Message-ID: <CAAJZzgYh86ij-6x-7=OjBe0h1WObzPe-QGRotgKYfWr-R=NeoQ@mail.gmail.com>
Date: Wed, 5 Feb 2014 21:33:05 +0100
From: Mikkel Krautz <mikkel@...utz.dk>
To: oss-security@...ts.openwall.com
Subject: Mumble-SA-2014-001 and Mumble-SA-2014-002

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Two vulnerabilities were recently discovered in the Mumble
client for the Mumble voice chat system.

Please find the Mumble team's advisories for these issues
inline below, or view them directly on mumble.info:

http://mumble.info/security/Mumble-SA-2014-001.txt
(For a detached, ASCII-armoured signature, append .sig)

http://mumble.info/security/Mumble-SA-2014-002.txt
(For a detached, ASCII-armoured signature, append .sig)

Thanks,
Mikkel Krautz on behalf of the Mumble team

PGP: 4096R/41BCDD10
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
-----END PGP SIGNATURE-----

---------->8----------------------------------------------->8----------

Mumble Security Advisory 2014-001

ID:              Mumble-SA-2014-001
Date:            February 2014
CVE Reference:   CVE-2014-0044
Product:         Mumble
Mumble Website:  http://mumble.info
Permalink:       http://mumble.info/security/Mumble-SA-2014-001.txt
Last Updated:    05-02-2014

1. Vulnerability

    A malformed Opus voice packet sent to a Mumble client
    could trigger a NULL pointer dereference or an
    out-of-bounds array access, leading to a crash
    (Denial of Service).

    This can be triggered remotely by an entity
    participating in a Mumble voice chat.

2. Affected versions and configurations

    Mumble 1.2.4 in its default configuration is vulnerable.
    This is the only stable release that is vulnerable.

    Pre-release snapshots released prior to 1.2.4 (these
    are named 1.2.3-<number>-g<commit>) that include Opus
    support are potentially vulnerable.

    Pre-release snapshots released after 1.2.4 (these are
    named 1.2.4-<number>-g<commit>) are vulnerable.

    Some distributions (such as Debian and Ubuntu) ship a
    pre-release snapshot in their stable distributions.
    This snapshot is version 1.2.3-349-g315b5f5, and it is
    also vulnerable.

3. Mitigation

    A Mumble client built without Opus support is not
    vulnerable to this issue.

    Opus is enabled in the default build configuration for
    Mumble, but can be disabled by passing CONFIG+=no-opus
    to the qmake program when building the Mumble client.
    (Note that Mumble might still enable Opus support if
    an installed version of Opus is found via pkg-config.
    To avoid this, you will need to pass
    CONFIG+="bundled-opus no-opus" to qmake to also disable
    the pkg-config querying.)

    Versions 1.2.3 and prior of Mumble's server component
    ('Murmur' or 'mumble-server') do not allow the
    transmission of Opus packets, and as such a vulnerable
    client connected to a stock Murmur server that runs
    version 1.2.3 or prior should not be affected by this
    issue.

    Note however that since Mumble is a centralized VoIP
    system, a modified server could potentially also
    trigger malformed Opus packets to be sent to clients
    of its choosing, thus triggering this issue.

4. Details

    Mumble's Opus voice packets are serialized as a buffer
    with a length-prefix using Mumble's internal
    PacketDataStream serialization format.

    Mumble failed to properly validate the length prefix
    of received Opus voice packets.

    If an Opus packet with a length prefix of zero was
    received, the Mumble client would attempt to extract
    an Opus buffer of size 0 by calling the dataBlock()
    method on a PacketDataStream object. In this case the
    dataBlock() method would return a QByteArray that uses
    the result of malloc(0) as its internal buffer.

    Depending on the system's implementation of malloc this
    call may return either NULL, or a non-NULL pointer that
    points to a zero-length buffer.

    The QByteArray's internal buffer is later used in a
    call to the opus_packet_get_samples_per_frame() function,
    which attempts to read the first byte of the passed-in
    buffer to calculate its return value. This can either
    cause a NULL pointer dereference, or a read outside the
    bounds of the zero-sized heap-allocated buffer.

    Similarly, if the Mumble client received an Opus packet
    with a length prefix that is negative, or larger than
    the encapsulating packet, the dataBlock() method of the
    PacketDataStream object would return a QByteArray
    constructed by the QByteArray class's default constructor.
    That is, a 'null' QByteArray where the internal buffer
    is a NULL pointer.

    This NULL buffer is then passed to the
    opus_packet_get_samples_per_frame() function which will
    dereference it when attempting to read the first byte of
    the buffer.
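    The three malformed length prefixes described above (zero,
    negative, larger than the enclosing packet) all end with a
    pointer that must not be read being handed to the codec. The
    following C++ example is added here and is not Mumble's code:
    it models PacketDataStream with a deliberately simplified
    signed 16-bit big-endian length prefix (an assumption made for
    the example; Mumble uses a varint), rejects each bad case
    before any pointer is produced, and only then reads the Opus
    TOC byte the way opus_packet_get_samples_per_frame() does
    (the TOC decoding follows RFC 6716 section 3.1 and is written
    for this example, not taken from libopus). The sample packets
    are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Outcome of extracting one length-prefixed Opus frame from a voice packet.
enum class FrameStatus { Ok, BadLength, Truncated };

struct OpusFrame {
    FrameStatus status;
    const uint8_t *data;  // valid only when status == Ok
    size_t size;          // valid only when status == Ok
};

// Minimal stand-in for Mumble's PacketDataStream (assumption: a signed
// 16-bit big-endian length prefix instead of Mumble's varint encoding;
// the validation logic is what matters here).
class PacketReader {
public:
    explicit PacketReader(const std::vector<uint8_t> &buf) : buf_(buf) {}
    bool isValid() const { return valid_; }
    size_t remaining() const { return buf_.size() - pos_; }

    // Reads the length prefix. A short read invalidates the stream.
    int readSize() {
        if (remaining() < 2) { valid_ = false; return 0; }
        int16_t v = static_cast<int16_t>((buf_[pos_] << 8) | buf_[pos_ + 1]);
        pos_ += 2;
        return v;
    }

    // Mirrors dataBlock(): hands out `len` bytes if they fit, otherwise
    // no block at all and an invalid stream.
    const uint8_t *dataBlock(size_t len) {
        if (len > remaining()) { valid_ = false; return nullptr; }
        const uint8_t *p = buf_.data() + pos_;
        pos_ += len;
        return p;
    }

private:
    const std::vector<uint8_t> &buf_;
    size_t pos_ = 0;
    bool valid_ = true;
};

// Hardened extraction: reject the zero, negative and oversized prefixes
// before any pointer is handed to the codec.
OpusFrame extractOpusFrame(PacketReader &pds) {
    int size = pds.readSize();
    if (!pds.isValid() || size <= 0)
        return {FrameStatus::BadLength, nullptr, 0};
    const uint8_t *block = pds.dataBlock(static_cast<size_t>(size));
    if (block == nullptr || !pds.isValid())
        return {FrameStatus::Truncated, nullptr, 0};
    return {FrameStatus::Ok, block, static_cast<size_t>(size)};
}

// Samples per frame from the Opus TOC byte, following the TOC layout in
// RFC 6716 section 3.1 (written for this example; not libopus code).
// This first-byte read is the one that crashed on a NULL or empty buffer.
int samplesPerFrame(const uint8_t *data, int fs) {
    uint8_t toc = data[0];
    if (toc & 0x80)                          // CELT-only configs 16..31
        return (fs << ((toc >> 3) & 0x3)) / 400;
    if ((toc & 0x60) == 0x60)                // hybrid configs 12..15
        return (toc & 0x08) ? fs / 50 : fs / 100;
    int sz = (toc >> 3) & 0x3;               // SILK-only configs 0..11
    return sz == 3 ? fs * 60 / 1000 : (fs << sz) / 100;
}

// Returns the sample count for a well-formed packet, or -1 when the
// packet is rejected before the codec ever sees a pointer.
int decodeFrameSamples(const std::vector<uint8_t> &packet, int fs) {
    PacketReader pds(packet);
    OpusFrame f = extractOpusFrame(pds);
    if (f.status != FrameStatus::Ok) return -1;
    return samplesPerFrame(f.data, fs);
}

int main() {
    // Constructed sample packets: one valid 3-byte frame (TOC 0x98 = 20 ms
    // CELT), then the zero, negative and oversized prefixes from the advisory.
    const std::vector<uint8_t> good = {0x00, 0x03, 0x98, 0x01, 0x02};
    const std::vector<uint8_t> zero = {0x00, 0x00, 0x98};
    const std::vector<uint8_t> neg  = {0xFF, 0xFF, 0x98};
    const std::vector<uint8_t> big  = {0x00, 0x10, 0x98};
    std::printf("good: %d samples\n", decodeFrameSamples(good, 48000));
    std::printf("zero: %d  negative: %d  oversized: %d\n",
                decodeFrameSamples(zero, 48000), decodeFrameSamples(neg, 48000),
                decodeFrameSamples(big, 48000));
    return 0;
}
```

    The zero-length check has to run before the block is requested:
    asking for 0 bytes succeeds from the stream's point of view, so
    a size-equality check after the fact would not catch it.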

5. Credits

    This issue was discovered by the Mumble team after a
    reproducible crash that happened when transmitting
    audio was reported by Wesley Wolfe on January 25, 2014.

6. Fix

    A fix for this issue has been released in Mumble 1.2.5.

    A fix is also available in the master branch of Mumble's
    Git repository.

    A patch which can be applied to previous vulnerable
    versions can be found in-line below.


--- ./src/mumble/AudioOutputSpeech.cpp
+++ ./src/mumble/AudioOutputSpeech.cpp
@@ -148,8 +148,15 @@ void AudioOutputSpeech::addFrameToBuffer(const
QByteArray &qbaPacket, unsigned i
         int size;
         pds >> size;
         size &= 0x1fff;
+        if (size == 0) {
+            return;
+        }

         const QByteArray &qba = pds.dataBlock(size);
+        if (size != qba.size() || !pds.isValid()) {
+            return;
+        }
+
         const unsigned char *packet = reinterpret_cast<const unsigned
char*>(qba.constData());

 #ifdef USE_OPUS
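Review bot: the `size == 0` early return must stay ahead of `pds.dataBlock(size)` and deserves a comment saying why: the second check `size != qba.size() || !pds.isValid()` cannot catch a zero prefix on its own, because dataBlock(0) returns a zero-length QByteArray whose size() equals the requested 0 while the stream stays valid, which is exactly the malloc(0)-backed buffer the advisory describes. Both new returns also drop the frame silently; a debug-level log or a counter at these two points would give operators a signal when a peer is sending malformed Opus frames.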

---------->8----------------------------------------------->8----------

Mumble Security Advisory 2014-002

ID:              Mumble-SA-2014-002
Date:            February 2014
CVE Reference:   CVE-2014-0045
Product:         Mumble
Mumble Website:  http://mumble.info
Permalink:       http://mumble.info/security/Mumble-SA-2014-002.txt
Last Updated:    05-02-2014

1. Vulnerability

    A malformed Opus voice packet sent to a Mumble client
    could trigger a heap-based buffer overflow. This causes
    a client crash (Denial of Service) and can potentially
    be used to execute arbitrary code, though this is
    unconfirmed.

    This issue can be triggered remotely by an entity
    participating in a Mumble voice chat.

2. Affected versions and configurations

    Mumble 1.2.4 in its default configuration is vulnerable.
    This is the only stable release that is vulnerable.

    Pre-release snapshots released prior to 1.2.4 (these
    are named 1.2.3-<number>-g<commit>) that include Opus
    support are potentially vulnerable.

    Pre-release snapshots released after 1.2.4 (these are
    named 1.2.4-<number>-g<commit>) are vulnerable.

    Some distributions (such as Debian and Ubuntu) ship a
    pre-release snapshot in their stable distributions.
    This snapshot is version 1.2.3-349-g315b5f5, and it is
    also vulnerable.

3. Mitigation

    A Mumble client built without Opus support is not
    vulnerable to this issue.

    Opus is enabled in the default build configuration for
    Mumble, but can be disabled by passing CONFIG+=no-opus
    to the qmake program when building the Mumble client.
    (Note that Mumble might still enable Opus support if
    an installed version of Opus is found via pkg-config.
    To avoid this, you will need to pass
    CONFIG+="bundled-opus no-opus" to qmake to also disable
    the pkg-config querying.)

    Versions 1.2.3 and prior of Mumble's server component
    ('Murmur' or 'mumble-server') do not allow the
    transmission of Opus packets, and as such a vulnerable
    client connected to a stock Murmur server that runs
    version 1.2.3 or prior should not be affected by this
    issue.

    Note however that since Mumble is a centralized VoIP
    system, a modified server could potentially also
    trigger malformed Opus packets to be sent to clients
    of its choosing, thus triggering this issue.

4. Details

    Mumble failed to properly check the return value of
    a call to the opus_decode_float() function in
    Mumble's AudioOutputSpeech::needSamples() method.

    When opus_decode_float() encounters an error, it
    returns a negative integer signalling the error
    condition it met.

    Instead of handling these errors, Mumble assigned the
    negative return value of opus_decode_float() to
    decodedSamples, the variable holding the number of
    decoded samples, and continued its processing.

    Later on in the AudioOutputSpeech::needSamples()
    method, the decodedSamples variable is converted
    to a pair of unsigned integers: inlen and outlen.
    The inlen variable's value becomes close to UINT_MAX,
    since the error codes returned by opus_decode_float()
    are small negative integers. The outlen variable's
    value is bounded by a sample rate calculation, which
    causes the value to be somewhere around
    UINT_MAX / 48000, depending on the Opus error code
    and the current sample rate being used by the Mumble
    client.

    These two unsigned integers are then used as buffer
    lengths in calls to speex_resampler_process_float() and
    in a memory-copying "for"-loop at the top of the
    AudioOutputSpeech::needSamples() method.

    The inadvertently large buffer lengths cause the two
    cases above to perform reads and writes outside the
    bounds of their heap-allocated buffers.
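    The following C++ example is added here and is not Mumble's
    code. It shows the signed-to-unsigned conversion described
    above on the real libopus error values (OPUS_BAD_ARG = -1 and
    OPUS_INVALID_PACKET = -4, as defined in opus_defines.h), and
    then the recovery the released fix applies: when the decoder
    reports an error, the frame is replaced by iFrameSize samples
    of silence so that the length fed onward can never exceed the
    buffer. opus_decode_float() itself is replaced by a stand-in
    (fakeOpusDecode, constructed for this example) so the block
    runs without libopus; the bounded copy loop stands in for the
    memory-copying loop in needSamples() and is not the project's
    code.

```cpp
#include <climits>
#include <cstddef>
#include <cstring>
#include <vector>

// Error codes as defined by libopus (opus_defines.h); opus_decode_float()
// returns one of these negative values on failure.
constexpr int OPUS_BAD_ARG        = -1;
constexpr int OPUS_INVALID_PACKET = -4;

// Stand-in for opus_decode_float(), constructed for this example (libopus
// is not linked): fills `frameSize` samples on success, else returns an
// Opus error code just like the real decoder would.
int fakeOpusDecode(bool packetOk, float *pcm, int frameSize) {
    if (!packetOk) return OPUS_INVALID_PACKET;
    for (int i = 0; i < frameSize; ++i) pcm[i] = 0.25f;
    return frameSize;
}

// The conversion the advisory describes: a small negative return value
// assigned to an unsigned length wraps to a value near UINT_MAX.
unsigned int toUnsignedLength(int decodedSamples) {
    return static_cast<unsigned int>(decodedSamples);
}

// True if a decoder result, once converted to unsigned, still fits the
// buffer it will be used to index. Any Opus error code fails this test.
bool lengthFitsBuffer(int decodedSamples, size_t cap) {
    return toUnsignedLength(decodedSamples) <= cap;
}

// Hardened wrapper mirroring the released fix: on decoder error the frame
// becomes iFrameSize samples of silence, so decodedSamples is never negative
// by the time it is turned into inlen/outlen.
int decodeOrSilence(bool packetOk, float *pOut, int iFrameSize) {
    int decodedSamples = fakeOpusDecode(packetOk, pOut, iFrameSize);
    if (decodedSamples < 0) {
        decodedSamples = iFrameSize;
        memset(pOut, 0, iFrameSize * sizeof(float));
    }
    return decodedSamples;
}

// Bounded copy standing in for the "for"-loop at the top of needSamples():
// refuses a length that exceeds the destination instead of writing past it.
// Returns the number of samples copied.
size_t copySamplesChecked(float *dst, size_t dstCap, const float *src,
                          unsigned int inlen) {
    if (inlen > dstCap) return 0;  // would have been an out-of-bounds write
    for (unsigned int i = 0; i < inlen; ++i) dst[i] = src[i];
    return inlen;
}

struct FrameResult {
    int decodedSamples;  // what needSamples() carries forward
    size_t copied;       // samples copied by the bounded loop
    float sum;           // sum of copied samples (0 for the silence fallback)
};

// Runs one frame through decode, conversion and copy, the same sequence
// needSamples() performs, with the fix applied.
FrameResult processFrame(bool packetOk, int iFrameSize) {
    std::vector<float> pOut(static_cast<size_t>(iFrameSize));
    std::vector<float> mix(static_cast<size_t>(iFrameSize));
    int decoded = decodeOrSilence(packetOk, pOut.data(), iFrameSize);
    unsigned int inlen = toUnsignedLength(decoded);  // safe: decoded >= 0 here
    size_t copied = copySamplesChecked(mix.data(), mix.size(), pOut.data(), inlen);
    float sum = 0.0f;
    for (size_t i = 0; i < copied; ++i) sum += mix[i];
    return {decoded, copied, sum};
}
```

    Without the `decodedSamples < 0` check, toUnsignedLength(-4)
    yields UINT_MAX - 3 and the copy loop would run far past a
    480-sample buffer; with it, a bad packet simply becomes one
    frame of silence.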

5. Credits

    This issue was discovered by the Mumble team after a
    reproducible crash that happened when transmitting
    audio was reported by Wesley Wolfe on January 25, 2014.

6. Fix

    A fix for this issue has been released in Mumble 1.2.5.

    A fix is also available in the master branch of Mumble's
    Git repository.

    A patch which can be applied to previous vulnerable
    versions can be found in-line below.

    (Note: this patch does not apply to Debian and Ubuntu's
     1.2.3-349-g315b5f5 version due to whitespace changes
     of the code above the inserted "if"-statement in the
     first hunk of the patch.  It is, however, trivially
     applied or fixed by hand.)


--- ./src/mumble/AudioOutputSpeech.cpp
+++ ./src/mumble/AudioOutputSpeech.cpp
@@ -335,6 +335,10 @@ bool AudioOutputSpeech::needSamples(unsigned int snum) {
                                                        pOut,
                                                        iAudioBufferSize,
                                                        0);
+                    if (decodedSamples < 0) {
+                        decodedSamples = iFrameSize;
+                        memset(pOut, 0, iFrameSize * sizeof(float));
+                    }
 #endif
                 } else {
                     if (qba.isEmpty()) {
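Review bot: the error path zero-fills `iFrameSize * sizeof(float)` bytes, while the decode call whose trailing arguments (`pOut, iAudioBufferSize, 0)`) form this hunk's context was given `iAudioBufferSize` as the output capacity; the fallback is only safe if iFrameSize <= iAudioBufferSize, so either assert that relation next to the memset or zero-fill using the same bound the decoder was given. Setting `decodedSamples = iFrameSize` also reports a full frame upstream rather than a decode failure, which hides malformed packets from any diagnostics; a debug-level log on this path would help operators notice a misbehaving peer.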
@@ -384,6 +388,10 @@ bool AudioOutputSpeech::needSamples(unsigned int snum) {
                 } else if (umtType == MessageHandler::UDPVoiceOpus) {
 #ifdef USE_OPUS
                     decodedSamples = opus_decode_float(opusState,
NULL, 0, pOut, iFrameSize, 0);
+                    if (decodedSamples < 0) {
+                        decodedSamples = iFrameSize;
+                        memset(pOut, 0, iFrameSize * sizeof(float));
+                    }
 #endif
                 } else {
                     speex_decode(dsSpeex, NULL, pOut);
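Review bot: this is the second verbatim copy of the recovery block (`decodedSamples = iFrameSize;` followed by the memset), here on the packet-loss path where opus_decode_float() is called with a NULL packet; factor the four lines into a small helper so both Opus paths stay in sync if the fallback ever changes. On this path the decoder is given `iFrameSize` as its frame size, so the memset bound does match the decode call.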

---------->8----------------------------------------------->8----------
