Bug 770973 (CVE-2021-27229) - <media-sound/mumble-1.3.4: remote code execution if a victim navigates to a crafted URL (CVE-2021-27229)
Status: RESOLVED FIXED
Alias: CVE-2021-27229
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-16 16:12 UTC by John Helmert III
Modified: 2021-05-26 08:54 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2021-02-16 16:12:41 UTC
CVE-2021-27229:

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.

Patch: https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
Please stabilize 1.3.4.
Comment 1 Sam James archtester gentoo-dev Security 2021-02-16 19:22:15 UTC
x86 done
Comment 2 Sam James archtester gentoo-dev Security 2021-02-17 03:55:20 UTC
amd64 done

all arches done
Comment 3 John Helmert III gentoo-dev Security 2021-02-17 04:07:43 UTC
Please clean up.
Comment 4 Larry the Git Cow gentoo-dev 2021-02-26 16:41:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e57fddd2171c191705563384a889bbb2b75960ee

commit e57fddd2171c191705563384a889bbb2b75960ee
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-02-26 13:26:24 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-02-26 16:41:31 +0000

    media-sound/mumble: Security cleanup
    
    Bug: https://bugs.gentoo.org/770973
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 media-sound/mumble/Manifest            |   1 -
 media-sound/mumble/mumble-1.3.3.ebuild | 161 ---------------------------------
 2 files changed, 162 deletions(-)
Comment 5 Thomas Deutschmann gentoo-dev Security 2021-05-25 20:51:38 UTC
New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:54:57 UTC
This issue was resolved and addressed in
 GLSA 202105-13 at https://security.gentoo.org/glsa/202105-13
by GLSA coordinator Thomas Deutschmann (whissi).