Bug#682010: [mumble] Communication failures due to CELT codec library removal

[Ian Jackson <ijackson@chiark.greenend.org.uk>]

Chris Knadle writes ("Bug#682010: [mumble] Communication failures due to CELT codec library removal"):
> Package: tech-ctte
> Severity: normal
...
> This refers to Bug #675971 (which is severity grave, and currently closed)
> against the Mumble VoIP package, which is also affected by Bug #674650
> concerning the removal of the CELT library.  This evening we also just
> discovered the existence of Bug #674634 which concerns the CELT library
> removal as well, and which may have more of the technical story.

Thanks for this, including the clear summary.

> - From the point of view of the bug reporters, what we want is a
>   package that inter-operates with other Mumble clients and servers,
>   if possible.  To do this today would require reintroducing the celt
>   source package again, which is rumored to have potential security issues.
>   [We have not seen any details on this yet.]
> 
>   Note: this evening we think we have found a security expert who is
>   willing to audit the CELT 0.7.1 codec for issues and possibly provide
>   patches, assuming this is reasonably feasible.

This sounds like a good option to me.  I will write to the security
team and ask them for their opinion about CELT.

>From what you say I think:

 - We should try to address the security problems, if any, in the celt
   0.7.1 codec.  An audit would be very good.

 - This is a serious problem for mumble at least and is arguably RC.

Do you have people who are willing to be the maintainer(s) and (if
necessary) sponsor(s) for the celt package ?

I assume it would be possible to reintroduce a celt package which was
very similar to the one recently removed, so as to avoid risking
unnecessary bugs.

Ian.