authorLeo <thinkabit.ukim@gmail.com>2021-02-22 16:13:02 -0300
committerLeo <thinkabit.ukim@gmail.com>2021-02-22 20:06:28 +0000
commit41094412f7715b8bb0a68af65eddc7505612e4d3 (patch)
tree498757a7c016a9ab1a2241158d75d298e1319c83
parentfd9ce08fba267b8ee71b3b525e43a79c075a5885 (diff)
community/mumble: fix CVE-2021-27339
See: #12456
-rw-r--r--community/mumble/APKBUILD11
-rw-r--r--community/mumble/e59ee87abe249f345908c7d568f6879d16bfd648.patch61
2 files changed, 69 insertions, 3 deletions
diff --git a/community/mumble/APKBUILD b/community/mumble/APKBUILD
index ee6c9ca564b..b77bb8402b1 100644
--- a/community/mumble/APKBUILD
+++ b/community/mumble/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Johannes Matheis <jomat+alpinebuild@jmt.gr>
pkgname=mumble
pkgver=1.3.3
-pkgrel=5
+pkgrel=6
pkgdesc="Low-latency, high quality voice chat software"
url="https://wiki.mumble.info/"
arch="all"
@@ -24,9 +24,13 @@ subpackages="
murmur-doc:murmur_doc:noarch
"
source="https://github.com/mumble-voip/mumble/releases/download/$pkgver/mumble-$pkgver.tar.gz
- murmur.initd"
+ murmur.initd
+ e59ee87abe249f345908c7d568f6879d16bfd648.patch
+ "
# secfixes:
+# 1.3.3-r6:
+# - CVE-2021-27229
# 1.2.19-r9:
# - CVE-2018-20743
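Review bot: The secfixes entry added for `1.3.3-r6` lists `CVE-2021-27229`, but the commit title names CVE-2021-27339, so one of the two identifiers is mistyped. The secfixes comment is presumably what security tooling reads to decide which package release carries the fix, so it is the side that must match the upstream advisory for the URL-scheme issue patched here. Confirm the id against that advisory and correct the secfixes line if it is the wrong one; if the title is the typo, a note in the linked issue would help anyone searching by CVE id.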
@@ -116,4 +120,5 @@ murmur_openrc() {
}
sha512sums="be4c6d4de82a1059bf30d4c7e3c44e41e4bb50dc4a811b7d0def808c52059ff7bcccf65140db940f18cc1bb66d58ea4dab23ba5dcfae3b8b904866751f32edb3 mumble-1.3.3.tar.gz
-1882dea434ee4bbf8e9a5c12a450b1846c1f992c4ce324c2a9b57faf204193cc13b3029af6cd9de6d12e2b8e2004958594f4d8d0d78343d45b0365994bd5bec7 murmur.initd"
+1882dea434ee4bbf8e9a5c12a450b1846c1f992c4ce324c2a9b57faf204193cc13b3029af6cd9de6d12e2b8e2004958594f4d8d0d78343d45b0365994bd5bec7 murmur.initd
+5d84b82930d737fe898a05c95527973c3acb10f6df678010198124406d857d02117c4aeb62f31ba5abbc380de931666c382670b09b6092814d4c77e393587900 e59ee87abe249f345908c7d568f6879d16bfd648.patch"
diff --git a/community/mumble/e59ee87abe249f345908c7d568f6879d16bfd648.patch b/community/mumble/e59ee87abe249f345908c7d568f6879d16bfd648.patch
new file mode 100644
index 00000000000..478f47d4314
--- /dev/null
+++ b/community/mumble/e59ee87abe249f345908c7d568f6879d16bfd648.patch
@@ -0,0 +1,61 @@
+From e59ee87abe249f345908c7d568f6879d16bfd648 Mon Sep 17 00:00:00 2001
+From: Davide Beatrici <git@davidebeatrici.dev>
+Date: Fri, 5 Feb 2021 20:01:04 +0100
+Subject: [PATCH] FIX(client): Only allow "http"/"https" for URLs in
+ ConnectDialog
+
+Our public server list registration script doesn't have an URL scheme
+whitelist for the website field.
+
+Turns out a malicious server can register itself with a dangerous URL in
+an attempt to attack a user's machine.
+
+User interaction is required, as the URL has to be opened by
+right-clicking on the server entry and clicking on "Open Webpage".
+
+This commit introduces a client-side whitelist, which only allows "http"
+and "https" schemes. We will also implement it in our public list.
+
+In future we should probably add a warning QMessageBox informing the
+user that there's no guarantee the URL is safe (regardless of the
+scheme).
+
+Thanks a lot to https://positive.security for reporting the RCE
+vulnerability to us privately.
+---
+ src/mumble/ConnectDialog.cpp | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/src/mumble/ConnectDialog.cpp b/src/mumble/ConnectDialog.cpp
+index a77a632c83..7ab6034b73 100644
+--- a/src/mumble/ConnectDialog.cpp
++++ b/src/mumble/ConnectDialog.cpp
+@@ -1265,11 +1265,25 @@ void ConnectDialog::on_qaFavoritePaste_triggered() {
+ }
+
+ void ConnectDialog::on_qaUrl_triggered() {
+- ServerItem *si = static_cast<ServerItem *>(qtwServers->currentItem());
+- if (! si || si->qsUrl.isEmpty())
++ auto *si = static_cast< const ServerItem * >(qtwServers->currentItem());
++ if (!si || si->qsUrl.isEmpty()) {
+ return;
++ }
++
++ const QStringList allowedSchemes = { QLatin1String("http"), QLatin1String("https") };
+
+- QDesktopServices::openUrl(QUrl(si->qsUrl));
++ const auto url = QUrl(si->qsUrl);
++ if (allowedSchemes.contains(url.scheme())) {
++ QDesktopServices::openUrl(url);
++ } else {
++ // Inform user that the requested URL has been blocked
++ QMessageBox msgBox;
++ msgBox.setText(QObject::tr("<b>Blocked URL scheme \"%1\"</b>").arg(url.scheme()));
++ msgBox.setInformativeText(QObject::tr("The URL uses a scheme that has been blocked for security reasons."));
++ msgBox.setDetailedText(QObject::tr("Blocked URL: \"%1\"").arg(url.toString()));
++ msgBox.setIcon(QMessageBox::Warning);
++ msgBox.exec();
++ }
+ }
+
+ void ConnectDialog::onFiltersTriggered(QAction *act) {
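Review bot: In the `else` branch of `on_qaUrl_triggered`, `url.scheme()` is substituted into a string that carries `<b>` markup, so the message box will likely render that text as rich text with a server-supplied value inside it. QUrl restricts which characters a scheme may contain, which presumably keeps markup out today, but escaping the value (Qt 5) makes the dialog safe independently of the parser: `msgBox.setText(QObject::tr("<b>Blocked URL scheme \"%1\"</b>").arg(url.scheme().toHtmlEscaped()));`. A registered URL with no scheme at all also lands in this branch and is reported as a blocked scheme `""`, which tells the user little; a separate message for an empty scheme would be clearer. Constructing the box as `QMessageBox msgBox(this);` would also tie the warning to the connect dialog instead of leaving it parentless.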