CVE-2022-44567: A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious url of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). To exploit the vulnerability, the internal video chat window must be disabled or a Mac App Store build must be used (internalVideoChatWindow.ts#L14). The vulnerability may be exploited by an XSS attack because the function openInternalVideoChatWindow is exposed in the Rocket.Chat-Desktop-API. No idea if we're affected.
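The defensive pattern the advisory implies, as an added example that is not Rocket.Chat-Desktop's code or its actual fix: gate every value headed for Electron's shell.openExternal() behind a scheme allowlist, so only absolute http(s) URLs can leave the app. The function names and the injected `openExternal` callback are assumptions made so the check runs without Electron present.

```javascript
// Added example (not Rocket.Chat-Desktop code): an allowlist gate in front of
// shell.openExternal(). Only absolute http(s) URLs with a host are forwarded.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns true only for input that parses as an absolute http(s) URL.
function isSafeExternalUrl(candidate) {
  let parsed;
  try {
    parsed = new URL(String(candidate));
  } catch {
    return false; // relative, empty or malformed input is rejected outright
  }
  // Rejects file:, javascript:, custom protocol handlers and host-less URLs,
  // all of which shell.openExternal() would otherwise hand to the OS.
  return ALLOWED_PROTOCOLS.has(parsed.protocol) && parsed.hostname.length > 0;
}

// Wrapper that forwards only vetted URLs to the real opener. `openExternal`
// is injected (in Electron it would be shell.openExternal) so the gate can be
// exercised and tested offline.
function openExternalSafely(candidate, openExternal) {
  if (!isSafeExternalUrl(candidate)) {
    return { opened: false, reason: 'blocked: only http(s) URLs may leave the app' };
  }
  openExternal(candidate);
  return { opened: true };
}
```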
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a494d9b3a7b969ae12e9f750907152954f0c28c

commit 8a494d9b3a7b969ae12e9f750907152954f0c28c
Author: Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2022-12-24 09:43:11 +0000
Commit: Pacho Ramos <pacho@gentoo.org>
CommitDate: 2022-12-24 09:45:38 +0000

net-im/rocketchat-desktop-bin: drop 3.8.9-r1

Bug: https://bugs.gentoo.org/888103
Signed-off-by: Pacho Ramos <pacho@gentoo.org>

net-im/rocketchat-desktop-bin/Manifest        |   1 -
.../rocketchat-desktop-bin-3.8.9-r1.ebuild    | 104 ---------------------
2 files changed, 105 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a21165687c2d6048500700e0a01259b228d54fc7

commit a21165687c2d6048500700e0a01259b228d54fc7
Author: Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2022-12-24 09:42:38 +0000
Commit: Pacho Ramos <pacho@gentoo.org>
CommitDate: 2022-12-24 09:45:38 +0000

net-im/rocketchat-desktop-bin: add 3.8.14

Bug: https://bugs.gentoo.org/888103
Signed-off-by: Pacho Ramos <pacho@gentoo.org>

net-im/rocketchat-desktop-bin/Manifest        |   1 +
.../rocketchat-desktop-bin-3.8.14.ebuild      | 101 +++++++++++++++++++++
2 files changed, 102 insertions(+)
Thanks, all done!