Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id 
<5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #987859,
regarding buster-pu: package mumble/1.3.0~git20190125.440b173+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
987859: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987859
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

Greetings.

Attached is a debdiff for mumble to fix CVE-2021-27229 in Buster marked no-dsa
by the security team, bug #982904.

As the upload to buster-proposed-updates only contains one patch and a
changelog entry (the same patch used for mumble in Sid), I'm going to go
ahead and do the upload as suggested in Debian Developer's Reference §5.5.1
paragraph 3.

  -- Chris

--
Chris Knadle
[email protected]
diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog 
mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog
--- mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog      2019-02-28 
16:36:21.000000000 +0000
+++ mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog      2021-04-30 
22:24:25.000000000 +0000
@@ -1,3 +1,16 @@
+mumble (1.3.0~git20190125.440b173+dfsg-2+deb10u1) buster; urgency=medium
+
+  * debian/patches:
+    - Add 67-only-http-https-URLs-in-Connect.diff to fix CVE-2021-27229
+      "Mumble before 1.3.4 allows remote code execution if a victim navigates
+       to a crafted URL on a server list and clicks on the Open Webpage text."
+      This patch only allows "http"/"https" URLs in ConnectDialog
+      (Closes: #982904)
+      Thanks to Salvatore Bonaccorso <[email protected]> for reporting the bug
+      and giving links to the fix.
+
+ -- Christopher Knadle <[email protected]>  Fri, 30 Apr 2021 22:24:25 
+0000
+
 mumble (1.3.0~git20190125.440b173+dfsg-2) unstable; urgency=medium
 
   * debian/patches:
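Review bot: The changelog entry under-describes the user-visible side of the patch: 67-only-http-https-URLs-in-Connect.diff does not only restrict ConnectDialog to "http"/"https" URLs, it also pops up a QMessageBox ("Blocked URL scheme ...") when a server entry's URL is rejected. Stable users reading the changelog after the point release will see that new dialog, so a short clause such as "and shows a warning dialog when a URL with another scheme is blocked" would be worth adding next to the "(Closes: #982904)" line.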
diff -Nru 
mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff
 
mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff
--- 
mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff
        1970-01-01 00:00:00.000000000 +0000
+++ 
mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff
        2021-03-04 08:44:10.000000000 +0000
@@ -0,0 +1,61 @@
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982904
+Last-Updated: 2021-03-04
+From e59ee87abe249f345908c7d568f6879d16bfd648 Mon Sep 17 00:00:00 2001
+From: Davide Beatrici <[email protected]>
+Date: Fri, 5 Feb 2021 20:01:04 +0100
+Subject: [PATCH] FIX(client): Only allow "http"/"https" for URLs in
+ ConnectDialog
+
+Our public server list registration script doesn't have an URL scheme
+whitelist for the website field.
+
+Turns out a malicious server can register itself with a dangerous URL in
+an attempt to attack a user's machine.
+
+User interaction is required, as the URL has to be opened by
+right-clicking on the server entry and clicking on "Open Webpage".
+
+This commit introduces a client-side whitelist, which only allows "http"
+and "https" schemes. We will also implement it in our public list.
+
+In future we should probably add a warning QMessageBox informing the
+user that there's no guarantee the URL is safe (regardless of the
+scheme).
+
+Thanks a lot to https://positive.security for reporting the RCE
+vulnerability to us privately.
+---
+ src/mumble/ConnectDialog.cpp | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/src/mumble/ConnectDialog.cpp
++++ b/src/mumble/ConnectDialog.cpp
+@@ -1259,11 +1259,25 @@
+ }
+ 
+ void ConnectDialog::on_qaUrl_triggered() {
+-      ServerItem *si = static_cast<ServerItem *>(qtwServers->currentItem());
+-      if (! si || si->qsUrl.isEmpty())
++      auto *si = static_cast< const ServerItem * >(qtwServers->currentItem());
++      if (!si || si->qsUrl.isEmpty()) {
+               return;
++      }
+ 
+-      QDesktopServices::openUrl(QUrl(si->qsUrl));
++      const QStringList allowedSchemes = { QLatin1String("http"), 
QLatin1String("https") };
++
++      const auto url = QUrl(si->qsUrl);
++      if (allowedSchemes.contains(url.scheme())) {
++              QDesktopServices::openUrl(url);
++      } else {
++              // Inform user that the requested URL has been blocked
++              QMessageBox msgBox;
++              msgBox.setText(QObject::tr("<b>Blocked URL scheme 
\"%1\"</b>").arg(url.scheme()));
++              msgBox.setInformativeText(QObject::tr("The URL uses a scheme 
that has been blocked for security reasons."));
++              msgBox.setDetailedText(QObject::tr("Blocked URL: 
\"%1\"").arg(url.toString()));
++              msgBox.setIcon(QMessageBox::Warning);
++              msgBox.exec();
++      }
+ }
+ 
+ void ConnectDialog::onFiltersTriggered(QAction *act) {
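Review bot: The blocked-URL branch in on_qaUrl_triggered() does not distinguish a URL that simply has no scheme from one with a disallowed scheme: for a website field holding a bare host or a relative value, url.scheme() is empty, allowedSchemes.contains() is false (correct, it should not be opened), but the dialog then reads `Blocked URL scheme ""`, which tells the user nothing. Consider checking `!url.isValid() || url.scheme().isEmpty()` before the whitelist test and wording that case separately ("The server did not provide a usable web address"). Two smaller points on the same hunk: the `allowedSchemes.contains(url.scheme())` comparison is case-sensitive and therefore relies on QUrl::scheme() handing back the scheme in lowercase, which Qt 5 does, so a one-line comment stating that assumption would save the next reader a trip to the docs; and since this is a member of ConnectDialog (a QObject subclass), plain `tr(...)` keeps the strings in the ConnectDialog translation context, whereas `QObject::tr(...)` files them under "QObject" and they may miss existing translation lookups. Finally, the DEP-3 header carries Bug-Debian and Last-Updated but no `Origin:` line; the embedded From line already names upstream commit e59ee87abe249f345908c7d568f6879d16bfd648, so recording that as the origin makes the provenance of the backport checkable without opening the file.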
diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series 
mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series
--- mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series 2019-02-28 
16:36:21.000000000 +0000
+++ mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series 2021-03-04 
08:21:39.000000000 +0000
@@ -8,3 +8,4 @@
 52-use-update-rc.d-for-disable.diff
 60-crossbuild.diff
 65-fix-sample-path.diff
+67-only-http-https-URLs-in-Connect.diff

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
