Version in base suite: 1.5.735-5 Base version: mumble_1.5.735-5 Target version: mumble_1.5.735-5+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/mumble/mumble_1.5.735-5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/mumble/mumble_1.5.735-5+deb13u1.dsc changelog | 8 +++++ patches/95-opus-dos-security.diff | 56 ++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 65 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpff5fbu2u/mumble_1.5.735-5.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpff5fbu2u/mumble_1.5.735-5+deb13u1.dsc: no acceptable signature found
diff -Nru mumble-1.5.735/debian/changelog mumble-1.5.735/debian/changelog
--- mumble-1.5.735/debian/changelog 2025-07-01 00:19:46.000000000 +0000
+++ mumble-1.5.735/debian/changelog 2026-02-27 19:55:08.000000000 +0000
@@ -1,3 +1,11 @@
+mumble (1.5.735-5+deb13u1) trixie; urgency=medium
+
+ * debian/patches:
+ - Add 95-opus-dos-security.diff to fix crashes Opus buffer overruns
+ leading to crashes (Closes: #1129178)
+
+ -- Christopher Knadle Fri, 27 Feb 2026 14:55:08 -0500
+
 mumble (1.5.735-5) unstable; urgency=medium
 * debian/patches:
diff -Nru mumble-1.5.735/debian/patches/95-opus-dos-security.diff mumble-1.5.735/debian/patches/95-opus-dos-security.diff
--- mumble-1.5.735/debian/patches/95-opus-dos-security.diff 1970-01-01 00:00:00.000000000 +0000
+++ mumble-1.5.735/debian/patches/95-opus-dos-security.diff 2026-02-27 19:52:28.000000000 +0000
@@ -0,0 +1,56 @@
+Description: Fix Opus out-of-bounds array access, which can lead to
+ application crashes
+Author: Robert Adam
+Origin: https://github.com/mumble-voip/mumble/pull/7032
+Forwarded: not-needed
+Last-Updated: 2026-02-26
+
+--- a/src/mumble/AudioOutputSpeech.cpp
++++ b/src/mumble/AudioOutputSpeech.cpp
+@@ -86,13 +86,14 @@
+ OPUS_SET_PHASE_INVERSION_DISABLED(1)); // Disable phase inversion for better mono downmix.
+
+ // iAudioBufferSize: size (in unit of float) of the buffer used to store decoded pcm data.
+- // For opus, the maximum frame size of a packet is 60ms.
+- iAudioBufferSize = iSampleRate * 60 / 1000; // = SampleRate * 60ms = 48000Hz * 0.06s = 2880, ~12KB
++ // For opus, the maximum frame size of a packet is 120ms (the maximum duration for a single frame
++ // is 60ms but multiple frames may be bundled into a single packet of a duration up to 120ms).
++ iAudioBufferSize = iSampleRate * 120 / 1000; // = SampleRate * 120ms = 48000Hz * 0.12s = 5760, ~23KB
+
+ // iBufferSize: size of the buffer to store the resampled audio data.
+ // Note that the number of samples in each opus packet can be different from the number of samples the system
+ // requests from us each time (this is known as the system's audio buffer size).
+- // For example, the maximum size of an opus packet can be 60ms, but the system's audio buffer size is typically
++ // For example, the maximum size of an opus packet is 120ms, but the system's audio buffer size is typically
+ // ~5ms on my laptop.
+ // Whenever the system's audio callback is called, we have two choice:
+ // 1. Decode a new opus packet. Then we need a buffer to store unused samples (which don't fit in the system's
+@@ -101,7 +102,7 @@
+ // How large should this buffer be? Consider the case in which remaining samples in the buffer can not fill
+ // the system's audio buffer. In that case, we need to decode a new opus packet. In the worst case, the buffer size
+ // needed is
+- // 60ms of new decoded audio data + system's buffer size - 1.
++ // 120ms of new decoded audio data + system's buffer size - 1.
+ iOutputSize = static_cast< unsigned int >(
+ ceilf(static_cast< float >(iAudioBufferSize * iMixerFreq) / static_cast< float >(iSampleRate)));
+ iBufferSize = iOutputSize + systemMaxBufferSize; // -1 has been rounded up
+@@ -346,7 +347,8 @@
+ // packet normally in order to be able to play it.
+ decodedSamples = opus_decode_float(
+ opusState, qba.isEmpty() ? nullptr : reinterpret_cast< const unsigned char * >(qba.constData()),
+- qba.size(), pOut, static_cast< int >(iAudioBufferSize), 0);
++ static_cast< opus_int32 >(qba.size()), pOut, static_cast< int >(iAudioBufferSize / channels),
++ 0);
+ } else {
+ // If the packet is non-empty, but the associated user is locally muted,
+ // we don't have to decode the packet. Instead it is enough to know how many
+@@ -398,7 +400,8 @@
+ }
+ }
+ } else {
+ assert(m_codec == Mumble::Protocol::AudioCodec::Opus);
+- decodedSamples = opus_decode_float(opusState, nullptr, 0, pOut, static_cast< int >(iFrameSize), 0);
++ decodedSamples =
++ opus_decode_float(opusState, nullptr, 0, pOut, static_cast< int >(iFrameSizePerChannel), 0);
+ decodedSamples *= static_cast< int >(channels);
+
+ if (decodedSamples < 0) {
diff -Nru mumble-1.5.735/debian/patches/series mumble-1.5.735/debian/patches/series
--- mumble-1.5.735/debian/patches/series 2025-07-01 00:08:55.000000000 +0000
+++ mumble-1.5.735/debian/patches/series 2026-02-27 19:44:01.000000000 +0000
@@ -4,3 +4,4 @@
 45-add-pid-location-hint.diff
 50-fix-segfault-missing-pipewire-config.diff
 90-debianize-systemd-unit.diff
+95-opus-dos-security.diff
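Review bot: The sizing comment in the inner `@@ -86,13 +86,14 @@` hunk and the decode call in the inner `@@ -346,7 +347,8 @@` hunk use different units, and the patch does not document how they relate. `iAudioBufferSize` is described as a count of floats and is set to 120 ms at the sample rate with no channel factor, while the decode call now passes `iAudioBufferSize / channels` as the per-channel frame size. With two channels the decoder is therefore limited to 60 ms per channel, and a longer packet would presumably come back as `OPUS_BUFFER_TOO_SMALL` rather than being decoded. That is the safe direction, but it should be stated next to the assignment, e.g. `// Total floats across all channels; per-channel capacity is iAudioBufferSize / channels.` The allocation of `pOut` and the handling of a negative `decodedSamples` after this call lie outside the hunks, so neither the buffer's real capacity nor a clean drop of the packet on the error path can be confirmed from here.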