Bug 500582 has been marked as a duplicate of this bug. ***
Comment 2 Timo Gurr (RETIRED) gentoo-dev 2014-02-07 17:05:13 UTC
I've committed the fixed version 1.2.5. It can be stabilized right away since the only changes it contains since 1.2.4 are just the security fixes.

Also feel free to stabilize the server part murmur 1.2.5 as well which is (besides the version number increment) identical to 1.2.4.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-02-13 15:18:38 UTC
CVE-2014-0045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0045):
  The needSamples method in AudioOutputSpeech.cpp in the client in Mumble
  1.2.4 and the 1.2.3 pre-release snapshots, Mumble for iOS 1.1 through 1.2.2,
  and MumbleKit before commit fd190328a9b24d37382b269a5674b0c0c7a7e36d does
  not check the return value of the opus_decode_float function, which allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via a crafted Opus voice packet, which triggers an error in
  opus_decode_float, a conversion of a negative integer to an unsigned
  integer, and a heap-based buffer over-read and over-write.

CVE-2014-0044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0044):
  The opus_packet_get_samples_per_frame function in client in Mumble 1.2.4 and
  the 1.2.3 pre-release snapshots allows remote attackers to cause a denial of
  service (crash) via a crafted length prefix value, which triggers a NULL
  pointer dereference or a heap-based buffer over-read (aka "out-of-bounds
  array access").
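
The failure mode in the CVE-2014-0045 description above, as an added example that is not part of this bug report and is not Mumble's code: a decoder return value that can be negative must be checked before it is used as a size. `decode_stub`, its one-byte-count packet format, the error code and the buffer sizes are hypothetical stand-ins constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FRAME_MAX 480            /* constructed: decoder scratch size in samples */
#define ERR_INVALID_PACKET (-4)  /* constructed negative error code */

/* Hypothetical stand-in for a decoder: returns samples written, or < 0.
 * Constructed packet format: byte 0 = sample count, then one byte per sample. */
int decode_stub(const unsigned char *pkt, size_t len, float *pcm, int cap)
{
    if (pkt == NULL || len < 2) return ERR_INVALID_PACKET;
    int n = pkt[0];
    if (n > cap || (size_t)n > len - 1) return ERR_INVALID_PACKET;
    for (int i = 0; i < n; i++) pcm[i] = (float)pkt[1 + i] / 255.0f;
    return n;
}

/* The flawed pattern: a return value used as a size without a sign check. */
size_t unchecked_copy_bytes(int decoded)
{
    return (size_t)decoded * sizeof(float);  /* negative wraps to a huge size */
}

/* Hardened caller: reject errors and oversize counts before any size math.
 * Precondition: *used <= out_cap. */
int append_decoded(const unsigned char *pkt, size_t len,
                   float *out, size_t out_cap, size_t *used)
{
    float pcm[FRAME_MAX];
    int decoded = decode_stub(pkt, len, pcm, FRAME_MAX);
    if (decoded < 0) return decoded;                    /* decoder error */
    if ((size_t)decoded > out_cap - *used) return -1;   /* no room left */
    memcpy(out + *used, pcm, (size_t)decoded * sizeof(float));
    *used += (size_t)decoded;
    return decoded;
}

int main(void)
{
    const unsigned char bad[] = { 200, 1, 2 };   /* constructed: count > payload */
    float out[8];
    size_t used = 0;
    int rc = append_decoded(bad, sizeof bad, out, 8, &used);
    printf("rc=%d used=%zu unchecked=%zu bytes\n",
           rc, used, unchecked_copy_bytes(rc));
    return 0;
}
```
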
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-02-13 16:52:29 UTC
Arches, please test and mark stable:

=media-sound/mumble-1.2.5
=media-sound/murmur-1.2.5

Target Keywords : "amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2014-02-15 21:18:54 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-02-15 21:28:29 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 Timo Gurr (RETIRED) gentoo-dev 2014-03-26 17:36:52 UTC
(In reply to Agostino Sarubbo from comment #6)
> Maintainer(s), please cleanup.

Cleanup is done.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2014-05-21 03:03:20 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-06-06 12:34:27 UTC
This issue was resolved and addressed in
 GLSA 201406-06 at http://security.gentoo.org/glsa/glsa-201406-06.xml
by GLSA coordinator Sergey Popov (pinkbyte).