Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618024 (CVE-2016-10351) - net-im/telegram-desktop-bin: insecure permission of $HOME/.TelegramDesktop directory (CVE-2016-10351)
Summary: net-im/telegram-desktop-bin: insecure permission of $HOME/.TelegramDesktop di...
Status: RESOLVED FIXED
Alias: CVE-2016-10351
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://blogs.gentoo.org/ago/2017/05/...
Whiteboard: ~3 [upstream cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-09 18:33 UTC by Agostino Sarubbo
Modified: 2017-12-27 22:01 UTC (History)
10 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-05-09 18:33:00 UTC
Details at $URL.



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 pva 2017-05-22 09:28:42 UTC
Agostino, could you check this bug in 1.1.2 (could be installed just copying ebuild with a required version). I don't have .TelegramDesktop folder any more and .telegram has sane permissions:

peter@i7 ~ $ ls -dalh .telegram/
drwx------ 3 peter peter 4.0K мар 26  2014 .telegram/

Looks like something changed to the best. Yet upstream bug report was closed for comments and I have no chance asking there: https://github.com/telegramdesktop/tdesktop/issues/2666 Could you try?
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-09 07:17:56 UTC
ago@wanheda ~ $ find . -type d -iname "*telegram*"
./.local/share/TelegramDesktop
ago@wanheda ~ $ ls -la ./.local/share/TelegramDesktop
total 73728
drwxr-xr-x  4 ago ago     4096 giu  9 08:53 .

ago@wanheda ~ $ su test
Password:
test@wanheda ~ $ ls -la /home/ago/.local/share/TelegramDesktop/
total 73728
drwxr-xr-x  4 ago ago     4096 giu  9 08:53 .
drwxr-xr-x 34 ago ago     4096 giu  7 10:13 ..
drwxr-xr-x  2 ago ago     4096 mag 27 18:04 fontconfig
-rw-r--r--  1 ago ago     4030 giu  9 09:15 log.txt
drwxr-xr-x  5 ago ago     4096 giu  9 08:53 tdata
-rwxr-xr-x  1 ago ago 75282056 mag 16 16:55 Telegram
-rwxr-xr-x  1 ago ago   190881 mag 16 16:55 Updater
Comment 3 Victor Gaydov 2017-10-03 10:17:26 UTC
It seems it's fixed in master[1] but not released yet.

BTW, on my system ~/.local has drwx------ permissions, so ~/.local/share/TelegramDesktop can't be accessed from another user.

[1] https://github.com/telegramdesktop/tdesktop/pull/3842
Comment 4 Henning Schild 2017-12-15 23:02:02 UTC
This was fixed upstream, the following PR drops the last affected version

https://github.com/gentoo/gentoo/pull/6562
Comment 5 Henning Schild 2017-12-15 23:25:47 UTC
To be honest i can not see the problem with the permissions on that directory. Before the upstream patch - that Agostino initiated - the directory was probably created according to "umask". It would be an issue if umask was not "0022".

But my wild guess is that Agostino has indeed "0022" and that any "mkdir" in his $HOME would result in "0755". In that case the whole CVE is pointless and i am tempted to get the upstream patch reverted. Because it now effectively violates "umask" and maybe someone actually wants to share that directory.
Comment 6 Anna Chalova 2017-12-20 21:47:43 UTC
I have Telegram 1.2.0 installed with "Telegram auto-update" disabled.
In terminal, I do:

$ stat -c '%a' ~/.local/share/TelegramDesktop
700

Don't think there's a bug really.
Comment 7 Larry the Git Cow gentoo-dev 2017-12-27 22:01:54 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50a6cce2126c700148259a473bff7a4e5a5bd5b0

commit 50a6cce2126c700148259a473bff7a4e5a5bd5b0
Author:     Henning Schild <henning@hennsch.de>
AuthorDate: 2017-12-15 22:35:30 +0000
Commit:     NP-Hardass <NP-Hardass@gentoo.org>
CommitDate: 2017-12-27 22:01:48 +0000

    net-im/telegram-desktop-bin: clean up old.
    
    Closes: https://bugs.gentoo.org/618024
    
    Signed-off-by: Henning Schild <henning@hennsch.de>

 net-im/telegram-desktop-bin/Manifest               |  3 --
 .../telegram-desktop-bin-1.1.23-r1.ebuild          | 58 ----------------------
 2 files changed, 61 deletions(-)