Update the existing libopus version in the 1.3.x Stable builds from 1.1.3 to 1.1.5 at minimum.

[SC1040-TS2]

Context Aside from updating the Opus codec, this change would ensure that Mumble uses the latest build of LibOpus 1.1.x.

Describe the feature you have in mind Replace the libopus.dll file for libopus 1.1.3 with one based on libopus 1.1.5.

Describe alternatives you've considered There are not too many alternatives to consider, apart from either a newer version release than 1.1.5 (e.g. 1.2.x or 1.3.x), or leaving the existing libopus.dll file as-is in the event updating it breaks compatibility with Mumble 1.2.16-1.2.19 or otherwise.

Additional context The version release notes and source code for LibOpus 1.1.5 can be found in this archive here: https://opus-codec.org/release/stable/2017/05/24/libopus-1_1_5.html

However, while reading through the News and release archives, I came across the release notes for LibOpus 1.1.4 (https://opus-codec.org/release/stable/2017/01/20/libopus-1_1_4.html). That version release of libopus fixed a security vulnerability that seems suspiciously similar in wording to the one reported in Mumble Security Advisory 2016-001 (https://www.mumble.info/security/mumble-sa-2016-001/) and already fixed in Mumble 1.2.13 (https://wiki.mumble.info/wiki/1.2.13). If this is the exact same vulnerability as the one fixed in 1.2.13, then moving to LibOpus 1.1.4 or newer would serve as a redundant and codec-inherent fix for it.

I understand that reporting security vulnerabilities is meant to be discrete now, but as the above added context refers to an old, inactive, and fixed issue, it does not count as an active vulnerability in my opinion.

[Krzmbrzl]

What's up with this title? ^^

So in short you simply want us to update the used Opus version?

[SC1040-TS2]

In a long-winded phrasing that included forgetting if Opus 1.3.1 was in the 1.4.x Master repo, yes. However, rather than it being updated to 1.3.1, the idea of at least moving to the latest 1.1.x version(Compared to the console output version of Opus 1.1.3) as an interim release while Mumble 1.4.x is still being worked on came to mind.

[Krzmbrzl]

rather than it being updated to 1.3.1

It should be v1.3.1 (at least in current master) already

The idea of at least moving to the latest 1.1.x version(Compared to the console output version of Opus 1.1.3) as an interim release while Mumble 1.4.x is still being worked on came to mind.

Agreed :+1:

---

EDIT: According to Opus's website 1.3.1 is the latest released version... Where did you find information on a Opus 1.3.5 version?

[SC1040-TS2]

EDIT: According to Opus's website 1.3.1 is the latest released version... Where did you find information on a Opus 1.3.5 version?

I never said there was a Opus 1.3.5. It does not exist.

I was only ever referring to Opus 1.1.5.

[Krzmbrzl]

Oh yes indeed :facepalm:

In that case I think the issue has already been dealt with as the current master branch is using 1.3.1 already. Or does Opus have some weird versioning system so that the 1.1.x series is actually more recent than 1.3.1? :eyes:

[SC1040-TS2]

One moment while I correct the title.

[SC1040-TS2]

The point of this issue was more to propose an incremental change to components of existing versions of Mumble while issues with CMake migration and other things are still being worked on for Mumble 1.4.x, unless the intended release for that version of Mumble and Murmur as a Stable release build is planned for sometime within the next few months.

[Krzmbrzl]

Ah okay :bulb:

We don't backport new features to older Mumble releases, but I guess updating the Opus library doesn't really count as a "new feature"... @davidebeatrici what's your opinion on this?

In the end we are actually hoping that we don't have to release another iteration of the 1.3.x series in the first place but then again we also don't have a realy ETA for 1.4.0 so updating the Opus library for 1.3.x just in case might be viable :thinking:

[davidebeatrici]

Updating Opus for 1.3 is viable, releasing 1.3.4 is probably not worth it though.

[SC1040-TS2]

I understand that not wanting to release more 1.3.x versions given 1.4.x is due to be released at some point is a good reason, but the thought of making some incremental changes and updates leading up to the big CMake migration so the full move to it is not as painful seems worthwhile.

The main concern I have regarding moving from Opus 1.1.3 to Opus 1.3.1 in the Stable builds is whether doing so would break compatibility with the legacy codec version used in prior Mumble/Murmur versions, but if there is no real issue in connecting to legacy servers and using VOIP with Opus 1.3.1 as default in the Master Mumble implementation, it could probably be implemented in a hypothetical Mumble/Murmur 1.3.4 release.

———

On a different note, another component to look into updating prior to 1.4.x is the SQLite implementation. Console output shows that SQLite 3.18.0 is the version currently in use, but the most recent version is 3.33.0 last time I checked. If it is able to be migrated to without or with minimal backwards compatibility issues, it is another component due for some Maintenance.

[SC1040-TS2]

Also, understandable, @davidebeatrici.

[davidebeatrici]

Mumble 1.3.3 actually uses Opus 1.2.1.

As for SQLite: updating it would require us to recompile the build environment. For reference: https://github.com/mumble-voip/mumble-releng/blob/master/buildenv/1.3.x/win32-static/sqlite3.build

[SC1040-TS2]

Mumble 1.3.3 actually uses Opus 1.2.1.

Really, now? The only console output I am getting for my install of the Windows x64 build is "libopus v1.1.3 from C:/Program Files/Mumble/Versions/1.3.3/opus.dll". No libopus 1.2.1 anywhere, even after repairing it, in spite of 1.3.0 release notes including that update as part of its version release.

Something is not right here.

[davidebeatrici]

You're absolutely right: https://github.com/mumble-voip/mumble/blob/1.3.x/3rdparty/opus-build/win32/version.h

The version was not bumped...

At least it's only a cosmetic issue, but it's definitely confusing.

[SC1040-TS2]

Well, aside from changes to how the codec behaves in Opus 1.2 (1.2.1 was a bugfix release on top of that), but otherwise cosmetic.

[Krzmbrzl]

So this issue is resolved after all?

Updating SQLite by recompiling the build environment wilk definitely not happen as this is a real PITA and imo not worth the hours that had to be spent on it...

[no-response[bot]]

This issue has been automatically closed because there has been no response to our request for more information. With only the information that is currently in the issue, we don't have enough information to take action.

Please reach out if you have or find the answers we need so that we can investigate further (or if you feel like this issue shouldn't be closed for another reason).