Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mumble for openSUSE:Factory checked in at 2026-03-18 16:49:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mumble (Old) and /work/SRC/openSUSE:Factory/.mumble.new.8177 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mumble" Wed Mar 18 16:49:46 2026 rev:14 rq:1340722 version:1.5.857 Changes: -------- --- /work/SRC/openSUSE:Factory/mumble/mumble.changes 2025-11-09 21:08:07.823718975 +0100 +++ /work/SRC/openSUSE:Factory/.mumble.new.8177/mumble.changes 2026-03-18 16:51:08.314620617 +0100 @@ -1,0 +2,7 @@ +Tue Mar 17 15:37:34 UTC 2026 - Andreas Stieger <[email protected]> + +- CVE-2025-71264: (opus) incorrect size calculations allow for an + out-of-bounds array access and can lead to a client crash + (boo#1259721) add mumble-1.5.857-CVE-2025-71264.patch + +------------------------------------------------------------------- New: ---- mumble-1.5.857-CVE-2025-71264.patch ----------(New B)---------- New: out-of-bounds array access and can lead to a client crash (boo#1259721) add mumble-1.5.857-CVE-2025-71264.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mumble.spec ++++++ --- /var/tmp/diff_new_pack.FiLG5P/_old 2026-03-18 16:51:09.362664517 +0100 +++ /var/tmp/diff_new_pack.FiLG5P/_new 2026-03-18 16:51:09.362664517 +0100 @@ -2,7 +2,7 @@ # spec file for package mumble # # Copyright (c) 2024 SUSE LLC -# Copyright (c) 2025 Andreas Stieger <[email protected]> +# Copyright (c) 2026 Andreas Stieger <[email protected]> # Copyright (c) 2024 Tobias Burnus <[email protected]> # # All modifications and additions to the file contributed by third parties @@ -40,6 +40,8 @@ Source6: baselibs.conf # PATCH-FIX-UPSTREAM fix-64bit-only-plugins.patch -- Requires 64bit memory alignment ( https://github.com/mumble-voip/mumble/issues/5849 ) Patch0: fix-64bit-only-plugins.patch +# PATCH-FIX-UPSTREAM mumble-1.5.857-CVE-2025-71264.patch -- boo#1259721 +Patch1: mumble-1.5.857-CVE-2025-71264.patch # Patches related to dependency unbundling Patch100: licenses.patch Patch101: mumble-unbundle-tracy.patch ++++++ mumble-1.5.857-CVE-2025-71264.patch ++++++ >From aae3e47b23518c97f5dbe1dbca51ad7d750bbefb Mon Sep 17 00:00:00 2001 From: Robert Adam <[email protected]> Date: Sun, 28 Dec 2025 16:48:24 +0100 Subject: [PATCH] FIX(client, audio): Opus expects frame size per channel However, the code used to provide it with the total frame size. This made Opus believe that the associated buffers (arrays) are twice as large as they really are in case stereo audio is decoded. This can lead to out-of-bounds array accesses. --- src/mumble/AudioOutputSpeech.cpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/mumble/AudioOutputSpeech.cpp b/src/mumble/AudioOutputSpeech.cpp index 7a168e1f4f2..542f6dd6f53 100644 --- a/src/mumble/AudioOutputSpeech.cpp +++ b/src/mumble/AudioOutputSpeech.cpp @@ -346,7 +346,7 @@ bool AudioOutputSpeech::prepareSampleBuffer(unsigned int frameCount) { // packet normally in order to be able to play it. decodedSamples = opus_decode_float( opusState, qba.isEmpty() ? nullptr : reinterpret_cast< const unsigned char * >(qba.constData()), - qba.size(), pOut, static_cast< int >(iAudioBufferSize), 0); + qba.size(), pOut, static_cast< int >(iAudioBufferSize / channels), 0); } else { // If the packet is non-empty, but the associated user is locally muted, // we don't have to decode the packet. Instead it is enough to know how many @@ -398,7 +398,8 @@ bool AudioOutputSpeech::prepareSampleBuffer(unsigned int frameCount) { } } else { assert(m_codec == Mumble::Protocol::AudioCodec::Opus); - decodedSamples = opus_decode_float(opusState, nullptr, 0, pOut, static_cast< int >(iFrameSize), 0); + decodedSamples = + opus_decode_float(opusState, nullptr, 0, pOut, static_cast< int >(iFrameSizePerChannel), 0); decodedSamples *= static_cast< int >(channels); if (decodedSamples < 0) {
