Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], 
[email protected], [email protected]
Control: affects -1 + src:mumble
User: [email protected]
Usertags: pu

[ Reason ]
Mumble Trixie is affected by CVE-2025-71264, which is fixed upstream as well
as in Debian Unstable and Testing.

[ Impact ]
The Opus codec decoding has a miscalculation for the size of the buffer, and
without patching, the decoding can crash and crash the Mumble application when
the audio stream is used for multiple audio channels.

[ Tests ]
This bug was found by the Zom.bi community while creating a music bot, and
they found Mumble would crash for some people as the music started playing.
They were able to debug the issue and create a patch which they sent to the
Debian Security Team via email. Upstream examined the patch and created their
own patch, which can be found here:
https://github.com/mumble-voip/mumble/pull/7032
The patch for this proposed upload to Debian Trixie implements these two
upstream commits from pull 7032.

I and upstream both emailed the Zom.bi community at the same email address
that they had used to contact the Debian Security Team to test the patch that
Mumble upstream implemented, but there has been no reply, and I do not have
an automated test available.

[ Risks ]
The risks of implementing this upload to Trixie should be minimal, as the
same patch has now been used for Mumble in Unstable and Forky for a few weeks
without any new bugs reported.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in (old)stable
  [*] the issue is verified as fixed in unstable

[ Changes ]
1) Increase the default Opus buffer length from 60ms to 120ms
2) Change the Opus buffer size to be calculated per-channel

[ Other info ]
This is for Debian Bug #1129178
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129178

Debian security tracker for the bug:
https://security-tracker.debian.org/tracker/CVE-2025-71264

A .debdiff is attached
diff -Nru mumble-1.5.735/debian/changelog mumble-1.5.735/debian/changelog
--- mumble-1.5.735/debian/changelog     2025-06-30 20:19:46.000000000 -0400
+++ mumble-1.5.735/debian/changelog     2026-02-27 14:55:08.000000000 -0500
@@ -1,3 +1,11 @@
+mumble (1.5.735-5+deb13u1) trixie; urgency=medium
+
+  * debian/patches:
+    - Add 95-opus-dos-security.diff to fix crashes Opus buffer overruns
+      leading to crashes (Closes: #1129178)
+
+ -- Christopher Knadle <[email protected]>  Fri, 27 Feb 2026 14:55:08 
-0500
+
 mumble (1.5.735-5) unstable; urgency=medium
 
   * debian/patches:
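
Review bot: the description under "Add 95-opus-dos-security.diff" reads "to fix crashes Opus buffer overruns leading to crashes", which repeats "crashes" and does not parse, and the entry never names CVE-2025-71264 although the request text does. Suggest wording such as "to fix Opus buffer overruns leading to crashes (CVE-2025-71264)" so the changelog itself ties the upload to the CVE as well as to #1129178.
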
diff -Nru mumble-1.5.735/debian/patches/95-opus-dos-security.diff 
mumble-1.5.735/debian/patches/95-opus-dos-security.diff
--- mumble-1.5.735/debian/patches/95-opus-dos-security.diff     1969-12-31 
19:00:00.000000000 -0500
+++ mumble-1.5.735/debian/patches/95-opus-dos-security.diff     2026-02-27 
14:52:28.000000000 -0500
@@ -0,0 +1,56 @@
+Description: Fix Opus out-of-bounds array access, which can lead to
+ application crashes
+Author: Robert Adam <[email protected]>
+Origin: https://github.com/mumble-voip/mumble/pull/7032
+Forwarded: not-needed
+Last-Updated: 2026-02-26
+
+--- a/src/mumble/AudioOutputSpeech.cpp
++++ b/src/mumble/AudioOutputSpeech.cpp
+@@ -86,13 +86,14 @@
+                                        OPUS_SET_PHASE_INVERSION_DISABLED(1)); 
// Disable phase inversion for better mono downmix.
+ 
+       // iAudioBufferSize: size (in unit of float) of the buffer used to 
store decoded pcm data.
+-      // For opus, the maximum frame size of a packet is 60ms.
+-      iAudioBufferSize = iSampleRate * 60 / 1000; // = SampleRate * 60ms = 
48000Hz * 0.06s = 2880, ~12KB
++      // For opus, the maximum frame size of a packet is 120ms (the maximum 
duration for a single frame
++      // is 60ms but multiple frames may be bundled into a single packet of a 
duration up to 120ms).
++      iAudioBufferSize = iSampleRate * 120 / 1000; // = SampleRate * 120ms = 
48000Hz * 0.12s = 5760, ~23KB
+ 
+       // iBufferSize: size of the buffer to store the resampled audio data.
+       // Note that the number of samples in each opus packet can be different 
from the number of samples the system
+       // requests from us each time (this is known as the system's audio 
buffer size).
+-      // For example, the maximum size of an opus packet can be 60ms, but the 
system's audio buffer size is typically
++      // For example, the maximum size of an opus packet is 120ms, but the 
system's audio buffer size is typically
+       // ~5ms on my laptop.
+       // Whenever the system's audio callback is called, we have two choice:
+       //  1. Decode a new opus packet. Then we need a buffer to store unused 
samples (which don't fit in the system's
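
Review bot: the updated comment on iAudioBufferSize still describes it only as "size (in unit of float)" and works the arithmetic as 48000Hz * 0.12s = 5760, without saying whether that count is per channel or across all channels. That distinction now matters because the decode call later in this patch passes iAudioBufferSize / channels as the frame size. If iAudioBufferSize is not scaled by the channel count somewhere outside these hunks, a two-channel stream gets room for only half of the 120ms this comment promises. Suggest stating the unit explicitly in the comment (total floats for all channels, or samples per channel) so the division at the call site can be checked against it.
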
+@@ -101,7 +102,7 @@
+       // How large should this buffer be? Consider the case in which 
remaining samples in the buffer can not fill
+       // the system's audio buffer. In that case, we need to decode a new 
opus packet. In the worst case, the buffer size
+       // needed is
+-      //    60ms of new decoded audio data + system's buffer size - 1.
++      //    120ms of new decoded audio data + system's buffer size - 1.
+       iOutputSize = static_cast< unsigned int >(
+               ceilf(static_cast< float >(iAudioBufferSize * iMixerFreq) / 
static_cast< float >(iSampleRate)));
+       iBufferSize = iOutputSize + systemMaxBufferSize; // -1 has been rounded 
up
+@@ -346,7 +347,8 @@
+                                       // packet normally in order to be able 
to play it.
+                                       decodedSamples = opus_decode_float(
+                                               opusState, qba.isEmpty() ? 
nullptr : reinterpret_cast< const unsigned char * >(qba.constData()),
+-                                              qba.size(), pOut, static_cast< 
int >(iAudioBufferSize), 0);
++                                              static_cast< opus_int32 
>(qba.size()), pOut, static_cast< int >(iAudioBufferSize / channels),
++                                              0);
+                               } else {
+                                       // If the packet is non-empty, but the 
associated user is locally muted,
+                                       // we don't have to decode the packet. 
Instead it is enough to know how many
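
Review bot: the new frame-size argument static_cast< int >(iAudioBufferSize / channels) divides by channels, and nothing visible in this hunk shows that the value is guaranteed to be nonzero when the call is reached. An assert on channels before the call, in the style of the assert(m_codec == ...) used in the next hunk, would document the invariant the fix depends on. The added static_cast< opus_int32 >(qba.size()) also narrows silently, so an explicit upper bound on the packet length before the cast would make that conversion safe by construction rather than by assumption.
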
+@@ -398,7 +400,8 @@
+                               }
+                       } else {
+                               assert(m_codec == 
Mumble::Protocol::AudioCodec::Opus);
+-                              decodedSamples = opus_decode_float(opusState, 
nullptr, 0, pOut, static_cast< int >(iFrameSize), 0);
++                              decodedSamples =
++                                      opus_decode_float(opusState, nullptr, 
0, pOut, static_cast< int >(iFrameSizePerChannel), 0);
+                               decodedSamples *= static_cast< int >(channels);
+ 
+                               if (decodedSamples < 0) {
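
Review bot: iFrameSizePerChannel appears in the replacement opus_decode_float call, but no hunk in this patch declares or assigns it, so the backport relies on that member already being present and correctly set in the 1.5.735 sources. That is worth confirming against the trixie tree, since the request says no automated test is available. Separately, the context line decodedSamples *= static_cast< int >(channels); runs before if (decodedSamples < 0), so a negative Opus error code is multiplied by the channel count before it is inspected. The sign survives, so the check still fires, but moving the multiplication after the error check would keep the original code intact for whatever handling follows.
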
diff -Nru mumble-1.5.735/debian/patches/series 
mumble-1.5.735/debian/patches/series
--- mumble-1.5.735/debian/patches/series        2025-06-30 20:08:55.000000000 
-0400
+++ mumble-1.5.735/debian/patches/series        2026-02-27 14:44:01.000000000 
-0500
@@ -4,3 +4,4 @@
 45-add-pid-location-hint.diff
 50-fix-segfault-missing-pipewire-config.diff
 90-debianize-systemd-unit.diff
+95-opus-dos-security.diff
