Summary: | <kde-misc/kdeconnect-20.04.3-r1: Denial of service (CVE-2020-26164) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://kde.org/info/security/advisory-20201002-1.txt | ||
Whiteboard: | B3 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- |
Description
Sam James
2020-10-03 23:42:38 UTC
"KDE Connect 20.08.2 patches several code paths that could result in a DoS. You can apply these patches on top of 20.08.1: https://invent.kde.org/network/kdeconnect-kde/-/commit/f183b5447bad47655c21af87214579f03bf3a163 https://invent.kde.org/network/kdeconnect-kde/-/commit/b279c52101d3f7cc30a26086d58de0b5f1c547fa https://invent.kde.org/network/kdeconnect-kde/-/commit/d35b88c1b25fe13715f9170f18674d476ca9acdc https://invent.kde.org/network/kdeconnect-kde/-/commit/b496e66899e5bc9547b6537a7f44ab44dd0aaf38 https://invent.kde.org/network/kdeconnect-kde/-/commit/5310eae85dbdf92fba30375238a2481f2e34943e https://invent.kde.org/network/kdeconnect-kde/-/commit/721ba9faafb79aac73973410ee1dd3624ded97a5 https://invent.kde.org/network/kdeconnect-kde/-/commit/ae58b9dec49c809b85b5404cee17946116f8a706 https://invent.kde.org/network/kdeconnect-kde/-/commit/66c768aa9e7fba30b119c8b801efd49ed1270b0a https://invent.kde.org/network/kdeconnect-kde/-/commit/85b691e40f525e22ca5cc4ebe79c361d71d7dc05 https://invent.kde.org/network/kdeconnect-kde/-/commit/48180b46552d40729a36b7431e97bbe2b5379306" I assume 20.04.x is vulnerable too based on the linked advisory. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb81637747a3a0d3cc36bd19f73250d32dfc8b6c commit bb81637747a3a0d3cc36bd19f73250d32dfc8b6c Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-10-04 08:35:47 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-10-04 15:54:07 +0000 kde-misc/kdeconnect: Fix CVE-2020-26164 See also: https://kde.org/info/security/advisory-20201002-1.txt Bug: https://bugs.gentoo.org/746401 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> ...re-SSL-errors-except-for-self-signed-cert.patch | 65 +++++++++++++ ...ot-leak-the-local-user-in-the-device-name.patch | 32 +++++++ ...fter-free-in-LanLinkProvider-connectError.patch | 28 ++++++ ...20.04.3-04-Limit-identity-packets-to-8KiB.patch | 36 ++++++++ ...lanlink-connections-stay-open-for-long-wi.patch | 37 ++++++++ ...3-06-Don-t-brute-force-reading-the-socket.patch | 102 +++++++++++++++++++++ ...r-of-connected-sockets-from-unpaired-devi.patch | 42 +++++++++ ...mber-more-than-a-few-identity-packets-at-.patch | 54 +++++++++++ ...orts-we-try-to-connect-to-to-the-port-ran.patch | 32 +++++++ ...ace-connections-for-a-given-deviceId-if-t.patch | 58 ++++++++++++ kde-misc/kdeconnect/kdeconnect-20.04.3-r1.ebuild | 98 ++++++++++++++++++++ kde-misc/kdeconnect/kdeconnect-20.08.1-r1.ebuild | 99 ++++++++++++++++++++ 12 files changed, 683 insertions(+) Thanks. Stable when ready, ofc. arm64 done amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40a1ba6db3e5a581340be31c380f670821ff5389 commit 40a1ba6db3e5a581340be31c380f670821ff5389 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2020-10-07 10:06:46 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2020-10-07 10:06:46 +0000 kde-misc/kdeconnect: Cleanup vulnerable 20.04.3 (r0) Bug: https://bugs.gentoo.org/746401 Package-Manager: Portage-3.0.8, Repoman-3.0.1 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> kde-misc/kdeconnect/kdeconnect-20.04.3.ebuild | 84 --------------------------- 1 file changed, 84 deletions(-) Unable to check for sanity:
> no match for package: kde-misc/kdeconnect-20.04.3-r1
Resetting sanity check; package list is empty or all packages are done. This issue was resolved and addressed in GLSA 202101-16 at https://security.gentoo.org/glsa/202101-16 by GLSA coordinator Aaron Bauman (b-man). |