
Bug#987859: buster-pu: package mumble/1.3.0~git20190125.440b173+dfsg-2



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Greetings.

Attached is a debdiff for mumble to fix CVE-2021-27229 in Buster marked no-dsa
by the security team, bug #982904.

As the upload to buster-proposed-updates only contains one patch and a
changelog entry (the same patch used for mumble in Sid), I'm going to go
ahead and do the upload as suggested in Debian Developers Reference §5.5.1
paragraph 3.

  -- Chris

--
Chris Knadle
Chris.Knadle@coredump.us
diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog
--- mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog	2019-02-28 16:36:21.000000000 +0000
+++ mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog	2021-04-30 22:24:25.000000000 +0000
@@ -1,3 +1,16 @@
+mumble (1.3.0~git20190125.440b173+dfsg-2+deb10u1) buster; urgency=medium
+
+  * debian/patches:
+    - Add 67-only-http-https-URLs-in-Connect.diff to fix CVE-2021-27229
+      "Mumble before 1.3.4 allows remote code execution if a victim navigates
+       to a crafted URL on a server list and clicks on the Open Webpage text."
+      This patch only allows "http"/"https" URLs in ConnectDialog
+      (Closes: #982904)
+      Thanks to Salvatore Bonaccorso <carnil@debian.org> for reporting the bug
+      and giving links to the fix.
+
+ -- Christopher Knadle <Chris.Knadle@coredump.us>  Fri, 30 Apr 2021 22:24:25 +0000
+
 mumble (1.3.0~git20190125.440b173+dfsg-2) unstable; urgency=medium
 
   * debian/patches:
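Review bot: the new changelog entry names the patch file and the CVE but not the upstream commit the fix was taken from. The patch header carries it (e59ee87abe249f345908c7d568f6879d16bfd648), so citing that id in the entry would let a release-team reader confirm the backport matches upstream without opening the patch.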
diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff
--- mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff	1970-01-01 00:00:00.000000000 +0000
+++ mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff	2021-03-04 08:44:10.000000000 +0000
@@ -0,0 +1,61 @@
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982904
+Last-Updated: 2021-03-04
+From e59ee87abe249f345908c7d568f6879d16bfd648 Mon Sep 17 00:00:00 2001
+From: Davide Beatrici <git@davidebeatrici.dev>
+Date: Fri, 5 Feb 2021 20:01:04 +0100
+Subject: [PATCH] FIX(client): Only allow "http"/"https" for URLs in
+ ConnectDialog
+
+Our public server list registration script doesn't have an URL scheme
+whitelist for the website field.
+
+Turns out a malicious server can register itself with a dangerous URL in
+an attempt to attack a user's machine.
+
+User interaction is required, as the URL has to be opened by
+right-clicking on the server entry and clicking on "Open Webpage".
+
+This commit introduces a client-side whitelist, which only allows "http"
+and "https" schemes. We will also implement it in our public list.
+
+In future we should probably add a warning QMessageBox informing the
+user that there's no guarantee the URL is safe (regardless of the
+scheme).
+
+Thanks a lot to https://positive.security for reporting the RCE
+vulnerability to us privately.
+---
+ src/mumble/ConnectDialog.cpp | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/src/mumble/ConnectDialog.cpp
++++ b/src/mumble/ConnectDialog.cpp
+@@ -1259,11 +1259,25 @@
+ }
+ 
+ void ConnectDialog::on_qaUrl_triggered() {
+-	ServerItem *si = static_cast<ServerItem *>(qtwServers->currentItem());
+-	if (! si || si->qsUrl.isEmpty())
++	auto *si = static_cast< const ServerItem * >(qtwServers->currentItem());
++	if (!si || si->qsUrl.isEmpty()) {
+ 		return;
++	}
+ 
+-	QDesktopServices::openUrl(QUrl(si->qsUrl));
++	const QStringList allowedSchemes = { QLatin1String("http"), QLatin1String("https") };
++
++	const auto url = QUrl(si->qsUrl);
++	if (allowedSchemes.contains(url.scheme())) {
++		QDesktopServices::openUrl(url);
++	} else {
++		// Inform user that the requested URL has been blocked
++		QMessageBox msgBox;
++		msgBox.setText(QObject::tr("<b>Blocked URL scheme \"%1\"</b>").arg(url.scheme()));
++		msgBox.setInformativeText(QObject::tr("The URL uses a scheme that has been blocked for security reasons."));
++		msgBox.setDetailedText(QObject::tr("Blocked URL: \"%1\"").arg(url.toString()));
++		msgBox.setIcon(QMessageBox::Warning);
++		msgBox.exec();
++	}
+ }
+ 
+ void ConnectDialog::onFiltersTriggered(QAction *act) {
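Review bot: in on_qaUrl_triggered() a qsUrl that has no scheme at all (a bare host name, for instance) yields an empty url.scheme(), so it takes the else branch and the user is told Blocked URL scheme "" with no hint of what went wrong. Blocking is the safe outcome, but the empty-scheme case deserves its own message, or at least a comment stating that scheme-less values are rejected on purpose. Since the commit message says the server-side whitelist is not in place yet, this check is the only guard, and a short comment noting that the comparison is against exactly "http" and "https" would help later maintainers keep it that strict. Separately, QMessageBox msgBox; is constructed without a parent; passing this would keep the warning modal to the connect dialog.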
diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series
--- mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series	2019-02-28 16:36:21.000000000 +0000
+++ mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series	2021-03-04 08:21:39.000000000 +0000
@@ -8,3 +8,4 @@
 52-use-update-rc.d-for-disable.diff
 60-crossbuild.diff
 65-fix-sample-path.diff
+67-only-http-https-URLs-in-Connect.diff
