[arch-commits] Commit in murmur/trunk (2 files)

Sven-Hendrik Haase svenstaro at archlinux.org
Sun Apr 5 02:15:29 UTC 2020


    Date: Sunday, April 5, 2020 @ 02:15:28
  Author: svenstaro
Revision: 611770

upgpkg: murmur 1.3.0-7

Added:
  murmur/trunk/a48aea18b6c7ee534cd21f7febfe253e31b33eda.patch
Modified:
  murmur/trunk/PKGBUILD

------------------------------------------------+
 PKGBUILD                                       |    7 +++
 a48aea18b6c7ee534cd21f7febfe253e31b33eda.patch |   42 +++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-04-05 02:10:08 UTC (rev 611769)
+++ PKGBUILD	2020-04-05 02:15:28 UTC (rev 611770)
@@ -6,7 +6,7 @@
 _name=mumble
 pkgname=murmur
 pkgver=1.3.0
-pkgrel=6
+pkgrel=7
 pkgdesc="The voice chat application server for Mumble"
 arch=('x86_64')
 url="https://wiki.mumble.info/wiki/Main_Page"
@@ -17,6 +17,7 @@
 backup=("etc/murmur.ini")
 install="murmur.install"
 source=("https://github.com/mumble-voip/${_name}/releases/download/${pkgver}/${_name}-${pkgver}.tar.gz"{,.sig}
+        a48aea18b6c7ee534cd21f7febfe253e31b33eda.patch
         "murmur.dbus.conf"
         "murmur.service"
         "murmur.sysusers"
@@ -23,6 +24,7 @@
         "murmur.tmpfiles")
 sha512sums=('2a629fc97f3c7c587c9a3b40fc96cf15d668acada37282ec1c4a5b169ad37717d60af94d12c7bce45f2816c265f76a99ebad40a006adcf8ca38a117e7c0a4122'
             'SKIP'
+            '2f379e355227e37f2d23d984d3a59779e3b7a2206865db8c9e4c9cb4eba563ca468744d862e29892919d8d2798576d2e011c658b48ca0acdde63e8a5cc577119'
             '97c7effdddec324e40195c36ef4927950a5de26d2ee2d268d89df6fb547207bbbe30292773316cae6f57ec9923244f205fb0edc377b798771ba7385e3c11d86a'
             '2059eeac32cc078168a2ea56fe3034df69814516303adeffb8062c7b90a88177a536e6a6742196ee90370084d4e536f825b1744f8bed2bb704159a8a8bccb606'
             '5af28d0c2b2b072cfbd500b5f63549e88a86cf3fc15e4d2df89e787c4d2bafdecbe078a518e0d1b25d82f9873cb06838ec1c9ebed625ffb7e8c80fcd942ebf74'
@@ -38,6 +40,9 @@
       -e "s|;logfile=murmur.log|logfile=|" \
       -e "s|;uname=|uname=murmur|" \
       -i scripts/murmur.ini
+
+  # See https://github.com/mumble-voip/mumble/pull/4032
+  patch -Np1 -i "$srcdir"/a48aea18b6c7ee534cd21f7febfe253e31b33eda.patch
 }
 
 build() {
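Review bot: The comment added above the `patch` call gives only the pull-request link, so a later maintainer cannot tell from the PKGBUILD that this is a carried security workaround or when it can be dropped. A comment such as `# Backport of upstream PR 4032 (QSslSocket workaround, security fix); drop once a mumble release contains it` would make the removal condition explicit. The enclosing function starts above this hunk, so the placement relative to the other edits in it is not fully visible here.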

Added: a48aea18b6c7ee534cd21f7febfe253e31b33eda.patch
===================================================================
--- a48aea18b6c7ee534cd21f7febfe253e31b33eda.patch	                        (rev 0)
+++ a48aea18b6c7ee534cd21f7febfe253e31b33eda.patch	2020-04-05 02:15:28 UTC (rev 611770)
@@ -0,0 +1,42 @@
+From a48aea18b6c7ee534cd21f7febfe253e31b33eda Mon Sep 17 00:00:00 2001
+From: Davide Beatrici <git at davidebeatrici.dev>
+Date: Sat, 4 Apr 2020 07:48:46 +0200
+Subject: [PATCH] src/murmur/Server.cpp: implement workaround for critical
+ QSslSocket issue
+
+A severe bug was introduced in qt/qtbase at 93a803a6de27d9eb57931c431b5f3d074914f693: q_SSL_shutdown() causes Qt to emit "error()" from unrelated QSslSocket(s), in addition to the correct one.
+
+The issue causes Server::connectionClosed() to disconnect random authenticated clients.
+
+The workaround consists in ignoring a specific OpenSSL error:
+"Error while reading: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init [20]"
+
+Definitely not ideal, but it fixes a critical vulnerability. Details on how to trigger it are deliberately omitted.
+---
+ src/murmur/Server.cpp | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/src/murmur/Server.cpp b/src/murmur/Server.cpp
+index cac75e4fea..055ad96d95 100644
+--- a/src/murmur/Server.cpp
++++ b/src/murmur/Server.cpp
+@@ -1422,6 +1422,19 @@ void Server::sslError(const QList<QSslError> &errors) {
+ }
+ 
+ void Server::connectionClosed(QAbstractSocket::SocketError err, const QString &reason) {
++	if (reason.contains(QLatin1String("140E0197"))) {
++		// A severe bug was introduced in qt/qtbase at 93a803a6de27d9eb57931c431b5f3d074914f693.
++		// q_SSL_shutdown() causes Qt to emit "error()" from unrelated QSslSocket(s), in addition to the correct one.
++		// The issue causes this function to disconnect random authenticated clients.
++		//
++		// The workaround consists in ignoring a specific OpenSSL error:
++		// "Error while reading: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init [20]"
++		//
++		// Definitely not ideal, but it fixes a critical vulnerability.
++		qWarning("Ignored OpenSSL error 140E0197 for %p", sender());
++		return;
++	}
++
+ 	Connection *c = qobject_cast<Connection *>(sender());
+ 	if (! c)
+ 		return;
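Review bot: The new guard at the top of `Server::connectionClosed()` returns for every sender whose reason text contains `140E0197`, so the socket that really failed in SSL_shutdown is skipped along with the unrelated ones. Its `Connection` presumably stays registered until some other path, such as a timeout, removes it; the cleanup code lies below the hunk, so this needs confirming there. The match is a substring test on a human-readable error string rather than on `err` or a structured error code, so it silently stops working if the OpenSSL or Qt message format changes. The code comment should record that, e.g. `// Matches the OpenSSL error text; re-check on Qt/OpenSSL upgrades and remove once the Qt regression is fixed.` Since the commit message describes the condition as a vulnerability, the unconditional `qWarning` per occurrence may be worth rate-limiting so that repeated events cannot flood the server log.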


