Re: mumble package / CVE-2018-20743
On 06/05/20 3:16 am, Brian May wrote:
> Hello All,
> Yesterday I started looking at an unclaimed package, mumble. I concluded
> that the security patch requires C++11, does unless C++11 support is
> enabled, but enabling C++11 support is not possible with the Jessie
> package as is because the Jessie package has no build support for C++11.
This was the initial problem by which I was contacted by Chris Knadle
(mumble maintainer). I enabled C++11 support and also got a PoC shared
by Chris. So with PoC it is clear that the upstream patch is inadequate
for jessie's version. We were under the assumption that packages in
stretch and buster are fixed as on random testing nothing popped up to
suspect. So I backported stretch version to jessie. During the testing,
it turns out package in stretch is also vulnerable. What I heard from
Chris is, there is a drastic change from 1.2.x to 1.3 that upstream no
longer understand 1.2.x and no interested in doing a patch. So we are
our own now.
> Then today I noticed that Abhijith is still working on this package, who
> added the following entry to dla-needed.txt:
> === cut ===
> commit c68a758f05548b7441dc218176123c37db4bb3bb
> Author: Abhijith PA <firstname.lastname@example.org>
> Date: Tue May 5 18:02:27 2020 +0530
> Add note for mumble in dla-needed.txt
> diff --git a/data/dla-needed.txt b/data/dla-needed.txt
> index 1f1e7888df..ef6beea1ac 100644
> --- a/data/dla-needed.txt
> +++ b/data/dla-needed.txt
> @@ -65,6 +65,7 @@ mumble
> NOTE: 20200325: Regression in last upload, forgot to follow up.
> NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
> NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
> + NOTE: 20200504: discussion going on with email@example.com and mumble maintainer (abhijith)
> NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasible and, alas, no tests. (lamby)
> === cut ===
> Unfortunately, I can't find any record of these discussions - in order
> to reduce duplicated work - is it possible you could please summarise
> here on debian-lts?
I believe its a severe issue thus initiated discussion privately with
> Alternatively (or maybe additionally) you might want to reclaim the
> mumble package again...
I will claim mumble.