mumble-server creates world readable config file

Bug #704674 reported by Felix Geyer on 2011-01-18
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mumble (Debian)
Fix Released
Unknown
mumble (Ubuntu)
High
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
High
Unassigned
Maverick
High
Unassigned

Bug Description

Binary package hint: mumble

mumble-server creates the config file /etc/mumble-server.ini
and doesn't change the permissions so it is world readable (0644).

The config file contains sensitive information like the server and sql password.

Felix Geyer (debfx) wrote :

Already fixed in natty (mumble 1.2.2-6).

Changed in mumble (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in mumble (Ubuntu Lucid):
importance: Undecided → High
Changed in mumble (Ubuntu Maverick):
importance: Undecided → High
Felix Geyer (debfx) on 2011-01-19
Changed in mumble (Ubuntu Lucid):
assignee: nobody → Felix Geyer (debfx)
status: New → In Progress
Felix Geyer (debfx) wrote :

Uploaded a fix to lucid-proposed and maverick-proposed, waiting for approval.

Changed in mumble (Ubuntu Lucid):
assignee: Felix Geyer (debfx) → nobody
status: In Progress → Triaged
Changed in mumble (Ubuntu Maverick):
status: New → Triaged
John Dong (jdong) wrote :

IMO this borders on being a security vulnerability. The patch of course is good, but I'm hesitant on whether or not this should be handled as a USN so that affected administrators can be aware of potential sensitive information leakage.

John Dong (jdong) wrote :

After talking it over with Kees Cook, I think it's best to handle this bug as a security update and go through the Ubuntu Security Team rather than SRU.

Felix Geyer (debfx) on 2011-01-19
security vulnerability: no → yes
Felix Geyer (debfx) wrote :

Alright, attached is a debdiff targeting maverick-security.
If this one is fine, I'll prepare packages for the other series.
I have tested that it correctly sets the permissions for new installs and upgrades.

Changed in mumble (Ubuntu Maverick):
status: Triaged → Confirmed
Changed in mumble (Ubuntu Lucid):
status: Triaged → New

Patrick,

Definitely it's not an earth-shattering vulnerability, but the Ubuntu process for USNs isn't any more difficult to go through than the SRU process (need the debdiff to be tested and commented as tested on the bug report).

John

On Jan 19, 2011, at 1:31 PM, Patrick Matthäi wrote:

> Am 19.01.2011 18:58, schrieb John Dong:
>> After talking it over with Kees Cook, I think it's best to handle this
>> bug as a security update and go through the Ubuntu Security Team rather
>> than SRU.
>>
>
> Hello,
>
> I already asked the Debian Security Team how I should handle this. In
> their opinion it is nothing for a DSA, but it is fixed with our next
> point release.
>
> --
> /*
> Mit freundlichem Gruß / With kind regards,
> Patrick Matthäi
> GNU/Linux Debian Developer
>
> E-Mail: <email address hidden>
> <email address hidden>
>
> Comment:
> Always if we think we are right,
> we were maybe wrong.
> */
>

Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff!

It is possible that /etc/mumble-server.ini will not be present on upgrades, in which case postinst would fail. Please verify that the file exists by doing something like this instead:

if [ -f /etc/mumble-server.ini ]; then
    chmod 0640 /etc/mumble-server.ini || true
    chown root:mumble-server /etc/mumble-server.ini || true
fi

Changed in mumble (Ubuntu Maverick):
assignee: nobody → Felix Geyer (debfx)
status: Confirmed → Incomplete
Jamie Strandboge (jdstrand) wrote :

Unsubscribing ubuntu-security-sponsors. Please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when the changes are complete. Thanks!

Felix Geyer (debfx) wrote :

I've fixed the debdiff for maverick.
The "|| true" error catch shouldn't be necessary.

Changed in mumble (Ubuntu Maverick):
status: Incomplete → New
assignee: Felix Geyer (debfx) → nobody
Felix Geyer (debfx) wrote :

debdiff for lucid

Felix Geyer (debfx) wrote :

debdiff for karmic

Felix Geyer (debfx) wrote :

debdiff for hardy

Changed in mumble (Debian):
status: Unknown → Fix Released
Changed in mumble (Ubuntu Lucid):
status: New → Triaged
Changed in mumble (Ubuntu Maverick):
status: New → Triaged
Changed in mumble (Ubuntu Hardy):
status: New → Triaged
Changed in mumble (Ubuntu Karmic):
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

ACK to hardy-maverick.

Changed in mumble (Ubuntu Lucid):
status: Triaged → Fix Committed
Changed in mumble (Ubuntu Maverick):
status: Triaged → Fix Committed
Changed in mumble (Ubuntu Hardy):
status: Triaged → Fix Committed
Changed in mumble (Ubuntu Karmic):
status: Triaged → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Uploaded hardy-maverick to the security PPA. Thanks for the patches!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.2.2-4ubuntu0.1

---------------
mumble (1.2.2-4ubuntu0.1) maverick-security; urgency=low

  * SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674)
    - debian/mumble-server.postinst: Set permissions of mumble-server.ini to
      0640 and the owner to root:mumble-server.
 -- Felix Geyer <email address hidden> Thu, 20 Jan 2011 12:22:57 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.2.2-1ubuntu1.1

---------------
mumble (1.2.2-1ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674)
    - debian/mumble-server.postinst: Set permissions of mumble-server.ini to
      0640 and the owner to root:mumble-server.
 -- Felix Geyer <email address hidden> Thu, 20 Jan 2011 12:56:28 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.1.8-3ubuntu0.1

---------------
mumble (1.1.8-3ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674)
    - debian/mumble-server.postinst: Set permissions of mumble-server.ini to
      0640 and the owner to root:mumble-server.
 -- Felix Geyer <email address hidden> Thu, 20 Jan 2011 13:02:46 +0100

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.1.3-0ubuntu2.1

---------------
mumble (1.1.3-0ubuntu2.1) hardy-security; urgency=low

  * SECURITY UPDATE: /etc/mumble-server.ini is world readable. (LP: #704674)
    - debian/mumble-server.postinst: Set permissions of mumble-server.ini to
      0640 and the owner to root:mumble-server.
 -- Felix Geyer <email address hidden> Thu, 20 Jan 2011 13:02:50 +0100

Changed in mumble (Ubuntu Hardy):
status: Fix Committed → Fix Released
Changed in mumble (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in mumble (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in mumble (Ubuntu Maverick):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.