--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package mumble/1.3.0~git20190125.440b173+dfsg-2
- From: Chris Knadle <Chris.Knadle@coredump.us>
- Date: Sat, 1 May 2021 02:31:54 +0000
- Message-id: <dc757581-2764-1ee2-c03f-f38a1818be6f@coredump.us>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Greetings.
Attached is a debdiff for mumble to fix CVE-2021-27229 in Buster marked no-dsa
by the security team, bug #982904.
As the upload to buster-proposed-updates only contains one patch and a
changelog entry (the same patch used for mumble in Sid), I'm going to go
ahead and do the upload as suggested in Debian Developers Reference §5.5.1
paragraph 3.
-- Chris
--
Chris Knadle
Chris.Knadle@coredump.us
diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog
--- mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog 2019-02-28 16:36:21.000000000 +0000
+++ mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog 2021-04-30 22:24:25.000000000 +0000
@@ -1,3 +1,16 @@
+mumble (1.3.0~git20190125.440b173+dfsg-2+deb10u1) buster; urgency=medium
+
+ * debian/patches:
+ - Add 67-only-http-https-URLs-in-Connect.diff to fix CVE-2021-27229
+ "Mumble before 1.3.4 allows remote code execution if a victim navigates
+ to a crafted URL on a server list and clicks on the Open Webpage text."
+ This patch only allows "http"/"https" URLs in ConnectDialog
+ (Closes: #982904)
+ Thanks to Salvatore Bonaccorso <carnil@debian.org> for reporting the bug
+ and giving links to the fix.
+
+ -- Christopher Knadle <Chris.Knadle@coredump.us> Fri, 30 Apr 2021 22:24:25 +0000
+
mumble (1.3.0~git20190125.440b173+dfsg-2) unstable; urgency=medium
* debian/patches:
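Review bot: the changelog entry names the patch and the CVE but not the upstream fix it backports; the patch header further down carries the upstream commit id (e59ee87abe249f345908c7d568f6879d16bfd648) and the CVE text gives the fixed upstream version (1.3.4), so adding a line such as "Backport of upstream commit e59ee87 (fixed in 1.3.4)" to this entry would let the security tracker and future maintainers match the buster fix to upstream without opening the patch. The version string 1.3.0~git20190125.440b173+dfsg-2+deb10u1 and the "buster" distribution follow the stable-update convention, and the "(Closes: #982904)" reference matches the Bug-Debian field in the new patch.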
diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff
--- mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff 1970-01-01 00:00:00.000000000 +0000
+++ mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff 2021-03-04 08:44:10.000000000 +0000
@@ -0,0 +1,61 @@
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982904
+Last-Updated: 2021-03-04
+From e59ee87abe249f345908c7d568f6879d16bfd648 Mon Sep 17 00:00:00 2001
+From: Davide Beatrici <git@davidebeatrici.dev>
+Date: Fri, 5 Feb 2021 20:01:04 +0100
+Subject: [PATCH] FIX(client): Only allow "http"/"https" for URLs in
+ ConnectDialog
+
+Our public server list registration script doesn't have an URL scheme
+whitelist for the website field.
+
+Turns out a malicious server can register itself with a dangerous URL in
+an attempt to attack a user's machine.
+
+User interaction is required, as the URL has to be opened by
+right-clicking on the server entry and clicking on "Open Webpage".
+
+This commit introduces a client-side whitelist, which only allows "http"
+and "https" schemes. We will also implement it in our public list.
+
+In future we should probably add a warning QMessageBox informing the
+user that there's no guarantee the URL is safe (regardless of the
+scheme).
+
+Thanks a lot to https://positive.security for reporting the RCE
+vulnerability to us privately.
+---
+ src/mumble/ConnectDialog.cpp | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/src/mumble/ConnectDialog.cpp
++++ b/src/mumble/ConnectDialog.cpp
+@@ -1259,11 +1259,25 @@
+ }
+
+ void ConnectDialog::on_qaUrl_triggered() {
+- ServerItem *si = static_cast<ServerItem *>(qtwServers->currentItem());
+- if (! si || si->qsUrl.isEmpty())
++ auto *si = static_cast< const ServerItem * >(qtwServers->currentItem());
++ if (!si || si->qsUrl.isEmpty()) {
+ return;
++ }
+
+- QDesktopServices::openUrl(QUrl(si->qsUrl));
++ const QStringList allowedSchemes = { QLatin1String("http"), QLatin1String("https") };
++
++ const auto url = QUrl(si->qsUrl);
++ if (allowedSchemes.contains(url.scheme())) {
++ QDesktopServices::openUrl(url);
++ } else {
++ // Inform user that the requested URL has been blocked
++ QMessageBox msgBox;
++ msgBox.setText(QObject::tr("<b>Blocked URL scheme \"%1\"</b>").arg(url.scheme()));
++ msgBox.setInformativeText(QObject::tr("The URL uses a scheme that has been blocked for security reasons."));
++ msgBox.setDetailedText(QObject::tr("Blocked URL: \"%1\"").arg(url.toString()));
++ msgBox.setIcon(QMessageBox::Warning);
++ msgBox.exec();
++ }
+ }
+
+ void ConnectDialog::onFiltersTriggered(QAction *act) {
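Review bot: the inner hunk at `+@@ -1259,11 +1259,25 @@` introduces uses of QMessageBox, QStringList and QLatin1String but adds no `#include`; confirm that ConnectDialog.cpp in this 2019 snapshot already sees those declarations (directly or through the project's precompiled header), otherwise the buster build will fail and an `#include <QMessageBox>` line should be added to the patch. The check itself is sound as an allowlist: `allowedSchemes.contains(url.scheme())` is an exact match against "http" and "https", QUrl returns the scheme in lowercase so mixed-case input is normalised before the comparison, and a URL with no scheme yields an empty string that is rejected rather than passed to QDesktopServices::openUrl. The rejected URL is only shown in the dialog's detailed text, which is the right place for untrusted data; the `%1` in setText receives only the scheme. On the packaging side, the header has Bug-Debian and Last-Updated but no DEP-3 `Origin:` field; since the `From e59ee87abe...` line shows this is the upstream commit, an `Origin: upstream` (or `Applied-Upstream:`) line naming that commit would make the provenance machine-readable. Also note the hunk header carries no function context and the `-` lines use the older formatting of this snapshot, so verify with `quilt push -a` that it applies without fuzz here.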
diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series
--- mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series 2019-02-28 16:36:21.000000000 +0000
+++ mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series 2021-03-04 08:21:39.000000000 +0000
@@ -8,3 +8,4 @@
52-use-update-rc.d-for-disable.diff
60-crossbuild.diff
65-fix-sample-path.diff
+67-only-http-https-URLs-in-Connect.diff
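Review bot: the series entry is appended last and follows the existing numeric prefix convention (65 followed by 67), so ordering is fine; the file name matches both the new patch file and the changelog reference exactly, which is what dpkg-source needs.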
--- End Message ---