Re: mumble package / CVE-2018-20743

To: Brian May <brian@linuxpenguins.xyz>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: mumble package / CVE-2018-20743
From: Abhijith PA <abhijith@disroot.org>
Date: Wed, 6 May 2020 19:48:41 +0530
Message-id: <[🔎] c2a4ae40-66b8-5d7b-a8e9-f181895ace67@disroot.org>
In-reply-to: <[🔎] 87tv0ucaww.fsf@silverfish.pri>
References: <[🔎] 87tv0ucaww.fsf@silverfish.pri>

Brian,

On 06/05/20 3:16 am, Brian May wrote:
> Hello All,
> 
> Background:
> 
> Yesterday I started looking at an unclaimed package, mumble. I concluded
> that the security patch requires C++11, does unless C++11 support is
> enabled, but enabling C++11 support is not possible with the Jessie
> package as is because the Jessie package has no build support for C++11.

This was the initial problem by which I was contacted by Chris Knadle
(mumble maintainer). I enabled C++11 support and also got a PoC shared
by Chris. So with PoC it is clear that the upstream patch is inadequate
for jessie's version. We were under the assumption that packages in
stretch and buster are fixed as on random testing nothing popped up to
suspect. So I backported stretch version to jessie. During the testing,
it turns out package in stretch is also vulnerable. What I heard from
Chris is, there is a drastic change from 1.2.x to 1.3 that upstream no
longer understand 1.2.x and no interested in doing a patch. So we are
our own now.

> Then today I noticed that Abhijith is still working on this package, who
> added the following entry to dla-needed.txt:
> 
> === cut ===
> commit c68a758f05548b7441dc218176123c37db4bb3bb
> Author: Abhijith PA <abhijith@disroot.org>
> Date:   Tue May 5 18:02:27 2020 +0530
> 
>     Add note for mumble in dla-needed.txt
> 
> diff --git a/data/dla-needed.txt b/data/dla-needed.txt
> index 1f1e7888df..ef6beea1ac 100644
> --- a/data/dla-needed.txt
> +++ b/data/dla-needed.txt
> @@ -65,6 +65,7 @@ mumble
>    NOTE: 20200325: Regression in last upload, forgot to follow up.
>    NOTE: 20200325: https://github.com/mumble-voip/mumble/issues/3605 (abhijith)
>    NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
> +  NOTE: 20200504: discussion going on with team@security.debian.org and mumble maintainer (abhijith)
>  --
>  nginx
>    NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasible and, alas, no tests. (lamby)
> === cut ===
> 
> 
> Abhijith:
> 
> Unfortunately, I can't find any record of these discussions - in order
> to reduce duplicated work - is it possible you could please summarise
> here on debian-lts?

I believe its a severe issue thus initiated discussion privately with
team@security.debian.org

> Alternatively (or maybe additionally) you might want to reclaim the
> mumble package again...

I will claim mumble.


--abhijith

Reply to:

Follow-Ups:
- Re: mumble package / CVE-2018-20743
  - From: Brian May <bam@debian.org>

References:
- mumble package / CVE-2018-20743
  - From: Brian May <brian@linuxpenguins.xyz>

Prev by Date: mumble package / CVE-2018-20743
Next by Date: Re: mumble package / CVE-2018-20743
Previous by thread: mumble package / CVE-2018-20743
Next by thread: Re: mumble package / CVE-2018-20743
Index(es):
- Date
- Thread