Summary: | <net-im/telegram-desktop{,-bin}-2.4.4: Export Telegram Data wizard vulnerability (CVE-2020-25824) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | filip ambroz <filip.ambroz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | gyakovlev, henning, np-hardass, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/soheilsamanabadi/vulnerability/blob/main/Telegram-Desktop-CVE-2020-25824 | ||
Whiteboard: | B4 [glsa+ cve] | ||
Package list: | net-im/telegram-desktop-2.4.6 amd64; media-libs/libtgvoip-2.4.4_p20201030 amd64; media-libs/tg_owt-0_pre20201030 amd64 | | |
Runtime testing required: | --- |
Bug Depends on: | 739466 | ||
Bug Blocks: | 736774 |
Description
filip ambroz
2020-10-15 13:25:36 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4364658df0ff6f92297648a32dbd28efac732e80

commit 4364658df0ff6f92297648a32dbd28efac732e80
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-26 08:00:00 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-26 08:01:28 +0000

net-im/telegram-desktop: bump to 2.4.4

webrtc is impossible to turn off for now, unfortunately.
webrtc alsa and pulseaudio will be forced on for now.
add system-rlottie useflag.

for now tg_owt bundles the following:
openh264
abseil-cpp
libsrtp
libvpx
libyuv
pffft
rnnoise
usrsctp

Bug: https://bugs.gentoo.org/736774
Bug: https://bugs.gentoo.org/749288
Closes: https://bugs.gentoo.org/739466
Closes: https://bugs.gentoo.org/707272
Package-Manager: Portage-3.0.8, Repoman-3.0.2
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

net-im/telegram-desktop/Manifest | 2 +
net-im/telegram-desktop/metadata.xml | 2 +
.../telegram-desktop/telegram-desktop-2.4.4.ebuild | 184 +++++++++++++++++++++
3 files changed, 188 insertions(+)

CVE references list the Github release for 2.4.3, but we should have already stabilized for bug 736774 so we'll go ahead and stabilize -desktop here. gyakovlev, please proceed with stabilization when ready.

Sanity check failed:
> net-im/telegram-desktop-2.4.4
> depend amd64 stable profile default/linux/amd64/17.0 (28 total)
> ~media-libs/libtgvoip-2.4.4_p20200818[alsa,pulseaudio]
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> ~media-libs/libtgvoip-2.4.4_p20200818[alsa,pulseaudio]
> rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
> ~media-libs/libtgvoip-2.4.4_p20200818[alsa,pulseaudio]
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
> ~media-libs/libtgvoip-2.4.4_p20200818[alsa,pulseaudio]
Unable to check for sanity:
> invalid package spec: media-libs/libtgvoip2.4.4_p20200818
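The two NATTkA results above come from checking the bug's Package list against the ebuild's dependency atoms: first the `~media-libs/libtgvoip-2.4.4_p20200818[alsa,pulseaudio]` dependency was reported for the stable amd64 profiles, then the spec `media-libs/libtgvoip2.4.4_p20200818` (no `-` before the version) was rejected outright. As an added illustration, not NATTkA's or Portage's own code, the Python below parses simplified Gentoo atoms, rejects that malformed spec, and shows why a `~` dependency on the `_p20200818` snapshot is not satisfied by the `_p20201030` snapshot in the final package list while a `>=` dependency would be. The `TYPO_LIST` text and the `>=` atom are constructed for the example; version ordering is simplified relative to PMS (numeric components are always compared as integers) and USE dependencies are parsed but not evaluated.

```python
"""Check a Gentoo stabilisation 'Package list' against an ebuild dependency atom.

Added illustration for this bug; not NATTkA's or Portage's own code. Atom
syntax and version ordering are simplified relative to PMS: numeric components
are compared as integers, and '*', slot and repository parts are not handled.
"""
import re

# PMS suffix order: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

VERSION_RE = r"\d+(?:\.\d+)*[a-z]?(?:_(?:alpha|beta|pre|rc|p)\d*)*(?:-r\d+)?"
ATOM_RE = re.compile(
    r"^(?P<op>>=|<=|[<>=~]?)"
    r"(?P<cat>[A-Za-z0-9_][A-Za-z0-9+_.-]*)/"
    r"(?P<pkg>[A-Za-z0-9_][A-Za-z0-9+_-]*?)"   # lazy: stop at the first '-<version>'
    rf"(?:-(?P<ver>{VERSION_RE}))?"
    r"(?:\[(?P<use>[^\]]*)\])?$"
)


def parse_atom(spec):
    """Return {'op', 'cat', 'pkg', 'ver', 'use'} or None for a malformed spec
    such as 'media-libs/libtgvoip2.4.4_p20200818' (no '-' before the version)."""
    m = ATOM_RE.match(spec.strip())
    if not m:
        return None
    atom = m.groupdict()
    atom["use"] = tuple(atom["use"].split(",")) if atom["use"] else ()
    return atom


def version_key(ver):
    """Split a version into (numbers, letter, [(suffix_rank, n)], revision)."""
    m = re.fullmatch(
        r"(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?", ver)
    nums = tuple(int(n) for n in m.group(1).split("."))
    suffixes = [(SUFFIX_RANK[s], int(n or 0))
                for s, n in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group(3))]
    return nums, m.group(2), suffixes, int(m.group(4) or 0)


def compare_versions(a, b):
    """-1, 0 or 1; a missing suffix ranks between _rc and _p, revision decides last."""
    na, la, sa, ra = version_key(a)
    nb, lb, sb, rb = version_key(b)
    if (na, la) != (nb, lb):
        return -1 if (na, la) < (nb, lb) else 1
    width = max(len(sa), len(sb))
    sa = sa + [(SUFFIX_RANK[""], 0)] * (width - len(sa))
    sb = sb + [(SUFFIX_RANK[""], 0)] * (width - len(sb))
    if sa != sb:
        return -1 if sa < sb else 1
    return (ra > rb) - (ra < rb)


def strip_revision(ver):
    return re.sub(r"-r\d+$", "", ver)


def satisfies(dep_spec, candidate_spec):
    """Does the package in candidate_spec satisfy dep_spec? USE deps such as
    [alsa,pulseaudio] are ignored; checking them needs the candidate's USE flags."""
    dep, cand = parse_atom(dep_spec), parse_atom(candidate_spec)
    if dep is None or cand is None:
        raise ValueError("malformed atom")
    if (dep["cat"], dep["pkg"]) != (cand["cat"], cand["pkg"]):
        return False
    if not dep["op"] or dep["ver"] is None:
        return True                      # unversioned dependency
    if cand["ver"] is None:
        return False
    if dep["op"] == "~":                 # same version, any revision
        return compare_versions(strip_revision(dep["ver"]), strip_revision(cand["ver"])) == 0
    c = compare_versions(cand["ver"], dep["ver"])
    return {"=": c == 0, ">=": c >= 0, ">": c > 0, "<=": c <= 0, "<": c < 0}[dep["op"]]


def check_package_list(package_list, dep_spec):
    """Return (malformed_specs, specs_satisfying_dep) for a Package list text,
    one 'atom arch...' entry per line as Bugzilla stores the field."""
    malformed, satisfying = [], []
    for line in package_list.splitlines():
        if not line.strip():
            continue
        spec = line.split()[0]           # arches follow the atom
        if parse_atom(spec) is None:
            malformed.append(spec)
        elif satisfies(dep_spec, spec):
            satisfying.append(spec)
    return malformed, satisfying


# The dependency NATTkA reported, and the package list as finally stabilised (both from the bug).
DEP_TILDE = "~media-libs/libtgvoip-2.4.4_p20200818[alsa,pulseaudio]"
FINAL_LIST = """\
net-im/telegram-desktop-2.4.6 amd64
media-libs/libtgvoip-2.4.4_p20201030 amd64
media-libs/tg_owt-0_pre20201030 amd64
"""
# Constructed list reproducing the spec NATTkA rejected.
TYPO_LIST = "net-im/telegram-desktop-2.4.4 amd64\nmedia-libs/libtgvoip2.4.4_p20200818 amd64\n"

if __name__ == "__main__":
    print(check_package_list(TYPO_LIST, DEP_TILDE))
    print(check_package_list(FINAL_LIST, DEP_TILDE))
    # Constructed '>=' atom: a newer _p snapshot satisfies it, unlike '~'.
    print(check_package_list(FINAL_LIST, ">=media-libs/libtgvoip-2.4.4_p20200818"))
```

The `~` operator is the reason a later `_p` snapshot does not help: it matches the same version with any `-rN` revision, but `_p20201030` and `_p20200818` are different versions, so the ebuild's dependency had to be bumped along with the package list rather than only the libtgvoip entry.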
updating to 2.4.5 as it has split pulse and split webrtc deps.

amd64 done

all arches done

Please cleanup, thanks!

I'd wait at least 3 days before cleanup in case of unexpected regressions as this version was a bit rushed due to this security thing.

(In reply to Georgy Yakovlev from comment #8)
> I'd wait at least 3 days before cleanup in case of unexpected regressions as
> this version was a bit rushed due to this security thing.

no problem, of course

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=398c40130021de759ec95b211689e9318c25ece9

commit 398c40130021de759ec95b211689e9318c25ece9
Author: Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-11-02 19:13:57 +0000
Commit: Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-11-02 19:14:29 +0000

net-im/telegram-desktop: security cleanup

Bug: https://bugs.gentoo.org/749288
Bug: https://bugs.gentoo.org/736774
Package-Manager: Portage-3.0.8, Repoman-3.0.2
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

net-im/telegram-desktop/Manifest | 2 -
.../telegram-desktop-2.1.13.ebuild | 145 -------------------
.../telegram-desktop-2.2.0-r1.ebuild | 153 ---------------------
3 files changed, 300 deletions(-)

Unable to check for sanity:
> no match for package: net-im/telegram-desktop-2.4.5
Unable to check for sanity:
> no match for package: net-im/telegram-desktop-2.4.6
Cleanup for both is done.

All done!

commit 4e65e44184f8eec7213588530568456fb6c6e9e0
Author: Henning Schild <henning@hennsch.de>
Date: Fri Nov 6 07:40:38 2020 +0100

net-im/telegram-desktop-bin: cleanup old

Signed-off-by: Henning Schild <henning@hennsch.de>
Closes: https://github.com/gentoo/gentoo/pull/18143
Signed-off-by: Aaron Bauman <bman@gentoo.org>

delete mode 100644 net-im/telegram-desktop-bin/telegram-desktop-bin-2.3.2.ebuild
delete mode 100644 net-im/telegram-desktop-bin/telegram-desktop-bin-2.4.0.ebuild

This issue was resolved and addressed in GLSA 202101-34 at https://security.gentoo.org/glsa/202101-34 by GLSA coordinator Aaron Bauman (b-man).