Accepting request 106279 from games:tools

- remove read permissions for other users on local sqlite database
  as it may contain passwords (bnc#747833, CVE-2012-0863)

OBS-URL: https://build.opensuse.org/request/show/106279
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mumble?expand=0&rev=15

0001-Explicitly-remove-file-permissions-for-settings-and-D.diff

@@ -0,0 +1,52 @@
+From cc52dd435e281f008866439b9eb5565729bd1956 Mon Sep 17 00:00:00 2001
+From: Thorvald Natvig <slicer@users.sourceforge.net>
+Date: Fri, 27 May 2011 16:59:15 -0700
+Subject: [PATCH mumble] Explicitly remove file permissions for settings and
+ DB
+
+---
+ src/mumble/Database.cpp |    5 +++++
+ src/mumble/Settings.cpp |   11 +++++++++++
+ 2 files changed, 16 insertions(+), 0 deletions(-)
+
+diff --git a/src/mumble/Database.cpp b/src/mumble/Database.cpp
+index 6c4d940..5caed38 100644
+--- a/src/mumble/Database.cpp
++++ b/src/mumble/Database.cpp
+@@ -92,6 +92,11 @@ Database::Database() {
+ 		qWarning("Database: Database is read-only");
+ 	}
+ 
++	{
++		QFile f(db.databaseName());
++		f.setPermissions(f.permissions() & ~(QFile::ReadGroup | QFile::WriteGroup | QFile::ExeGroup | QFile::ReadOther | QFile::WriteOther | QFile::ExeOther));
++	}
++
+ 	QSqlQuery query;
+ 
+ 	query.exec(QLatin1String("CREATE TABLE IF NOT EXISTS `servers` (`id` INTEGER PRIMARY KEY AUTOINCREMENT, `name` TEXT, `hostname` TEXT, `port` INTEGER DEFAULT 64738, `username` TEXT, `password` TEXT)"));
+diff --git a/src/mumble/Settings.cpp b/src/mumble/Settings.cpp
+index 5ebbc53..df9d7f3 100644
+--- a/src/mumble/Settings.cpp
++++ b/src/mumble/Settings.cpp
+@@ -698,6 +698,17 @@ void OverlaySettings::save() {
+ void OverlaySettings::save(QSettings* settings_ptr) {
+ 	OverlaySettings def;
+ 
++	settings_ptr->setValue(QLatin1String("version"), QLatin1String(MUMTEXT(MUMBLE_VERSION_STRING)));
++	settings_ptr->sync();
++
++#if defined(Q_OS_WIN) || defined(Q_OS_MAC)
++	if (settings_ptr->format() == QSettings::IniFormat)
++#endif
++        {
++               QFile f(settings_ptr->fileName());
++               f.setPermissions(f.permissions() & ~(QFile::ReadGroup | QFile::WriteGroup | QFile::ExeGroup | QFile::ReadOther | QFile::WriteOther | QFile::ExeOther));
++        }
++
+ 	SAVELOAD(bEnable, "enable");
+ 
+ 	SAVELOAD(osShow, "show");
+-- 
+1.7.7
+

mumble.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Feb 20 08:49:15 UTC 2012 - lnussel@suse.de
+
+- remove read permissions for other users on local sqlite database
+  as it may contain passwords (bnc#747833, CVE-2012-0863)
+
 -------------------------------------------------------------------
 Mon Feb 13 14:00:57 UTC 2012 - lnussel@suse.de
 

mumble.spec

@@ -103,6 +103,7 @@ Patch3:         0001-if-service-name-is-empty-don-t-pass-an-empty-string.diff
 Patch4:         0001-remove-CAP_NET_ADMIN.diff
 Patch5:         0001-fix-bonjour-support-using-avahi-compat-lib.diff
 Patch6:         mumble-1.2.3-nohardcodedcas.diff
+Patch7:         0001-Explicitly-remove-file-permissions-for-settings-and-D.diff
 Patch50:        mumble-1.2.2-buildcompare.diff
 # hack, no clue about glx so no idea to fix this properly
 Patch99:        mumble-1.1.4-sle10glx.diff
@@ -173,6 +174,7 @@ won't be audible to other players.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 #
 %patch50 -p1
 %if 0%{?suse_version} && 0%{?suse_version} < 1020