Bug 771684 (CVE-2021-27351)

Summary:	<net-im/telegram-desktop-2.4.11: insecure session termination (CVE-2021-27351)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	esteve.varela, proxy-maint
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://0ffsecninja.github.io/Telegram:CVE-2021-2735.html
Whiteboard:	B4 [glsa+ cve]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2021-02-19 22:15:55 UTC

CVE-2021-27351:

The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.


Evidently there's not much information on this, but in any case we should
probably go ahead and stabilize 2.4.11 anyway. Please continue when ready.

Comment 1 NATTkA bot gentoo-dev

2021-02-19 22:16:56 UTC Comment hidden (obsolete)

Sanity check failed:

> net-im/telegram-desktop-2.4.11
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     ~media-libs/tg_owt-0_pre20201112[pulseaudio]
>   depend amd64 stable profile default/linux/amd64/17.1 (15 total)
>     ~media-libs/tg_owt-0_pre20201112[pulseaudio]
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     ~media-libs/tg_owt-0_pre20201112[pulseaudio]
>   rdepend amd64 stable profile default/linux/amd64/17.1 (15 total)
>     ~media-libs/tg_owt-0_pre20201112[pulseaudio]

Comment 2 NATTkA bot gentoo-dev

2021-02-28 21:00:52 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: media-libs/tg_owt-0_pre2021112

Comment 3 NATTkA bot gentoo-dev

2021-02-28 21:04:54 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 4 Sam James archtester

2021-03-25 23:46:16 UTC

amd64 done

all arches done

Comment 5 John Helmert III archtester

2021-03-25 23:48:55 UTC

Please cleanup.

Comment 6 NATTkA bot gentoo-dev

2021-03-25 23:53:09 UTC

Resetting sanity check; package list is empty or all packages are done.

Comment 7 Larry the Git Cow gentoo-dev

2021-04-23 19:06:39 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=599beaa6d3b62e8849fde028fea9b37f1a183deb

commit 599beaa6d3b62e8849fde028fea9b37f1a183deb
Author:     Esteve Varela Colominas <esteve.varela@gmail.com>
AuthorDate: 2021-04-22 16:22:00 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-23 19:05:38 +0000

    net-im/telegram-desktop: drop old
    
    Bug: https://bugs.gentoo.org/771684
    Signed-off-by: Esteve Varela Colominas <esteve.varela@gmail.com>
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 net-im/telegram-desktop/Manifest                   |   2 -
 .../telegram-desktop/files/no-webrtc-build.patch   |  96 ------------
 net-im/telegram-desktop/metadata.xml               |   2 -
 .../telegram-desktop-2.4.11.ebuild                 | 174 ---------------------
 .../telegram-desktop-2.4.7-r1.ebuild               | 173 --------------------
 5 files changed, 447 deletions(-)

Comment 8 John Helmert III archtester

2021-04-24 02:24:01 UTC

Thanks!

Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-25 20:09:37 UTC

New GLSA request filed.

Comment 10 GLSAMaker/CVETool Bot gentoo-dev

2021-05-26 08:31:08 UTC

This issue was resolved and addressed in
 GLSA 202105-07 at https://security.gentoo.org/glsa/202105-07
by GLSA coordinator Thomas Deutschmann (whissi).