Bug 835862 (CVE-2022-23242) - <net-misc/teamviewer-15.28.6: connection password leakage after crash
Summary: <net-misc/teamviewer-15.28.6: connection password leakage after crash
Status: RESOLVED FIXED
Alias: CVE-2022-23242
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.teamviewer.com/en/trust-c...
Whiteboard: ~4 [noglsa]
Keywords: PullRequest
Reported: 2022-03-23 18:28 UTC by John Helmert III
Modified: 2022-03-26 21:34 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-23 18:28:10 UTC
CVE-2022-23242:

TeamViewer Linux versions before 15.28 do not properly execute a deletion command for the connection password in case of a process crash. Knowledge of the crash event and the TeamViewer ID as well as either possession of the pre-crash connection password or local authenticated access to the machine would have allowed to establish a remote connection by reusing the not properly deleted connection password.

Please bump to 15.28.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-26 13:54:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05fe3e0e2a1707912510a3ef593b180e44855b11

commit 05fe3e0e2a1707912510a3ef593b180e44855b11
Author:     Martin Dummer <martin.dummer@gmx.net>
AuthorDate: 2022-03-25 16:49:40 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-03-26 13:27:32 +0000

    net-misc/teamviewer: version bump to 15.28.6
    
    add RDEPEND for sys-libs/glibc to avoid installation on musl profile
    systems
    this version should fix CVE-2022-23242 - connection password leakage after crash
    
    Bug: https://bugs.gentoo.org/835862
    Closes: https://bugs.gentoo.org/832558
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Martin Dummer <martin.dummer@gmx.net>
    Closes: https://github.com/gentoo/gentoo/pull/24747
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/teamviewer/Manifest                  |   4 +
 net-misc/teamviewer/teamviewer-15.28.6.ebuild | 156 ++++++++++++++++++++++++++
 2 files changed, 160 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-26 21:34:42 UTC
Thanks, all done!