Bug 744199 (CVE-2020-24619) - <media-video/shotcut-20.10.31: Fails to validate TLS certificates (CVE-2020-24619)
Summary: <media-video/shotcut-20.10.31: Fails to validate TLS certificates (CVE-2020-2...
Status: RESOLVED FIXED
Alias: CVE-2020-24619
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://shotcut.org/blog/new-release-...
Whiteboard: ~3 [ebuild cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-23 03:21 UTC by Sam James
Modified: 2020-11-23 16:13 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-23 03:21:59 UTC
Description:
"In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check misuses TLS because of setPeerVerifyMode(QSslSocket::VerifyNone). A man-in-the-middle attacker could offer a spoofed download resource."

Patch: https://github.com/mltframework/shotcut/commit/f008adc039642307f6ee3378d378cdb842e52c1d
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-23 03:22:32 UTC
Please bump to 20.09.13.
Comment 2 Larry the Git Cow gentoo-dev 2020-10-23 16:15:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=97213464378a284b250c6e0c1b1b956d1e79b4fd

commit 97213464378a284b250c6e0c1b1b956d1e79b4fd
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-23 16:12:55 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-23 16:12:55 +0000

    profiles: Mask media-libs/webvfx, media-video/shotcut for removal
    
    Bug: https://bugs.gentoo.org/688850
    Bug: https://bugs.gentoo.org/744199
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 profiles/package.mask | 6 ++++++
 1 file changed, 6 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2020-11-21 23:06:06 UTC
Vulnerable version was dropped in commit fec56e0dfda7b516cc06a5e395ce72f77a125697.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 16:13:56 UTC
(In reply to Andreas Sturmlechner from comment #3)
> Vulnerable version was dropped in commit
> fec56e0dfda7b516cc06a5e395ce72f77a125697.

Thanks! Closing.