Your message dated Sun, 19 Feb 2012 19:17:11 +0000
with message-id <[email protected]>
and subject line Bug#659039: fixed in mumble 1.2.2-6+squeeze1
has caused the Debian Bug report #659039,
regarding mumble: Mumble database is world-readable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
659039: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659039
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mumble
Version: 1.2.3-2
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu precise ubuntu-patch
By default, Mumble creates its config file and database with
world-readable permissions. The database may contain passwords.
In Ubuntu, the attached patch was applied to achieve the following:
* debian/patches/0004-set-file-permissions.patch: Set restrictive
permissions on data files. (LP: #783405)
Thanks for considering the patch.
-- System Information:
Debian Release: wheezy/sid
APT prefers precise-updates
APT policy: (500, 'precise-updates'), (500, 'precise-security'), (500, 'precise-proposed'), (500, 'precise')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-12-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru mumble-1.2.3/debian/changelog mumble-1.2.3/debian/changelog
diff -Nru mumble-1.2.3/debian/patches/0004-set-file-permissions.patch mumble-1.2.3/debian/patches/0004-set-file-permissions.patch
--- mumble-1.2.3/debian/patches/0004-set-file-permissions.patch 1969-12-31 19:00:00.000000000 -0500
+++ mumble-1.2.3/debian/patches/0004-set-file-permissions.patch 2012-02-07 10:24:47.000000000 -0500
@@ -0,0 +1,42 @@
+Description: Set restrictive permissions on data files.
+Origin: upstream, https://github.com/mumble-voip/mumble/commit/5632c35d6759f5e13a7dfe78e4ee6403ff6a8e3e
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/mumble/+bug/783405
+
+Index: mumble-1.2.3/src/mumble/Database.cpp
+===================================================================
+--- mumble-1.2.3.orig/src/mumble/Database.cpp 2011-02-19 16:35:16.000000000 -0500
++++ mumble-1.2.3/src/mumble/Database.cpp 2012-02-07 10:21:02.398225505 -0500
+@@ -92,6 +92,11 @@
+ qWarning("Database: Database is read-only");
+ }
+
++ {
++ QFile f(db.databaseName());
++ f.setPermissions(f.permissions() & ~(QFile::ReadGroup | QFile::WriteGroup | QFile::ExeGroup | QFile::ReadOther | QFile::WriteOther | QFile::ExeOther));
++ }
++
+ QSqlQuery query;
+
+ query.exec(QLatin1String("CREATE TABLE IF NOT EXISTS `servers` (`id` INTEGER PRIMARY KEY AUTOINCREMENT, `name` TEXT, `hostname` TEXT, `port` INTEGER DEFAULT 64738, `username` TEXT, `password` TEXT)"));
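Review bot: the mode is tightened only after QSqlDatabase has already created and opened the file, so on a first run the SQLite database exists with whatever the process umask allows (commonly world-readable) until `f.setPermissions(...)` runs, and the return value of `setPermissions` is discarded, so a failed chmod is silent. Consider checking the result and reporting it with `qWarning` the way the preceding lines report the read-only case, and state in the Description that existing installations are only corrected the next time the client opens the database.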
+Index: mumble-1.2.3/src/mumble/Settings.cpp
+===================================================================
+--- mumble-1.2.3.orig/src/mumble/Settings.cpp 2011-02-19 16:35:17.000000000 -0500
++++ mumble-1.2.3/src/mumble/Settings.cpp 2012-02-07 10:21:02.398225505 -0500
+@@ -698,6 +698,17 @@
+ void OverlaySettings::save(QSettings* settings_ptr) {
+ OverlaySettings def;
+
++ settings_ptr->setValue(QLatin1String("version"), QLatin1String(MUMTEXT(MUMBLE_VERSION_STRING)));
++ settings_ptr->sync();
++
++#if defined(Q_OS_WIN) || defined(Q_OS_MAC)
++ if (settings_ptr->format() == QSettings::IniFormat)
++#endif
++ {
++ QFile f(settings_ptr->fileName());
++ f.setPermissions(f.permissions() & ~(QFile::ReadGroup | QFile::WriteGroup | QFile::ExeGroup | QFile::ReadOther | QFile::WriteOther | QFile::ExeOther));
++ }
++
+ SAVELOAD(bEnable, "enable");
+
+ SAVELOAD(osShow, "show");
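Review bot: the `#if defined(Q_OS_WIN) || defined(Q_OS_MAC)` guard wraps only the `if (settings_ptr->format() == QSettings::IniFormat)` line, so on every other platform the braced block runs unconditionally; that is presumably intended, but a one-line comment explaining that the native Windows/macOS settings backends have no INI file to chmod would stop a reader from taking it for a stray `#endif`. The new `version` key and the `settings_ptr->sync()` call are not mentioned in the Description; if `sync()` is there to make sure the file exists before `QFile f(settings_ptr->fileName())` is chmodded, say so. As in Database.cpp, the result of `setPermissions` is ignored.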
--- End Message ---
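The report above describes a client that creates its configuration file and database readable by every local user, and the patch corrects this by tightening the mode once the file already exists. The C program below is an added example, not code from the bug report or from the Mumble project; it uses plain POSIX calls rather than Qt, and the file names and the temporary directory under /tmp are constructed for the demonstration. It shows the brief exposure window of a create-then-chmod sequence under a 022 umask, the alternative of requesting mode 0600 at creation so that no exposed state ever exists, and an `exposed_to_others()` check that can be pointed at any data file to audit whether group or other bits are set.

```c
/* Added example (not from the bug report or Mumble): POSIX illustration of
 * why "create, then chmod" leaves a window, and how to create a private
 * file from the start. All paths are constructed temporary files. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mode bits that grant group or other users any access at all. */
#define GROUP_OTHER_BITS (S_IRWXG | S_IRWXO)

/* Audit check: 1 if `path` is accessible by group or others, 0 if private,
 * -1 if it cannot be stat'ed. Point it at a client's database or config. */
int exposed_to_others(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & GROUP_OTHER_BITS) ? 1 : 0;
}

/* The pattern the patch uses: the file is created subject to the process
 * umask and tightened afterwards. Returns the mode seen between the two
 * steps, i.e. what another local user could observe during the window. */
mode_t create_then_chmod(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666); /* umask applies */
    if (fd < 0) return (mode_t)-1;
    struct stat st;
    fstat(fd, &st);
    mode_t during_window = st.st_mode & 0777;
    fchmod(fd, 0600);                       /* the after-the-fact fix-up */
    close(fd);
    return during_window;
}

/* Preferred: ask for 0600 at creation. umask can only clear bits, never
 * add them, so the file is private from its first instant of existence. */
int create_private(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Run both patterns under a world-readable umask in a fresh temp dir.
 * Returns 1 if the first pattern was exposed during its window while both
 * files end up private, 0 otherwise, -1 if the temp dir cannot be made. */
int demo_window(void) {
    char dir[] = "/tmp/permdemo-XXXXXX";          /* constructed location */
    if (mkdtemp(dir) == NULL) return -1;
    char a[256], b[256];
    snprintf(a, sizeof a, "%s/create_then_chmod.db", dir);
    snprintf(b, sizeof b, "%s/create_private.db", dir);

    mode_t old = umask(022);                       /* a common default */
    mode_t observed = create_then_chmod(a);        /* 0644 during window */
    create_private(b);
    umask(old);

    int window_open = (observed & GROUP_OTHER_BITS) != 0;
    int a_now = exposed_to_others(a);              /* 0 after fchmod */
    int b_now = exposed_to_others(b);              /* 0 from the start */

    unlink(a); unlink(b); rmdir(dir);
    return (window_open && a_now == 0 && b_now == 0) ? 1 : 0;
}

int main(void) {
    int r = demo_window();
    printf("create-then-chmod was exposed during its window, "
           "create-with-0600 never was: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

Run against the Mumble client's database and configuration paths on a given install, `exposed_to_others()` returning 1 is exactly the condition the report describes; after a fixed client has opened those files once they should report 0, and any sidecar files the application creates alongside them deserve the same check.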
--- Begin Message ---
Source: mumble
Source-Version: 1.2.2-6+squeeze1
We believe that the bug you reported is fixed in the latest version of
mumble, which is due to be installed in the Debian FTP archive:
mumble-11x_1.2.2-6+squeeze1_amd64.deb
to main/m/mumble/mumble-11x_1.2.2-6+squeeze1_amd64.deb
mumble-dbg_1.2.2-6+squeeze1_amd64.deb
to main/m/mumble/mumble-dbg_1.2.2-6+squeeze1_amd64.deb
mumble-server-web_1.2.2-6+squeeze1_all.deb
to main/m/mumble/mumble-server-web_1.2.2-6+squeeze1_all.deb
mumble-server_1.2.2-6+squeeze1_amd64.deb
to main/m/mumble/mumble-server_1.2.2-6+squeeze1_amd64.deb
mumble_1.2.2-6+squeeze1.debian.tar.gz
to main/m/mumble/mumble_1.2.2-6+squeeze1.debian.tar.gz
mumble_1.2.2-6+squeeze1.dsc
to main/m/mumble/mumble_1.2.2-6+squeeze1.dsc
mumble_1.2.2-6+squeeze1_amd64.deb
to main/m/mumble/mumble_1.2.2-6+squeeze1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Matthäi <[email protected]> (supplier of updated mumble package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 17 Feb 2012 14:13:34 +0100
Source: mumble
Binary: mumble mumble-11x mumble-server mumble-dbg mumble-server-web
Architecture: source all amd64
Version: 1.2.2-6+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Patrick Matthäi <[email protected]>
Description:
mumble - Low latency VoIP client
mumble-11x - Low latency VoIP client (1.1.x)
mumble-dbg - Low latency VoIP client (debugging symbols)
mumble-server - Low latency VoIP server
mumble-server-web - Web scripts for mumble-server
Closes: 659039
Changes:
mumble (1.2.2-6+squeeze1) stable-security; urgency=high
.
* Add patch 0005-set-file-permissions from Marc Deslauriers, which fixes the
world readable file permissions of the Mumble SQLite database, as described
in CVE-2012-0863.
Closes: #659039
Checksums-Sha1:
940701430019a4178b81165fa152cfa3b5e5fc3d 2557 mumble_1.2.2-6+squeeze1.dsc
b2a7fd50e70147b3ea2361cbc5a577b0e1ae45ea 2920587 mumble_1.2.2.orig.tar.gz
ac613eb9d289448ecf3e974e0a8f9481277003e2 32430 mumble_1.2.2-6+squeeze1.debian.tar.gz
eb769c54327b1eaec9c3be40ead444bc09246752 94742 mumble-server-web_1.2.2-6+squeeze1_all.deb
76d2371cc84d96f70a8c1e8637dfe7e5c72dddf9 2215346 mumble_1.2.2-6+squeeze1_amd64.deb
0ff0aae4f1db44da6dfd0a27767b73ab9e614e19 1279340 mumble-11x_1.2.2-6+squeeze1_amd64.deb
f7da3c81635defae574db32017d482c88994a171 815390 mumble-server_1.2.2-6+squeeze1_amd64.deb
d77df6d1cf6a3062f549ef03b0513f08d5ba24c9 24314666 mumble-dbg_1.2.2-6+squeeze1_amd64.deb
Checksums-Sha256:
a8a0a530f1cddb827e1c54034b5f4893d1ce9106601f3c3520a27ff61141a183 2557 mumble_1.2.2-6+squeeze1.dsc
2c564e3d5b7481129482f2365375a2dc77e134c0c00012073cfdfbeadaa49be8 2920587 mumble_1.2.2.orig.tar.gz
b15b080cf9932491efbc051f191042be7c13e697a374a140e96223eba5866b72 32430 mumble_1.2.2-6+squeeze1.debian.tar.gz
0d9713ec27ad89e06259a2b692e821018238227827acdf2cfb6d138ea79c0106 94742 mumble-server-web_1.2.2-6+squeeze1_all.deb
8278a6a2e9cf81c09c0f8e2273659d493abad1d007a1835dd0b68b86c25571a2 2215346 mumble_1.2.2-6+squeeze1_amd64.deb
1f6bb4a30ab2de983dfbaac7877fbfb3dcf0c23852a33c206d7de4cf464999db 1279340 mumble-11x_1.2.2-6+squeeze1_amd64.deb
d1ed776acb24d11f16ec9491a555be016ccb817f2b23f99f6f73a18b57dffced 815390 mumble-server_1.2.2-6+squeeze1_amd64.deb
c71755308c16f50a1e8c32f4450b5172e6750bf4f594a34bee03f177f4b093dc 24314666 mumble-dbg_1.2.2-6+squeeze1_amd64.deb
Files:
ea02a2d446b2edd36e1d1502ea6cfb88 2557 sound optional mumble_1.2.2-6+squeeze1.dsc
de30ee85170e183b66568b53b04c5727 2920587 sound optional mumble_1.2.2.orig.tar.gz
2a4ada84870c369d2b180145e73d4512 32430 sound optional mumble_1.2.2-6+squeeze1.debian.tar.gz
4f072221f76f8328a41521d738e4769f 94742 sound optional mumble-server-web_1.2.2-6+squeeze1_all.deb
4ecab88ebab758860598a09f8b4673bb 2215346 sound optional mumble_1.2.2-6+squeeze1_amd64.deb
7c5f778f7eb2ec8717d922a2c69576fc 1279340 sound optional mumble-11x_1.2.2-6+squeeze1_amd64.deb
62245b83b73a57f6f7dd7bba0c055c1f 815390 sound optional mumble-server_1.2.2-6+squeeze1_amd64.deb
3c9f28bc05dcaaf344b265b0226846df 24314666 debug extra mumble-dbg_1.2.2-6+squeeze1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---