Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 736649 (CVE-2020-8189, CVE-2020-8224, CVE-2020-8227)

Summary: <net-misc/nextcloud-client-2.6.5: Multiple vulnerabilities (CVE-2020-{8189,8224,8227,8229})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: voyageur
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa+ cve]
Package list:
net-misc/nextcloud-client-2.6.5 amd64 x86
 Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-10 16:48:26 UTC 
CVE-2020-8224 (https://nextcloud.com/security/advisory/?id=NC-SA-2020-030):

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory.

CVE-2020-8229 (https://nextcloud.com/security/advisory/?id=NC-SA-2020-034):

A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system.



Maintainer, please stabilize 2.6.5 when ready.
Comment 1 Bernard Cafarelli gentoo-dev 2020-08-18 10:00:55 UTC 
2.6.5 was added on July 11 and no bug report, so it looks to go stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-08-22 05:47:05 UTC 
amd64 stable
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-23 00:39:14 UTC 
CVE-2020-8189:

A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html (including local links) when responding with invalid data on the login attempt.

CVE-2020-8227:

Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-30 01:33:31 UTC 
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 01:45:07 UTC 
Please cleanup.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-09-12 20:26:18 UTC 
Removing CVE-2020-8229 -- Windows only.

New GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-09-13 23:42:19 UTC 
This issue was resolved and addressed in
 GLSA 202009-09 at https://security.gentoo.org/glsa/202009-09
by GLSA coordinator Thomas Deutschmann (whissi).