Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 802537 (CVE-2021-36769) - <net-im/telegram-desktop{-bin,}-2.8.10: message reordering vulnerability (CVE-2021-36769)
Summary: <net-im/telegram-desktop{-bin,}-2.8.10: message reordering vulnerability (CVE...
Status: RESOLVED FIXED
Alias: CVE-2021-36769
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://mtpsym.github.io
Whiteboard: B4 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-07-17 05:18 UTC by John Helmert III
Modified: 2021-08-06 21:57 UTC (History)
6 users (show)

See Also:
Package list:
net-im/telegram-desktop-2.8.11 media-libs/libtgvoip-2.4.4_p20210302-r2  media-libs/rnnoise-0.4.1_p20210122 media-libs/tg_owt-0_pre20210626
Runtime testing required: ---
nattka: sanity-check-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-17 05:18:15 UTC 
CVE-2021-36769:

A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent a client.


Please bump.
Comment 1 Esteve Varela Colominas 2021-07-19 01:59:55 UTC 
net-im/telegram-desktop-2.8.10 is available in testing, but is currently affected by a hard to reproduce build-time bug, that I've confirmed affects more than one user. Additionally, 2.8.11 has been released as an unrelated bugfix and upstream is still doing their post-2.8.8 minor bugfix song and dance for this release so we might get more minor bumps in the coming days.

Unless you absolutely must, please give it a day or two. The new release is uncomfortably fresh.
Comment 2 Esteve Varela Colominas 2021-07-20 13:14:38 UTC 
Alright, net-im/telegram-desktop-2.8.11 was bumped and the build bug was fixed, and upstream seems to be done with the minor bumps.

I'm not sure how the stabilization process works with security issues like this, but I'm confident enough this new release doesn't have any major issues so feel free to bump whenever.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-20 22:19:50 UTC 
(In reply to Esteve Varela Colominas from comment #2)
> Alright, net-im/telegram-desktop-2.8.11 was bumped and the build bug was
> fixed, and upstream seems to be done with the minor bumps.
> 
> I'm not sure how the stabilization process works with security issues like
> this, but I'm confident enough this new release doesn't have any major
> issues so feel free to bump whenever.

Thanks!

Ping -bin maintainers.
Comment 4 NATTkA bot gentoo-dev 2021-07-20 22:24:21 UTC Comment hidden (obsolete)
Comment 5 Reva Denis 2021-08-02 09:52:34 UTC 
May be 2.9.0 version resolves the build-time bug?
Comment 6 Esteve Varela Colominas 2021-08-02 11:32:50 UTC 
2.9.0 doesn't, but it's been solved as a patch in gentoo. I'm waiting for 2.9.1 to release before bumping the package, but that's unrelated to this security issue.
Comment 7 Henning Schild 2021-08-03 07:49:15 UTC 
-bin is currently available as 2.8.10 and 2.9.0, so i guess not affected anymore anyways.
Comment 8 Ilia Durov 2021-08-03 14:10:11 UTC 
emerge --info:
https://pastebin.com/FmuyBUne
Comment 9 Ilia Durov 2021-08-03 14:17:18 UTC 
Maybe related bug:
https://bugs.gentoo.org/806292
Comment 10 Agostino Sarubbo gentoo-dev 2021-08-04 06:39:17 UTC 
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Larry the Git Cow gentoo-dev 2021-08-04 08:31:26 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40623472719594cde893870e7199dd5175e8d2ca

commit 40623472719594cde893870e7199dd5175e8d2ca
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-08-04 08:29:45 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-08-04 08:30:16 +0000

    net-im/telegram-desktop: revbump 2.8.11 to propogate patches/changes
    
    Bug: https://bugs.gentoo.org/802537
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 .../{telegram-desktop-2.8.11.ebuild => telegram-desktop-2.8.11-r1.ebuild} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
Comment 12 NATTkA bot gentoo-dev 2021-08-04 08:36:25 UTC 
Unable to check for sanity:

> no match for package: net-im/telegram-desktop-2.8.11
Comment 13 Larry the Git Cow gentoo-dev 2021-08-05 16:42:36 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cbb8b0398ed27aa780f0b60911582926d40092e

commit 6cbb8b0398ed27aa780f0b60911582926d40092e
Author:     Esteve Varela Colominas <esteve.varela@gmail.com>
AuthorDate: 2021-08-05 10:24:30 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-08-05 16:42:10 +0000

    net-im/telegram-desktop: Drop vulnerable versions
    
    Security bump was already a bit late, it's had long enough to cook.
    
    Bug: https://bugs.gentoo.org/802537
    Signed-off-by: Esteve Varela Colominas <esteve.varela@gmail.com>
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 net-im/telegram-desktop/Manifest                   |   1 -
 .../tdesktop-2.7.3-webview-include-gdkx.patch      |  10 -
 .../tdesktop-2.7.4-disable-webkit-separately.patch |  72 ------
 ...esktop-2.7.4-fix-disable-dbus-integration.patch |  21 --
 .../files/tdesktop-2.7.4-voice-crash.patch         | 262 ---------------------
 .../files/tdesktop-2.7.4-voice-ffmpeg44.patch      |  25 --
 .../files/tdesktop-2.7.4-webview-fix-gcc11.patch   |  31 ---
 .../telegram-desktop-2.7.4-r1.ebuild               | 146 ------------
 8 files changed, 568 deletions(-)
Comment 14 Georgy Yakovlev archtester gentoo-dev 2021-08-05 16:42:57 UTC 
cleanup done
Comment 15 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-06 21:57:50 UTC 
Thanks all. Minimal impact so no GLSA. All done!