802537 – (CVE-2021-36769) <net-im/telegram-desktop{-bin,}-2.8.10: message reordering vulnerability (CVE-2021-36769)

Bug 802537 (CVE-2021-36769) - <net-im/telegram-desktop{-bin,}-2.8.10: message reordering vulnerability (CVE-2021-36769)

Summary: <net-im/telegram-desktop{-bin,}-2.8.10: message reordering vulnerability (CVE...

Status:	RESOLVED FIXED

Alias:	CVE-2021-36769

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://mtpsym.github.io
Whiteboard:	B4 [noglsa]
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2021-07-17 05:18 UTC by John Helmert III
Modified:	2021-08-06 21:57 UTC (History)
CC List:	6 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/21891
Package list:	net-im/telegram-desktop-2.8.11 media-libs/libtgvoip-2.4.4_p20210302-r2 media-libs/rnnoise-0.4.1_p20210122 media-libs/tg_owt-0_pre20210626
Runtime testing required:	---

Flags:	nattka: sanity-check-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-07-17 05:18:15 UTC

CVE-2021-36769:

A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent a client.


Please bump.

Comment 1 Esteve Varela Colominas 2021-07-19 01:59:55 UTC

net-im/telegram-desktop-2.8.10 is available in testing, but is currently affected by a hard to reproduce build-time bug, that I've confirmed affects more than one user. Additionally, 2.8.11 has been released as an unrelated bugfix and upstream is still doing their post-2.8.8 minor bugfix song and dance for this release so we might get more minor bumps in the coming days.

Unless you absolutely must, please give it a day or two. The new release is uncomfortably fresh.

Comment 2 Esteve Varela Colominas 2021-07-20 13:14:38 UTC

Alright, net-im/telegram-desktop-2.8.11 was bumped and the build bug was fixed, and upstream seems to be done with the minor bumps.

I'm not sure how the stabilization process works with security issues like this, but I'm confident enough this new release doesn't have any major issues so feel free to bump whenever.

Comment 3 John Helmert III archtester

2021-07-20 22:19:50 UTC

(In reply to Esteve Varela Colominas from comment #2)
> Alright, net-im/telegram-desktop-2.8.11 was bumped and the build bug was
> fixed, and upstream seems to be done with the minor bumps.
> 
> I'm not sure how the stabilization process works with security issues like
> this, but I'm confident enough this new release doesn't have any major
> issues so feel free to bump whenever.

Thanks!

Ping -bin maintainers.

Comment 4 NATTkA bot gentoo-dev

2021-07-20 22:24:21 UTC Comment hidden (obsolete)

Sanity check failed:

> net-im/telegram-desktop-2.8.11
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (2 total)
>     >=media-libs/libtgvoip-2.4.4_p20210302-r2
>     media-libs/rnnoise
>     ~media-libs/tg_owt-0_pre20210626
>   depend amd64 stable profile default/linux/amd64/17.1 (15 total)
>     >=media-libs/libtgvoip-2.4.4_p20210302-r2
>     media-libs/rnnoise
>     ~media-libs/tg_owt-0_pre20210626
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (2 total)
>     >=media-libs/libtgvoip-2.4.4_p20210302-r2
>     media-libs/rnnoise
>     ~media-libs/tg_owt-0_pre20210626
>   rdepend amd64 stable profile default/linux/amd64/17.1 (15 total)
>     >=media-libs/libtgvoip-2.4.4_p20210302-r2
>     media-libs/rnnoise
>     ~media-libs/tg_owt-0_pre20210626

Comment 5 Reva Denis 2021-08-02 09:52:34 UTC

May be 2.9.0 version resolves the build-time bug?

Comment 6 Esteve Varela Colominas 2021-08-02 11:32:50 UTC

2.9.0 doesn't, but it's been solved as a patch in gentoo. I'm waiting for 2.9.1 to release before bumping the package, but that's unrelated to this security issue.

Comment 7 Henning Schild 2021-08-03 07:49:15 UTC

-bin is currently available as 2.8.10 and 2.9.0, so i guess not affected anymore anyways.

Comment 8 Ilia Durov 2021-08-03 14:10:11 UTC

emerge --info:
https://pastebin.com/FmuyBUne

Comment 9 Ilia Durov 2021-08-03 14:17:18 UTC

Maybe related bug:
https://bugs.gentoo.org/806292

Comment 10 Agostino Sarubbo gentoo-dev

2021-08-04 06:39:17 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 11 Larry the Git Cow gentoo-dev

2021-08-04 08:31:26 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40623472719594cde893870e7199dd5175e8d2ca

commit 40623472719594cde893870e7199dd5175e8d2ca
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-08-04 08:29:45 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-08-04 08:30:16 +0000

    net-im/telegram-desktop: revbump 2.8.11 to propogate patches/changes
    
    Bug: https://bugs.gentoo.org/802537
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../{telegram-desktop-2.8.11.ebuild => telegram-desktop-2.8.11-r1.ebuild} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)

Comment 12 NATTkA bot gentoo-dev

2021-08-04 08:36:25 UTC

Unable to check for sanity:

> no match for package: net-im/telegram-desktop-2.8.11

Comment 13 Larry the Git Cow gentoo-dev

2021-08-05 16:42:36 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cbb8b0398ed27aa780f0b60911582926d40092e

commit 6cbb8b0398ed27aa780f0b60911582926d40092e
Author:     Esteve Varela Colominas <esteve.varela@gmail.com>
AuthorDate: 2021-08-05 10:24:30 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-08-05 16:42:10 +0000

    net-im/telegram-desktop: Drop vulnerable versions
    
    Security bump was already a bit late, it's had long enough to cook.
    
    Bug: https://bugs.gentoo.org/802537
    Signed-off-by: Esteve Varela Colominas <esteve.varela@gmail.com>
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 net-im/telegram-desktop/Manifest                   |   1 -
 .../tdesktop-2.7.3-webview-include-gdkx.patch      |  10 -
 .../tdesktop-2.7.4-disable-webkit-separately.patch |  72 ------
 ...esktop-2.7.4-fix-disable-dbus-integration.patch |  21 --
 .../files/tdesktop-2.7.4-voice-crash.patch         | 262 ---------------------
 .../files/tdesktop-2.7.4-voice-ffmpeg44.patch      |  25 --
 .../files/tdesktop-2.7.4-webview-fix-gcc11.patch   |  31 ---
 .../telegram-desktop-2.7.4-r1.ebuild               | 146 ------------
 8 files changed, 568 deletions(-)

Comment 14 Georgy Yakovlev archtester

2021-08-05 16:42:57 UTC

cleanup done

Comment 15 John Helmert III archtester

2021-08-06 21:57:50 UTC

Thanks all. Minimal impact so no GLSA. All done!