CVE-2022-23242: TeamViewer Linux versions before 15.28 do not properly execute a deletion command for the connection password in case of a process crash. Knowledge of the crash event and the TeamViewer ID as well as either possession of the pre-crash connection password or local authenticated access to the machine would have allowed to establish a remote connection by reusing the not properly deleted connection password.

Please bump to 15.28.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05fe3e0e2a1707912510a3ef593b180e44855b11

commit 05fe3e0e2a1707912510a3ef593b180e44855b11
Author:     Martin Dummer <martin.dummer@gmx.net>
AuthorDate: 2022-03-25 16:49:40 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-03-26 13:27:32 +0000

    net-misc/teamviewer: version bump to 15.28.6

    add RDEPEND for sys-libs/glibc to avoid installation on musl profile systems

    this version should fix CVE-2022-23242 - connection password leakage after crash

    Bug: https://bugs.gentoo.org/835862
    Closes: https://bugs.gentoo.org/832558
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Martin Dummer <martin.dummer@gmx.net>
    Closes: https://github.com/gentoo/gentoo/pull/24747
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/teamviewer/Manifest                  |   4 +
 net-misc/teamviewer/teamviewer-15.28.6.ebuild | 156 ++++++++++++++++++++++++++
 2 files changed, 160 insertions(+)
Thanks, all done!