Advisories » MGASA-2020-0315

Updated mumble packages fix security vulnerability

Publication date: 16 Aug 2020
Modification date: 16 Aug 2020
Type: security
Affected Mageia releases : 7

Description

Updated mumble package fixes security vulnerability:


OCB2 is known to be broken under certain conditions:
https://eprint.iacr.org/2019/311

To execute the universal attacks described in the paper, an attacker
needs access to an encryption oracle that allows it to perform encryption
queries with attacker-chosen nonce. Luckily in Mumble the encryption nonce
is a fixed counter which is far too restrictive for the universal attacks
to be feasible against Mumble.

The basic attacks do not require an attacker-chosen nonce and as such are
more applicable to Mumble. They are however of limited use and do require
an en- and a decryption oracle which Mumble seemingly does not provide at
the same time.

To be on the safe side, this commit implements the counter-cryptanalysis
measure described in the paper in section 9 for the sender and receiver side.
This way if either server of client are patched, their communication is almost
certainly (merely lacking formal proof) not susceptible to the attacks described
in the paper.


Fixed: Potential exploit in the OCB2 encryption (#4227)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26746
• https://github.com/mumble-voip/mumble/issues/4219
• https://github.com/mumble-voip/mumble/pull/4227

SRPMS

7/core

• mumble-1.3.2-1.mga7