mumble-server creates world readable config file

Bug #704674 reported by Felix Geyer
Affects            Status         Importance   Assigned to   Milestone
mumble (Debian)    Fix Released   Unknown
mumble (Ubuntu)    Fix Released   High         Unassigned
  Hardy            Fix Released   Undecided    Unassigned
  Karmic           Fix Released   Undecided    Unassigned
  Lucid            Fix Released   High         Unassigned
  Maverick         Fix Released   High         Unassigned

Bug Description

Binary package hint: mumble

mumble-server creates the config file /etc/mumble-server.ini
and doesn't change the permissions so it is world readable (0644).

The config file contains sensitive information like the server and SQL password.

Revision history for this message
Felix Geyer (debfx) wrote :

Already fixed in natty (mumble 1.2.2-6).

Changed in mumble (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in mumble (Ubuntu Lucid):
importance: Undecided → High
Changed in mumble (Ubuntu Maverick):
importance: Undecided → High
Felix Geyer (debfx)
Changed in mumble (Ubuntu Lucid):
assignee: nobody → Felix Geyer (debfx)
status: New → In Progress
Revision history for this message
Felix Geyer (debfx) wrote :

Uploaded a fix to lucid-proposed and maverick-proposed, waiting for approval.

Changed in mumble (Ubuntu Lucid):
assignee: Felix Geyer (debfx) → nobody
status: In Progress → Triaged
Changed in mumble (Ubuntu Maverick):
status: New → Triaged
Revision history for this message
John Dong (jdong) wrote :

IMO this borders on being a security vulnerability. The patch of course is good, but I'm hesitant on whether or not this should be handled as a USN so that affected administrators can be aware of potential sensitive information leakage.

Revision history for this message
John Dong (jdong) wrote :

After talking it over with Kees Cook, I think it's best to handle this bug as a security update and go through the Ubuntu Security Team rather than SRU.

Felix Geyer (debfx)
security vulnerability: no → yes
Revision history for this message
Felix Geyer (debfx) wrote :

Alright, attached is a debdiff targeting maverick-security.
If this one is fine, I'll prepare packages for the other series.
I have tested that it correctly sets the permissions for new installs and upgrades.

Changed in mumble (Ubuntu Maverick):
status: Triaged → Confirmed
Changed in mumble (Ubuntu Lucid):
status: Triaged → New
Revision history for this message
John Dong (jdong) wrote : Re: [Bug 704674] Re: mumble-server creates world readable config file

Patrick,

Definitely it's not an earth-shattering vulnerability, but the Ubuntu process for USNs isn't any more difficult to go through than the SRU process (need the debdiff to be tested and commented as tested on the bug report).

John

On Jan 19, 2011, at 1:31 PM, Patrick Matthäi wrote:

> On 19.01.2011 18:58, John Dong wrote:
>> After talking it over with Kees Cook, I think it's best to handle this
>> bug as a security update and go through the Ubuntu Security Team rather
>> than SRU.
>>
>
> Hello,
>
> I already asked the Debian Security Team how I should handle this. In
> their opinion it is nothing for a DSA, but it is fixed with our next
> point release.
>
> --
> /*
> With kind regards,
> Patrick Matthäi
> GNU/Linux Debian Developer
>
> E-Mail: <email address hidden>
> <email address hidden>
>
> Comment:
> Always if we think we are right,
> we were maybe wrong.
> */
>

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff!

It is possible that /etc/mumble-server.ini will not be present on upgrades, in which case postinst would fail. Please verify that the file exists by doing something like this instead:

if [ -f /etc/mumble-server.ini ]; then
    chmod 0640 /etc/mumble-server.ini || true
    chown root:mumble-server /etc/mumble-server.ini || true
fi

Changed in mumble (Ubuntu Maverick):
assignee: nobody → Felix Geyer (debfx)
status: Confirmed → Incomplete
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors. Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete. Thanks!

Revision history for this message
Felix Geyer (debfx) wrote :

I've fixed the debdiff for maverick.
The "|| true" error catch shouldn't be necessary.

Changed in mumble (Ubuntu Maverick):
status: Incomplete → New
assignee: Felix Geyer (debfx) → nobody
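The postinst logic discussed above (skip when the file is absent on upgrade, otherwise tighten to 0640 and root:mumble-server), as an added example that is not part of the bug report or the mumble package. It works on a constructed temporary file rather than /etc/mumble-server.ini, and the world_readable audit helper and the uid-0 guard around chown are additions of this example, not the package's code.

```shell
#!/bin/sh
# Added example: audit and fix a secret-bearing config file the way the
# mumble-server postinst change in this bug does. Not from the package.

# world_readable FILE: exit 0 if the "other" class can read FILE.
# Parses ls -ld so it works on both GNU and BSD userland; column 8 of the
# mode string is the other-read bit.
world_readable() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# fix_config FILE GROUP: same shape as the reviewed postinst snippet.
# A missing file (possible on upgrades) is skipped rather than failing
# the maintainer script; an existing file is tightened to 0640 and
# handed to root:GROUP. chown requires root, so this example only
# attempts it when running as uid 0 (always true inside a postinst).
fix_config() {
    file="$1"; group="$2"
    if [ -f "$file" ]; then
        chmod 0640 "$file"
        if [ "$(id -u)" -eq 0 ]; then
            chown "root:$group" "$file"
        fi
    fi
}

# Demo on a constructed file reproducing the bug: written out as 0644
# with password-like keys. The caller's own group stands in for
# mumble-server so the demo runs on any host.
demo() {
    tmp=$(mktemp) || return 1
    printf 'serverpassword=constructed\ndbPassword=constructed\n' > "$tmp"
    chmod 0644 "$tmp"
    before=$(world_readable "$tmp" && echo yes || echo no)
    fix_config "$tmp" "$(id -gn)"
    after=$(world_readable "$tmp" && echo yes || echo no)
    rm -f "$tmp"
    echo "world readable before=$before after=$after"
}

demo
```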
Revision history for this message
Felix Geyer (debfx) wrote :

debdiff for lucid

Revision history for this message
Felix Geyer (debfx) wrote :

debdiff for karmic

Revision history for this message
Felix Geyer (debfx) wrote :

debdiff for hardy

Changed in mumble (Debian):
status: Unknown → Fix Released
Changed in mumble (Ubuntu Lucid):
status: New → Triaged
Changed in mumble (Ubuntu Maverick):
status: New → Triaged
Changed in mumble (Ubuntu Hardy):
status: New → Triaged
Changed in mumble (Ubuntu Karmic):
status: New → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

ACK to hardy-maverick.

Changed in mumble (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in mumble (Ubuntu Maverick):
status: Triaged → Fix Committed
Changed in mumble (Ubuntu Hardy):
status: Triaged → Fix Committed
Changed in mumble (Ubuntu Karmic):
status: Triaged → Fix Committed
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Uploaded hardy-maverick to the security PPA. Thanks for the patches!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.2.2-4ubuntu0.1

---------------
mumble (1.2.2-4ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674)
    - debian/mumble-server.postinst: Set permissions of mumble-server.ini to
      0640 and the owner to root:mumble-server.
 -- Felix Geyer <email address hidden> Thu, 20 Jan 2011 12:22:57 +0100

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.2.2-1ubuntu1.1

---------------
mumble (1.2.2-1ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674)
    - debian/mumble-server.postinst: Set permissions of mumble-server.ini to
      0640 and the owner to root:mumble-server.
 -- Felix Geyer <email address hidden> Thu, 20 Jan 2011 12:56:28 +0100

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.1.8-3ubuntu0.1

---------------
mumble (1.1.8-3ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674)
    - debian/mumble-server.postinst: Set permissions of mumble-server.ini to
      0640 and the owner to root:mumble-server.
 -- Felix Geyer <email address hidden> Thu, 20 Jan 2011 13:02:46 +0100

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.1.3-0ubuntu2.1

---------------
mumble (1.1.3-0ubuntu2.1) hardy-security; urgency=low

  * SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674)
    - debian/mumble-server.postinst: Set permissions of mumble-server.ini to
      0640 and the owner to root:mumble-server.
 -- Felix Geyer <email address hidden> Thu, 20 Jan 2011 13:02:50 +0100

Changed in mumble (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in mumble (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in mumble (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in mumble (Ubuntu Maverick):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.