CVE-2021-32728: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to the previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading. Please bump to 3.3.0.
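The missing check the advisory describes is the pairing between the private key the client decrypts locally and the certificate the server hands it. The following is an added example, not code from the Nextcloud client or from this bug, showing that check with the openssl command line: the SubjectPublicKeyInfo extracted from the certificate must be byte-for-byte equal to the public half derived from the private key, otherwise the certificate must not be used for encryption. It assumes an `openssl` binary on PATH; the file names and the "alice"/"mallory" labels are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Nextcloud code): refuse a server-supplied certificate
# unless its public key matches the private key we actually hold.

# key_matches_cert CERT_PEM KEY_PEM
# Returns 0 when the public key inside the certificate equals the public half
# of the private key, 1 otherwise (or if either file is unreadable).
key_matches_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    cert_fp=$(openssl x509 -in "$1" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256) || return 1
    key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256) || return 1
    [ "$cert_fp" = "$key_fp" ]
}

# make_demo_material
# Constructed test data: alice's key and self-signed certificate (the genuine
# pair) and mallory's key and certificate (what a malicious server would serve).
# Prints the directory that holds them.
make_demo_material() {
    dir=$(mktemp -d)
    for who in alice mallory; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/$who.key" 2>/dev/null
        openssl req -x509 -new -key "$dir/$who.key" -subj "/CN=$who" -days 1 \
            -out "$dir/$who.crt" 2>/dev/null
    done
    printf '%s\n' "$dir"
}

# demo: the client holds alice.key; the server first serves the genuine
# certificate, then a swapped one.
demo() {
    dir=$(make_demo_material)
    if key_matches_cert "$dir/alice.crt" "$dir/alice.key"; then
        echo "alice.crt matches our private key: safe to encrypt to it"
    fi
    if key_matches_cert "$dir/mallory.crt" "$dir/alice.key"; then
        echo "mallory.crt accepted: this is the pre-3.3.0 behaviour and must not happen"
    else
        echo "mallory.crt does not match our private key: refuse it, do not encrypt"
    fi
    rm -rf "$dir"
}

demo
```

The private key is the root of trust here because it is protected by the user's mnemonic, which the server never sees; a server that swaps only the certificate therefore cannot also produce a matching private key, and the comparison catches the swap.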
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa2fce3ee3c2f60b38c962da8d4d1260039a1206

commit fa2fce3ee3c2f60b38c962da8d4d1260039a1206
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-02-14 08:54:24 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-02-14 08:54:32 +0000

    net-misc/nextcloud-client: drop vulnerable version

    Bug: https://bugs.gentoo.org/809311
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-misc/nextcloud-client/Manifest                 |  1 -
 .../nextcloud-client/nextcloud-client-3.1.3.ebuild | 89 ----------------------
 2 files changed, 90 deletions(-)
Sorry, this bug had slipped under my radar; I just found it checking open bugs for nextcloud-client. The good thing is that since the bug was opened, 3.3.6 was stabled, so the vulnerable version is now dropped.
Thanks! Minimal impact/complex to exploit so no GLSA. All done!