On Wednesday, February 05, 2014 22:16:32 Salvatore Bonaccorso wrote:
> Hi Chris,
> 
> On Wed, Feb 05, 2014 at 11:09:00AM -0500, Chris Knadle wrote:
> > On Wednesday, February 05, 2014 16:10:36 Salvatore Bonaccorso wrote:
> > > Source: mumble
> > > Version: 1.2.3-349-g315b5f5-2.2
> > > Severity: grave
> > > Tags: security upstream fixed-upstream
> > > 
> > > Hi
> > > 
> > > Mumble has released a new upstream version fixing CVE-2014-0044 and
> > > CVE-2014-0045. See upstream commits at:
> > > 
> > > https://github.com/mumble-voip/mumble/commit/850649234d11685145193a59d72d98429e4f9ba7
> > > https://github.com/mumble-voip/mumble/commit/d3be3d7b96a5130e4b20f23e327b040ea4d0b079
> > > 
> > > Upstream announces at
> > > 
> > > http://mumble.info/security/Mumble-SA-2014-001.txt
> > > http://mumble.info/security/Mumble-SA-2014-002.txt
> > > 
> > > Regards,
> > > Salvatore
> > 
> > Thanks for fixing this.
> > 
> > As these commits were authored only 5 days ago I'd think the current
> > 1.2.4-0.1 package in Sid and Jessie has this issue too, unless there's
> > some other mitigating factor with the stable 1.2.4 version.
> 
> Yes, it is also, as it's supporting Opus; the reason is that I concentrated
> first on the wheezy-security upload.

Okay.  Currently there's ABI breakage in protobuf 2.5.0-7 which will be fixed 
with the -9 upload once it's finished being built; I have to wait for that 
before we can upload a new 1.2.4 mumble package with the fixes.  I've got both of the 
CVE patches queued for the next upload which I'm looking to do this weekend, 
but if you'd like to do a security fix on 1.2.4-0.1 after the protobuf -9 
build, go ahead and do so.

  -- Chris

--
Chris Knadle
chris.kna...@coredump.us
Description: Fix denial-of-service vulnerability
 CVE-2014-0044: A malformed Opus voice packet sent to a Mumble client
 could trigger a NULL pointer dereference or an out-of-bounds array
 access, leading to a crash (Denial of Service).
Author: Mikkel Krautz <mik...@krautz.dk>
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737739
Origin: upstream
Applied-Upstream: commit 850649234d11685145193a59d72d98429e4f9ba7
Last-Update: 2014-02-05

--- a/src/mumble/AudioOutputSpeech.cpp
+++ b/src/mumble/AudioOutputSpeech.cpp
@@ -148,8 +148,15 @@
 		int size;
 		pds >> size;
 		size &= 0x1fff;
+		if (size == 0) {
+			return;
+		}
 
 		const QByteArray &qba = pds.dataBlock(size);
+		if (size != qba.size() || !pds.isValid()) {
+			return;
+		}
+
 		const unsigned char *packet = reinterpret_cast<const unsigned char*>(qba.constData());
 
 #ifdef USE_OPUS
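Review bot: the two early returns drop the packet silently and each deserves a one-line comment, since the reason is not obvious from the code: `if (size == 0)` rejects an empty voice block before anything is handed to the decoder, and `if (size != qba.size() || !pds.isValid())` rejects a truncated datagram whose 13-bit length field (`size &= 0x1fff`) claims more bytes than `pds` actually holds. Note that the first guard is the only one covering the empty case, because `size == qba.size()` holds trivially when both are 0, so it should stay separate rather than be folded into the second condition.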
Description: Fix heap-based buffer overflow vulnerability
 CVE-2014-0045: A malformed Opus voice packet sent to a Mumble client
 could trigger a heap-based buffer overflow. This causes a client crash
 (Denial of Service) and can potentially be used to execute arbitrary
 code.
Author: Mikkel Krautz <mik...@krautz.dk>
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737739
Origin: upstream
Applied-Upstream: commit d3be3d7b96a5130e4b20f23e327b040ea4d0b079
Last-Update: 2014-02-05

--- a/src/mumble/AudioOutputSpeech.cpp
+++ b/src/mumble/AudioOutputSpeech.cpp
@@ -342,6 +342,10 @@
 					                                   pOut,
 					                                   iAudioBufferSize,
 					                                   0);
+					if (decodedSamples < 0) {
+						decodedSamples = iFrameSize;
+						memset(pOut, 0, iFrameSize * sizeof(float));
+					}
 #endif
 				} else {
 					if (qba.isEmpty()) {
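Review bot: the recovery path discards the error code and zero-fills `iFrameSize` samples, but the decode call directly above passes `iAudioBufferSize` as the frame-size argument to `opus_decode_float`; if the two values can differ, the `memset` length and the substituted `decodedSamples` should be the quantity the caller expects downstream, and a short comment stating why `iFrameSize` is the right one would help. Consider also logging the negative return (for example via `qWarning()`) before substituting silence, so that a run of undecodable packets is visible in the client log instead of being swallowed. Before this change the negative return value propagated as `decodedSamples` and was used as a sample count.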
@@ -391,6 +395,10 @@
 				} else if (umtType == MessageHandler::UDPVoiceOpus) {
 #ifdef USE_OPUS
 					decodedSamples = opus_decode_float(opusState, NULL, 0, pOut, iFrameSize, 0);
+					if (decodedSamples < 0) {
+						decodedSamples = iFrameSize;
+						memset(pOut, 0, iFrameSize * sizeof(float));
+					}
 #endif
 				} else {
 					speex_decode(dsSpeex, NULL, pOut);
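Review bot: this block is a verbatim copy of the guard added in the previous hunk; both sit under `USE_OPUS` and do the same thing (replace a negative `opus_decode_float` result with `iFrameSize` samples of silence), so factoring it into a small static helper would keep the two paths from drifting apart the next time one is touched. Here the call is the packet-loss-concealment form (`NULL, 0`), so a negative result indicates a decoder-state error rather than a malformed packet; zeroing `pOut` is a reasonable fallback, but that difference is worth a comment.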
