From ${URL} : A denial of service flaw, with possible (but unconfirmed) arbitrary code execution, was reported [1] in Mumble: A malformed Opus voice packet sent to a Mumble client could trigger a heap-based buffer overflow. This causes a client crash (Denial of Service) and can potentially be used to execute arbitrary code, though this is unconfirmed. This issue can be triggered remotely by an entity participating in a Mumble voice chat. This has been corrected in upstream version 1.2.5 [2]. [1] http://mumble.info/security/Mumble-SA-2014-002.txt [2] https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
*** Bug 500582 has been marked as a duplicate of this bug. ***
I've committed the fixed version 1.2.5. It can be stabilized right away since the only changes it contains since 1.2.4 are just the security fixes. Also feel free to stabilize the server part murmur 1.2.5 as well which is (besides the version number increment) identical to 1.2.4.
CVE-2014-0045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0045): The needSamples method in AudioOutputSpeech.cpp in the client in Mumble 1.2.4 and the 1.2.3 pre-release snapshots, Mumble for iOS 1.1 through 1.2.2, and MumbleKit before commit fd190328a9b24d37382b269a5674b0c0c7a7e36d does not check the return value of the opus_decode_float function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Opus voice packet, which triggers an error in opus_decode_float, a conversion of a negative integer to an unsigned integer, and a heap-based buffer over-read and over-write. CVE-2014-0044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0044): The opus_packet_get_samples_per_frame function in client in Mumble 1.2.4 and the 1.2.3 pre-release snapshots allows remote attackers to cause a denial of service (crash) via a crafted length prefix value, which triggers a NULL pointer dereference or a heap-based buffer over-read (aka "out-of-bounds array access").
Arches, please test and mark stable: =media-sound/mumble-1.2.5 =media-sound/murmur-1.2.5 Target Keywords : "amd64 x86"
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
(In reply to Agostino Sarubbo from comment #6) > Maintainer(s), please cleanup. Cleanup is done.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201406-06 at http://security.gentoo.org/glsa/glsa-201406-06.xml by GLSA coordinator Sergey Popov (pinkbyte).