Bug 746401 (CVE-2020-26164)

Summary:	<kde-misc/kdeconnect-20.04.3-r1: Denial of service (CVE-2020-26164)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://kde.org/info/security/advisory-20201002-1.txt
Whiteboard:	B3 [glsa+ cve]
Package list:		Runtime testing required:	---

Description Sam James archtester

2020-10-03 23:42:38 UTC

Description:
"An attacker on your local network could send maliciously crafted packets to other hosts running
kdeconnect on the network, causing them to use large amounts of CPU, memory or network
connections, which could be used in a Denial of Service attack within the network."

Comment 1 Sam James archtester

2020-10-03 23:43:30 UTC

"KDE Connect 20.08.2 patches several code paths that could result in a DoS.
You can apply these patches on top of 20.08.1:
https://invent.kde.org/network/kdeconnect-kde/-/commit/f183b5447bad47655c21af87214579f03bf3a163
https://invent.kde.org/network/kdeconnect-kde/-/commit/b279c52101d3f7cc30a26086d58de0b5f1c547fa
https://invent.kde.org/network/kdeconnect-kde/-/commit/d35b88c1b25fe13715f9170f18674d476ca9acdc
https://invent.kde.org/network/kdeconnect-kde/-/commit/b496e66899e5bc9547b6537a7f44ab44dd0aaf38
https://invent.kde.org/network/kdeconnect-kde/-/commit/5310eae85dbdf92fba30375238a2481f2e34943e
https://invent.kde.org/network/kdeconnect-kde/-/commit/721ba9faafb79aac73973410ee1dd3624ded97a5
https://invent.kde.org/network/kdeconnect-kde/-/commit/ae58b9dec49c809b85b5404cee17946116f8a706
https://invent.kde.org/network/kdeconnect-kde/-/commit/66c768aa9e7fba30b119c8b801efd49ed1270b0a
https://invent.kde.org/network/kdeconnect-kde/-/commit/85b691e40f525e22ca5cc4ebe79c361d71d7dc05
https://invent.kde.org/network/kdeconnect-kde/-/commit/48180b46552d40729a36b7431e97bbe2b5379306"

I assume 20.04.x is vulnerable too based on the linked advisory.

Comment 2 Larry the Git Cow gentoo-dev

2020-10-04 16:07:11 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb81637747a3a0d3cc36bd19f73250d32dfc8b6c

commit bb81637747a3a0d3cc36bd19f73250d32dfc8b6c
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-04 08:35:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-04 15:54:07 +0000

    kde-misc/kdeconnect: Fix CVE-2020-26164
    
    See also: https://kde.org/info/security/advisory-20201002-1.txt
    
    Bug: https://bugs.gentoo.org/746401
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 ...re-SSL-errors-except-for-self-signed-cert.patch |  65 +++++++++++++
 ...ot-leak-the-local-user-in-the-device-name.patch |  32 +++++++
 ...fter-free-in-LanLinkProvider-connectError.patch |  28 ++++++
 ...20.04.3-04-Limit-identity-packets-to-8KiB.patch |  36 ++++++++
 ...lanlink-connections-stay-open-for-long-wi.patch |  37 ++++++++
 ...3-06-Don-t-brute-force-reading-the-socket.patch | 102 +++++++++++++++++++++
 ...r-of-connected-sockets-from-unpaired-devi.patch |  42 +++++++++
 ...mber-more-than-a-few-identity-packets-at-.patch |  54 +++++++++++
 ...orts-we-try-to-connect-to-to-the-port-ran.patch |  32 +++++++
 ...ace-connections-for-a-given-deviceId-if-t.patch |  58 ++++++++++++
 kde-misc/kdeconnect/kdeconnect-20.04.3-r1.ebuild   |  98 ++++++++++++++++++++
 kde-misc/kdeconnect/kdeconnect-20.08.1-r1.ebuild   |  99 ++++++++++++++++++++
 12 files changed, 683 insertions(+)

Comment 3 Sam James archtester

2020-10-04 16:11:50 UTC

Thanks. Stable when ready, ofc.

Comment 4 Sam James archtester

2020-10-06 13:04:46 UTC

arm64 done

Comment 5 Agostino Sarubbo gentoo-dev

2020-10-07 06:43:32 UTC

amd64 stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-10-07 07:12:46 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 7 Larry the Git Cow gentoo-dev

2020-10-07 10:07:10 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40a1ba6db3e5a581340be31c380f670821ff5389

commit 40a1ba6db3e5a581340be31c380f670821ff5389
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-07 10:06:46 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-07 10:06:46 +0000

    kde-misc/kdeconnect: Cleanup vulnerable 20.04.3 (r0)
    
    Bug: https://bugs.gentoo.org/746401
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-misc/kdeconnect/kdeconnect-20.04.3.ebuild | 84 ---------------------------
 1 file changed, 84 deletions(-)

Comment 8 NATTkA bot gentoo-dev

2020-11-25 18:17:51 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: kde-misc/kdeconnect-20.04.3-r1

Comment 9 NATTkA bot gentoo-dev

2021-01-18 00:41:00 UTC

Resetting sanity check; package list is empty or all packages are done.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2021-01-22 16:17:14 UTC

This issue was resolved and addressed in
 GLSA 202101-16 at https://security.gentoo.org/glsa/202101-16
by GLSA coordinator Aaron Bauman (b-man).