Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Greetings.

Attached is a debdiff for mumble to fix CVE-2021-27229 in Buster marked no-dsa by the security team, bug #982904.

As the upload to buster-proposed-updates only contains one patch and a changelog entry (the same patch used for mumble in Sid), I'm going to go ahead and do the upload as suggested in Debian Developers Reference §5.5.1 paragraph 3.

   -- Chris

-- 
Chris Knadle
chris.kna...@coredump.us

diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog --- mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog 2019-02-28 16:36:21.000000000 +0000 +++ mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog 2021-04-30 22:24:25.000000000 +0000 @@ -1,3 +1,16 @@ +mumble (1.3.0~git20190125.440b173+dfsg-2+deb10u1) buster; urgency=medium + + * debian/patches: + - Add 67-only-http-https-URLs-in-Connect.diff to fix CVE-2021-27229 + "Mumble before 1.3.4 allows remote code execution if a victim navigates + to a crafted URL on a server list and clicks on the Open Webpage text." + This patch only allows "http"/"https" URLs in ConnectDialog + (Closes: #982904) + Thanks to Salvatore Bonaccorso <car...@debian.org> for reporting the bug + and giving links to the fix. + + -- Christopher Knadle <chris.kna...@coredump.us> Fri, 30 Apr 2021 22:24:25 +0000 + mumble (1.3.0~git20190125.440b173+dfsg-2) unstable; urgency=medium * debian/patches: diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff --- mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff 1970-01-01 00:00:00.000000000 +0000 +++ mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff 2021-03-04 08:44:10.000000000 +0000 
@@ -0,0 +1,61 @@ +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982904 +Last-Updated: 2021-03-04 +From e59ee87abe249f345908c7d568f6879d16bfd648 Mon Sep 17 00:00:00 2001 +From: Davide Beatrici <g...@davidebeatrici.dev> +Date: Fri, 5 Feb 2021 20:01:04 +0100 +Subject: [PATCH] FIX(client): Only allow "http"/"https" for URLs in + ConnectDialog + +Our public server list registration script doesn't have an URL scheme +whitelist for the website field. + +Turns out a malicious server can register itself with a dangerous URL in +an attempt to attack a user's machine. + +User interaction is required, as the URL has to be opened by +right-clicking on the server entry and clicking on "Open Webpage". + +This commit introduces a client-side whitelist, which only allows "http" +and "https" schemes. We will also implement it in our public list. + +In future we should probably add a warning QMessageBox informing the +user that there's no guarantee the URL is safe (regardless of the +scheme). + +Thanks a lot to https://positive.security for reporting the RCE +vulnerability to us privately. +--- + src/mumble/ConnectDialog.cpp | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/src/mumble/ConnectDialog.cpp ++++ b/src/mumble/ConnectDialog.cpp +@@ -1259,11 +1259,25 @@ + } + + void ConnectDialog::on_qaUrl_triggered() { +- ServerItem *si = static_cast<ServerItem *>(qtwServers->currentItem()); +- if (! 
si || si->qsUrl.isEmpty()) ++ auto *si = static_cast< const ServerItem * >(qtwServers->currentItem()); ++ if (!si || si->qsUrl.isEmpty()) { + return; ++ } + +- QDesktopServices::openUrl(QUrl(si->qsUrl)); ++ const QStringList allowedSchemes = { QLatin1String("http"), QLatin1String("https") }; ++ ++ const auto url = QUrl(si->qsUrl); ++ if (allowedSchemes.contains(url.scheme())) { ++ QDesktopServices::openUrl(url); ++ } else { ++ // Inform user that the requested URL has been blocked ++ QMessageBox msgBox; ++ msgBox.setText(QObject::tr("<b>Blocked URL scheme \"%1\"</b>").arg(url.scheme())); ++ msgBox.setInformativeText(QObject::tr("The URL uses a scheme that has been blocked for security reasons.")); ++ msgBox.setDetailedText(QObject::tr("Blocked URL: \"%1\"").arg(url.toString())); ++ msgBox.setIcon(QMessageBox::Warning); ++ msgBox.exec(); ++ } + } + + void ConnectDialog::onFiltersTriggered(QAction *act) { diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series --- mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series 2019-02-28 16:36:21.000000000 +0000 +++ mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series 2021-03-04 08:21:39.000000000 +0000 @@ -8,3 +8,4 @@ 52-use-update-rc.d-for-disable.diff 60-crossbuild.diff 65-fix-sample-path.diff +67-only-http-https-URLs-in-Connect.diff
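
Review bot: the header of debian/patches/67-only-http-https-URLs-in-Connect.diff uses `Last-Updated:`, but the DEP-3 field name is `Last-Update:`, which is the spelling that tools reading DEP-3 headers look for. While renaming it, an `Origin: upstream, <URL of commit e59ee87abe249f345908c7d568f6879d16bfd648>` line would record where the patch came from; the commit id is already in the `From` line, but the upstream location is not stated anywhere in the header.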
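
Review bot: in ConnectDialog::on_qaUrl_triggered(), the allowlist test `allowedSchemes.contains(url.scheme())` is an exact, case-sensitive match, and a website string with no scheme at all also falls into the else branch, where the user is shown `Blocked URL scheme ""`. The check fails closed, so this is a usability point rather than a bypass, but I would make the case handling explicit with `allowedSchemes.contains(url.scheme(), Qt::CaseInsensitive)` and give empty or invalid URLs (`!url.isValid() || url.scheme().isEmpty()`) their own message instead of the "blocked scheme" one. Separately, `QMessageBox msgBox;` is created without a parent; `QMessageBox msgBox(this);` would keep the warning attached to the connect dialog.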