Mumble stores passwords in plain text in a globally readable sqlite DB

Bug #783405 reported by Tom Haddon
This bug affects 1 person
Affects            Status         Importance   Assigned to   Milestone
mumble (Debian)    Fix Released   Unknown
mumble (Ubuntu)    Fix Released   Medium       Unassigned
  Lucid            Fix Released   Medium       Unassigned
  Maverick         Fix Released   Medium       Unassigned
  Natty            Fix Released   Medium       Unassigned
  Oneiric          Fix Released   Medium       Unassigned
  Precise          Fix Released   Medium       Unassigned

Bug Description

Binary package hint: mumble

If you run:

sqlite3 ~/.local/share/data/Mumble/Mumble/.mumble.sqlite

And then:

SELECT * FROM servers;

You'll see your password in plain text. This file is globally readable by default.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: mumble 1.2.3-1ubuntu6
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
Uname: Linux 2.6.38-8-generic i686
Architecture: i386
Date: Mon May 16 11:18:59 2011
ProcEnviron:
 LANGUAGE=en_GB:en
 PATH=(custom, user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: mumble
UpgradeStatus: Upgraded to natty on 2011-04-12 (33 days ago)
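
A check for the condition described in this report, as an added example that is not part of the original bug report or of the Debian/Ubuntu patch: it lists anything under a per-user data directory that group or other can access, and removes that access. The function names are hypothetical, and `-perm /077` assumes GNU find.

```shell
#!/bin/sh
# Added example (not from the bug report or the packaged patch).
# Audits a per-user application data directory, such as the Mumble one
# named in this report, for files that other local users can access.

# Print every file or directory under $1 with any group/other permission bit.
# "-perm /077" (GNU find) matches when ANY of the listed bits is set.
audit_data_dir() {
    find "$1" \( -type f -o -type d \) -perm /077 -print 2>/dev/null
}

# Return 0 when nothing under $1 is accessible to group or other,
# 1 when something is exposed, 2 when $1 is not a directory.
data_dir_is_private() {
    [ -d "$1" ] || return 2
    [ -z "$(audit_data_dir "$1")" ]
}

# Strip all group/other access below $1; owner bits are left untouched,
# so a 0644 database becomes 0600 and a 0755 directory becomes 0700.
harden_data_dir() {
    chmod -R go-rwx "$1"
}

# Stand-alone use: pass the directory to inspect, e.g. the parent of the
# database path quoted in the report (~/.local/share/data/Mumble).
if [ -n "${1:-}" ]; then
    if data_dir_is_private "$1"; then
        echo "OK: no group/other access under $1"
    else
        echo "Exposed to other local users:"
        audit_data_dir "$1"
    fi
fi
```

Tightening permissions after the fact does not cover a copy that was already read or backed up while the file was world-readable, so a password stored there should be changed as well.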

Tom Haddon (mthaddon) wrote :
Kees Cook (kees)
visibility: private → public
Changed in mumble (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.2.3-2ubuntu3

---------------
mumble (1.2.3-2ubuntu3) precise; urgency=low

  * debian/patches/0003-fix-cert-validation.patch: Fix certificate
    validation with QT 4.8. For some reason, the new on-demand root cert
    loading is not working with mumble. (LP: #928296)
  * debian/patches/0004-set-file-permissions.patch: Set restrictive
    permissions on data files. (LP: #783405)
 -- Marc Deslauriers <email address hidden> Tue, 07 Feb 2012 09:53:44 -0500

Changed in mumble (Ubuntu):
status: Confirmed → Fix Released
Changed in mumble (Ubuntu Lucid):
status: New → Confirmed
Changed in mumble (Ubuntu Maverick):
status: New → Confirmed
Changed in mumble (Ubuntu Natty):
status: New → Confirmed
Changed in mumble (Ubuntu Oneiric):
status: New → Confirmed
Changed in mumble (Ubuntu Lucid):
importance: Undecided → Medium
Changed in mumble (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in mumble (Ubuntu Natty):
importance: Undecided → Medium
Changed in mumble (Ubuntu Maverick):
importance: Undecided → Medium
Changed in mumble (Debian):
status: Unknown → New
Changed in mumble (Debian):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.2.3-2ubuntu2.1

---------------
mumble (1.2.3-2ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: credential disclosure via incorrect permissions
    (LP: #783405)
    - debian/patches/0004-set-file-permissions.patch: Set restrictive
      permissions on data files.
    - CVE-2012-0863
 -- Marc Deslauriers <email address hidden> Fri, 17 Feb 2012 08:33:17 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.2.3-1ubuntu6.1

---------------
mumble (1.2.3-1ubuntu6.1) natty-security; urgency=low

  * SECURITY UPDATE: credential disclosure via incorrect permissions
    (LP: #783405)
    - debian/patches/0004-set-file-permissions.patch: Set restrictive
      permissions on data files.
    - CVE-2012-0863
  * debian/control: reorder Build-Depends so it builds in a schroot.
 -- Marc Deslauriers <email address hidden> Fri, 17 Feb 2012 08:36:11 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.2.2-4ubuntu0.2

---------------
mumble (1.2.2-4ubuntu0.2) maverick-security; urgency=low

  * SECURITY UPDATE: credential disclosure via incorrect permissions
    (LP: #783405)
    - debian/patches/0004-set-file-permissions.patch: Set restrictive
      permissions on data files.
    - CVE-2012-0863
 -- Marc Deslauriers <email address hidden> Fri, 17 Feb 2012 09:31:21 -0500

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mumble - 1.2.2-1ubuntu1.2

---------------
mumble (1.2.2-1ubuntu1.2) lucid-security; urgency=low

  * SECURITY UPDATE: credential disclosure via incorrect permissions
    (LP: #783405)
    - debian/patches/0004-set-file-permissions.patch: Set restrictive
      permissions on data files.
    - CVE-2012-0863
 -- Marc Deslauriers <email address hidden> Fri, 17 Feb 2012 10:17:50 -0500

Changed in mumble (Ubuntu Lucid):
status: Confirmed → Fix Released
Changed in mumble (Ubuntu Maverick):
status: Confirmed → Fix Released
Changed in mumble (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in mumble (Ubuntu Oneiric):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
