Bug 903571 (CVE-2023-28103) - <net-im/element-desktop-bin-1.11.29: Multiple security vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2023-28103
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2023-28427
Reported: 2023-03-30 10:56 UTC by tastytea
Modified: 2023-04-30 23:56 UTC

See Also:
Package list:
Runtime testing required: ---


Description tastytea 2023-03-30 10:56:55 UTC
1.11.26 fixes 2 CVEs: <https://github.com/vector-im/element-desktop/releases/tag/v1.11.26>

See also: <https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0>

> Although we have only demonstrated a denial-of-service-style impact, we cannot
> completely rule out the possibility of a more severe impact due to the
> relatively extensive attack surface. We have therefore classified this as High
> severity and strongly recommend upgrading as a precautionary measure.
Comment 1 tastytea 2023-04-20 20:00:52 UTC
fixed in 04863433b36f012d01c712ea86b784c01734bdf9 (bumped to 1.11.29)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 23:56:27 UTC
Both prototype pollution vulnerabilities in bundled Matrix libraries. All done, thanks!