Mumble: Support for custom rate limiting with murmur.ini file?

Created on 22 Feb 2019 · 24 Comments · Source: mumble-voip/mumble

Can there be a config for modifying the LeakyBucket rate limiting to increase the number of maximum messages sent per second? I have a private server with a bot that is unable to send messages due to the hard coded rate limiting.

If someone could get back to me about this, that would be great!

EDIT: I was asking this question for the 1.2.8-2+deb8u1 Armhf build, since the 1.3 snapshot already features per-user rate limiting in the murmur.ini.

bug debian linux server

All 24 comments

LeakyBucket has been introduced in Murmur 1.3 (#3510), 1.2.x doesn't have a rate limiting system.

That's what I thought from the stuff I've seen, however 1.2.8-2+deb8u1 Armhf build was a security update that was forced on debian which included the rate limiting system. Could you check this and let me know?

What distribution and version are you using?

Version: 1.2.8-2+deb8u1 ARMHF Build (Debian based)
OS: Raspbian GNU/Linux 8.0 (Jessie)
Raspbian is a debian-based OS for the raspberrypi (arm architecture)

Is this what you needed?

Yes, thank you.

@crknadle Is 1.2.8-2+deb8u1 built without b44b1f2172a8fa489697cd78d2cc92254c968283?

1.2.8+deb8u1 was uploaded by the Debian LTS team without any co-ordination from/with me.
Best I can tell yes, the patch used doesn't include the rate-limiting from b44b1f2.

The specific commits referenced in CVE--2018-20743.patch are https://github.com/mumble-voip/mumble/commit/44b9004d2c208b42c6f8ffa99938361e31f5a071 and https://github.com/mumble-voip/mumble/commit/f7221c14efa14c4c73b64782673d309e97f87e61.

Is this something that has to be corrected by Debian LTS team or something that the mumble team can update?

I would assume the Debian LTS team and/or I could update the package if there was a bug to be fixed, but right now all of the security bugs in Jessie are marked as "fixed":
https://security-tracker.debian.org/tracker/source-package/mumble

I have patches for the rate limiting for Mumble 1.2 that I backported from Mumble 1.3 during the Christmas holiday, which includes a rate-limiting patch; I'll check to see if they apply to Mumble 1.2.8 in Jessie.

I checked; the rate limit patch I had backported from Mumble 1.3 for 1.2.18 won't directly apply for 1.2.8, but the prior patch without the rate limit does.

Someone else had identical issues to mine with the 1.2.8+deb8u1 update so I referenced this issue for them.

I think there may be a bigger issue with the fix used in Mumble 1.2.8+deb8u1 -- parts of the patch require c++11 (and those sections are skipped if c++11 is not available) and the package in Jessie is not built with c++11. (The package in Stretch is.) Building with c++11 requires CONFIG*=c+11 in the debian/rules which the update package for Jessie doesn't use. I have no idea if the resulting package was tested to see if the fix functioned as expected. I think it's time I contact the author of the upload.

Hi, did you ever contact the author of the upload? I'm just checking in on the status of this issue.

I had not written the upstream author yet, so I did so now. I've had a request to upload Mumble 1.3.0-rc1 to try to get it in the Buster (Debian 10) release even though it's in "full freeze", so I'm likely going to be focusing on that more (for now).

Hi LTS uploader here. I will prepare an update this week itself.

Thanks for getting back to me everyone =)

Hello @DuckBoss, can you test with the new build? https://people.debian.org/~abhijith/upload/

@bh-e Thanks! I'll run some tests on this build and let you know how it goes.

@bh-e I wasn't able to test the new build since I needed the armhf build. I checked your link but I only saw the update available for the amd64 architecture.

Version: 1.2.8-2+deb8u1 ARMHF Build (Debian based)
OS: Raspbian GNU/Linux 8.0 (Jessie)
Raspbian is a debian-based OS for the raspberrypi (arm architecture)

Do you have an armhf build as referenced here from my previous comment?

@DuckBoss, ah! Let me see what I can do.

@bh-e Hello! Just checking in since it's been a couple days. Do you have an armhf build available for testing?

DuckBoss, my armhf lxc container setup is not working. Can you build yourself a copy by pulling that dsc file? I will be backporting the version in stable to Jessie. Right now, I am busy with some personal stuff. I will start working on it from next week Wednesday.

Thanks for updating me on this, unfortunately my raspberry pi that I was running the server on is dead and I won't be able to test your build. I'll see if I can get one of my friends to try it out and I'll let you know how it goes!

Oops didn't mean to close ^

To address the original topic: The rate-limiter can be configured via https://wiki.mumble.info/wiki/Murmur.ini#messagelimit_and_messageburst
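
An added example, not part of the thread and not Murmur's own code: a generic leaky-bucket model for estimating how many of a bot's messages a given `messagelimit` / `messageburst` pair would let through. Treating `messagelimit` as the drain rate in messages per second and `messageburst` as the bucket capacity is an assumption, as are the sample values 1 and 5; check the wiki page linked above for the exact semantics.

```python
from fractions import Fraction


class LeakyBucket:
    """Generic leaky bucket (illustrative model, not Murmur's source)."""

    def __init__(self, limit, burst):
        self.limit = Fraction(limit)  # drain rate, msgs/second (assumed: messagelimit)
        self.burst = Fraction(burst)  # bucket capacity (assumed: messageburst)
        self.level = Fraction(0)
        self.last = Fraction(0)

    def allow(self, now):
        # Drain what leaked out since the previous message, never below empty.
        self.level = max(Fraction(0), self.level - (now - self.last) * self.limit)
        self.last = now
        if self.level + 1 > self.burst:
            return False              # bucket would overflow: message is dropped
        self.level += 1
        return True


def simulate(limit, burst, send_rate, seconds):
    """Return (accepted, dropped) for a client sending send_rate msgs/second."""
    bucket = LeakyBucket(limit, burst)
    total = send_rate * seconds
    accepted = sum(bucket.allow(Fraction(i, send_rate)) for i in range(total))
    return accepted, total - accepted


def smallest_burst(limit, send_rate, batch):
    """Smallest capacity that passes `batch` back-to-back messages undropped."""
    for burst in range(1, batch + 1):
        bucket = LeakyBucket(limit, burst)
        if all(bucket.allow(Fraction(i, send_rate)) for i in range(batch)):
            return burst
    return batch


if __name__ == "__main__":
    # Constructed scenario: a bot sending 10 msgs/second for 10 seconds.
    print("limit=1 burst=5, 10 msg/s:", simulate(1, 5, 10, 10))
    print("limit=1 burst=5,  1 msg/s:", simulate(1, 5, 1, 10))
    print("burst needed for a 20-message batch at 10 msg/s:", smallest_burst(1, 10, 20))
```

Under this model, raising the burst only absorbs short batches; a bot that sends faster than the drain rate for long periods keeps losing messages until the rate itself is raised.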
