Re: CVE request: mumble local information disclosure

[Kurt Seifried <kseifried () redhat com>]

On 02/15/2012 03:09 PM, Vincent Danen wrote:
> It was discovered that mumble created its database file
> (~/.local/share/data/Mumble/.mumble.sqlite) with insecure world-readable
> permissions.  If the user had (non-default) permissions on their home
> directory, another local user could obtain password and configuration
> settings from the database file.
>
> This has been corrected in upstream git and is reported as affecting
> 1.2.3 and earlier.
>
> Could a CVE be assigned to this flaw?
>
> References:
>
> https://bugs.launchpad.net/ubuntu/+source/mumble/+bug/783405
> https://github.com/mumble-voip/mumble/commit/5632c35d6759f5e13a7dfe78e4ee6403ff6a8e3e
>
> https://bugzilla.redhat.com/show_bug.cgi?id=791000
> http://bugs.gentoo.org/show_bug.cgi?id=403939

Please use CVE-2012-0863 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)