Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Greetings.

Attached is a debdiff for mumble to fix CVE-2021-27229 in Buster marked no-dsa
by the security team, bug #982904.

As the upload to buster-proposed-updates only contains one patch and a
changelog entry (the same patch used for mumble in Sid), I'm going to go
ahead and do the upload as suggested in Debian Developers Reference §5.5.1
paragraph 3.

  -- Chris

--
Chris Knadle
chris.kna...@coredump.us
diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog 
mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog
--- mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog      2019-02-28 
16:36:21.000000000 +0000
+++ mumble-1.3.0~git20190125.440b173+dfsg/debian/changelog      2021-04-30 
22:24:25.000000000 +0000
@@ -1,3 +1,16 @@
+mumble (1.3.0~git20190125.440b173+dfsg-2+deb10u1) buster; urgency=medium
+
+  * debian/patches:
+    - Add 67-only-http-https-URLs-in-Connect.diff to fix CVE-2021-27229
+      "Mumble before 1.3.4 allows remote code execution if a victim navigates
+       to a crafted URL on a server list and clicks on the Open Webpage text."
+      This patch only allows "http"/"https" URLs in ConnectDialog
+      (Closes: #982904)
+      Thanks to Salvatore Bonaccorso <car...@debian.org> for reporting the bug
+      and giving links to the fix.
+
+ -- Christopher Knadle <chris.kna...@coredump.us>  Fri, 30 Apr 2021 22:24:25 
+0000
+
 mumble (1.3.0~git20190125.440b173+dfsg-2) unstable; urgency=medium
 
   * debian/patches:
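
Review bot: The new changelog stanza names the patch file and the CVE but not the upstream commit being backported. The patch header identifies it as e59ee87abe249f345908c7d568f6879d16bfd648; citing that commit in the entry, or stating there that this is the same patch already used in sid, would let the release team verify the change from the changelog alone.
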
diff -Nru 
mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff
 
mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff
--- 
mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff
        1970-01-01 00:00:00.000000000 +0000
+++ 
mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/67-only-http-https-URLs-in-Connect.diff
        2021-03-04 08:44:10.000000000 +0000
@@ -0,0 +1,61 @@
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982904
+Last-Updated: 2021-03-04
+From e59ee87abe249f345908c7d568f6879d16bfd648 Mon Sep 17 00:00:00 2001
+From: Davide Beatrici <g...@davidebeatrici.dev>
+Date: Fri, 5 Feb 2021 20:01:04 +0100
+Subject: [PATCH] FIX(client): Only allow "http"/"https" for URLs in
+ ConnectDialog
+
+Our public server list registration script doesn't have an URL scheme
+whitelist for the website field.
+
+Turns out a malicious server can register itself with a dangerous URL in
+an attempt to attack a user's machine.
+
+User interaction is required, as the URL has to be opened by
+right-clicking on the server entry and clicking on "Open Webpage".
+
+This commit introduces a client-side whitelist, which only allows "http"
+and "https" schemes. We will also implement it in our public list.
+
+In future we should probably add a warning QMessageBox informing the
+user that there's no guarantee the URL is safe (regardless of the
+scheme).
+
+Thanks a lot to https://positive.security for reporting the RCE
+vulnerability to us privately.
+---
+ src/mumble/ConnectDialog.cpp | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/src/mumble/ConnectDialog.cpp
++++ b/src/mumble/ConnectDialog.cpp
+@@ -1259,11 +1259,25 @@
+ }
+ 
+ void ConnectDialog::on_qaUrl_triggered() {
+-      ServerItem *si = static_cast<ServerItem *>(qtwServers->currentItem());
+-      if (! si || si->qsUrl.isEmpty())
++      auto *si = static_cast< const ServerItem * >(qtwServers->currentItem());
++      if (!si || si->qsUrl.isEmpty()) {
+               return;
++      }
+ 
+-      QDesktopServices::openUrl(QUrl(si->qsUrl));
++      const QStringList allowedSchemes = { QLatin1String("http"), 
QLatin1String("https") };
++
++      const auto url = QUrl(si->qsUrl);
++      if (allowedSchemes.contains(url.scheme())) {
++              QDesktopServices::openUrl(url);
++      } else {
++              // Inform user that the requested URL has been blocked
++              QMessageBox msgBox;
++              msgBox.setText(QObject::tr("<b>Blocked URL scheme 
\"%1\"</b>").arg(url.scheme()));
++              msgBox.setInformativeText(QObject::tr("The URL uses a scheme 
that has been blocked for security reasons."));
++              msgBox.setDetailedText(QObject::tr("Blocked URL: 
\"%1\"").arg(url.toString()));
++              msgBox.setIcon(QMessageBox::Warning);
++              msgBox.exec();
++      }
+ }
+ 
+ void ConnectDialog::onFiltersTriggered(QAction *act) {
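
Review bot: In the else branch of on_qaUrl_triggered(), url.scheme() is derived from the server-supplied si->qsUrl and substituted unescaped into the rich-text string "<b>Blocked URL scheme \"%1\"</b>"; passing url.scheme().toHtmlEscaped() to arg() would keep the dialog text inert regardless of what the server registered. A qsUrl with no scheme at all also falls into this branch and is reported as blocked scheme "", so a distinct message for the empty-scheme case would be clearer to the user.
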
diff -Nru mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series 
mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series
--- mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series 2019-02-28 
16:36:21.000000000 +0000
+++ mumble-1.3.0~git20190125.440b173+dfsg/debian/patches/series 2021-03-04 
08:21:39.000000000 +0000
@@ -8,3 +8,4 @@
 52-use-update-rc.d-for-disable.diff
 60-crossbuild.diff
 65-fix-sample-path.diff
+67-only-http-https-URLs-in-Connect.diff
