Red Hat Bugzilla – Bug 610845
CVE-2010-2490 Mumble: Remotely exploitable DoS (murmur server termination) due to QueryUsers Qt SQLite database bug
Last modified: 2011-06-08 09:12:46 EDT
Luigi Auriemma reported [1] a deficiency in the way the Mumble server processed malformed SQL query data. A remote, authenticated user could use this flaw to cause a denial of service (mumble server termination) via a specially-crafted QueryUsers Qt SQLite SQL query.

References:
[1] http://aluigi.altervista.org/adv/mumbleed-adv.txt
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587713

Public PoC:
[3] http://aluigi.org/poc/mumbleed.zip

CVE Request:
[4] http://www.openwall.com/lists/oss-security/2010/07/02/2
Than, Jaroslav, though this flaw is reported against Murmur (mumble server), it speaks about some Qt SQLite QueryUsers database bug. Could you please check what the true reason for this behavior is:
1. either Mumble incorrectly calling some Qt function, or
2. a deficiency in that Qt function itself?
Because if 2 is the case, this might be a more general issue, and it's possible there are other ways this could be exploited (triggering termination of other applications depending on Qt's SQLite). Thanks, Jan.
This is the commit that was used by Debian to fix the flaw: https://github.com/mumble-voip/mumble/commit/6b33dda344f89e5a039b7d79eb43925040654242

The problem seems to be related to long usernames and the LIKE statement; the upstream commit message is:

"Don't crash on long usernames"

and the corresponding Debian changelog entry is:

mumble (1.2.2-4) unstable; urgency=high
  * Fix failure with SQLite with very long 'like' matches. Closes: #587713

This would affect all of the versions of mumble we are shipping.
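The comment above only says that the crash involved very long LIKE matches against the user table; the page does not show what the upstream commit changed. The following is an added illustration, not Mumble's code and not the contents of that commit: a lookup that hands a client-supplied filter straight to SQLite's LIKE beside a hardened version that bounds the filter length, escapes LIKE metacharacters and turns a database error into a failed request instead of an unhandled one. The in-memory table, its `players`/`name` schema, the `MAX_FILTER_LEN` bound and the function names are all assumptions made for the example. SQLite's default `SQLITE_MAX_LIKE_PATTERN_LENGTH` of 50000, above which the engine reports "LIKE or GLOB pattern too complex", is the only real limit referenced.

```python
import sqlite3

# Assumed bound for an untrusted name filter; chosen to sit far below SQLite's
# default LIKE pattern limit (SQLITE_MAX_LIKE_PATTERN_LENGTH, 50000 by default).
MAX_FILTER_LEN = 256


def make_db():
    """Constructed in-memory stand-in for a registered-user table (not Mumble's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (player_id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO players (name) VALUES (?)",
        [("alice",), ("alicia",), ("bob",)],
    )
    conn.commit()
    return conn


def query_users_unchecked(conn, name_filter):
    """Fragile shape: an arbitrary-length, unescaped client filter goes straight to LIKE.

    Once the pattern exceeds SQLite's LIKE pattern limit the driver raises
    sqlite3.OperationalError; a server that does not expect a lookup to fail
    lets that error propagate, and a lookup request becomes a crash.
    """
    cur = conn.execute(
        "SELECT player_id, name FROM players WHERE name LIKE ?",
        (f"%{name_filter}%",),
    )
    return [row[1] for row in cur.fetchall()]


def query_users_hardened(conn, name_filter):
    """Validate the untrusted filter before it reaches SQL and treat any
    database error as a failed request rather than a fatal one.

    Returns a list of matching names, or None when the request is rejected
    (the caller should answer the client with an error and carry on serving).
    """
    if not isinstance(name_filter, str) or len(name_filter) > MAX_FILTER_LEN:
        return None
    # Escape LIKE metacharacters so the client cannot widen the match;
    # ESCAPE '\' tells SQLite that a backslash marks a literal %, _ or \.
    escaped = (
        name_filter.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    try:
        cur = conn.execute(
            "SELECT player_id, name FROM players WHERE name LIKE ? ESCAPE '\\'",
            (f"%{escaped}%",),
        )
        return [row[1] for row in cur.fetchall()]
    except sqlite3.OperationalError:
        # e.g. "LIKE or GLOB pattern too complex": report failure, do not die.
        return None


if __name__ == "__main__":
    db = make_db()
    print(query_users_hardened(db, "ali"))          # ['alice', 'alicia']
    print(query_users_hardened(db, "a" * 100000))   # None: rejected before SQL
    try:
        query_users_unchecked(db, "a" * 100000)
    except sqlite3.OperationalError as exc:
        print("unchecked lookup failed:", exc)
```

The length check runs before any SQL is built, so the oversized filter never reaches the engine; the `except` clause is the second line of defence for whatever other error the database may raise, and the escaping keeps a client from turning a substring search into a wildcard scan.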
Created mumble tracking bugs for this issue.
Affects: fedora-all [bug 691545]
Will have the fix out by Tue/Wed evening, thereby updating to 1.2.3. Mh. Why didn't I see the report back in July?
Not sure why you didn't see it back then, but thank you for looking after it now.
You're welcome. Mumble's been a bit neglected by me as I'm still waiting for this review #641572 But I guess I'll just make it a subpackage or so given that mumble is the sole package needing it and we need that security fix now.
I have packaged mumble 1.2.3 locally. I am still awaiting the celt071 review which I was told will definitely happen this weekend. Once that package is reviewed, I will push the update -- unless you'd like me to push the upgrade first and then push the next update with the celt071 dependency.
If it happens this week, waiting for that review is fine. This issue is pretty old, so waiting another few days or week isn't going to be a big problem.
Any updates on this?
Yes, I'm going to catch up on this work today. Sorry, this last part of school has, once again, proven more work-intensive than expected. Going to push the update later today.
The CVE identifier of CVE-2010-2490 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2010/07/02/11
Mumble 1.2.3 has reached stable by now. Seems like I forgot these two bugs in the bodhi update. Closing.
(In reply to comment #13)
> Mumble 1.2.3 has reached stable by now.
> Seems like I forgot these two bugs in the bodhi update.
>
> Closing.

Thanks Andreas, will mention the relevant updates yet and change the resolution of this bug to errata.
This issue has been addressed in the following updates:
1) mumble-1.2.3-2.fc15 for Fedora-15:
http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060747.html
2) mumble-1.2.3-2.fc14 for Fedora-14:
http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061217.html