Bug 772209 (CVE-2021-23827)

Summary: app-crypt/keybase: unnecessary storage of sensitive data (CVE-2021-23827)
Product: Gentoo Security
Component: Vulnerabilities
Status: RESOLVED FIXED
Severity: trivial
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: John Helmert III <ajak>
Assignee: Gentoo Security <security>
CC: mail, nicolasbock
Keywords: PullRequest
URL: https://johnjhacking.com/blog/cve-2021-23827/
See Also: https://github.com/gentoo/gentoo/pull/26954
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-23 01:58:11 UTC
CVE-2021-23827:

Keybase Desktop Client before 5.6.0 on Windows and macOS, and before 5.6.1 on Linux, allows an attacker to obtain potentially sensitive media (such as private pictures) in the Cache and uploadtemps directories. It fails to effectively clear cached pictures, even after deletion via normal methodology within the client, or by utilizing the "Explode message/Explode now" functionality. Local filesystem access is needed by the attacker.


Fixed in 5.6.1. Please bump.
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:12:38 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2022-08-15 04:25:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c0821137568278280fc6bfee114f5924c546384

commit 4c0821137568278280fc6bfee114f5924c546384
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-15 04:25:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-15 04:25:14 +0000

    profiles: last rite app-crypt/keybase
    
    Bug: https://bugs.gentoo.org/772209
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2022-09-29 07:49:16 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa7c21416cd00b4093cdfc1348f12b0de816dd5d

commit fa7c21416cd00b4093cdfc1348f12b0de816dd5d
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-09-29 07:41:46 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-09-29 07:41:46 +0000

    app-crypt/keybase: treeclean
    
    Closes: https://bugs.gentoo.org/747811
    Closes: https://bugs.gentoo.org/844595
    Closes: https://bugs.gentoo.org/772209
    Closes: https://bugs.gentoo.org/682608
    Closes: https://bugs.gentoo.org/658676
    Closes: https://bugs.gentoo.org/667298
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 app-crypt/keybase/Manifest             |  1 -
 app-crypt/keybase/keybase-5.1.1.ebuild | 52 ----------------------------------
 app-crypt/keybase/keybase-9999.ebuild  | 52 ----------------------------------
 app-crypt/keybase/metadata.xml         | 11 -------
 profiles/package.mask                  |  5 ----
 5 files changed, 121 deletions(-)