
Bug 835862 (CVE-2022-23242)

Summary: <net-misc/teamviewer-15.28.6: connection password leakage after crash
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: martin.dummer, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.teamviewer.com/en/trust-center/security-bulletins/TV-2022-1001/
See Also: https://github.com/gentoo/gentoo/pull/24747
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-23 18:28:10 UTC
CVE-2022-23242:

TeamViewer Linux versions before 15.28 do not properly execute a deletion command for the connection password in case of a process crash. Knowledge of the crash event and the TeamViewer ID as well as either possession of the pre-crash connection password or local authenticated access to the machine would have allowed to establish a remote connection by reusing the not properly deleted connection password.

Please bump to 15.28.

Comment 1 Larry the Git Cow gentoo-dev 2022-03-26 13:54:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05fe3e0e2a1707912510a3ef593b180e44855b11

commit 05fe3e0e2a1707912510a3ef593b180e44855b11
Author:     Martin Dummer <martin.dummer@gmx.net>
AuthorDate: 2022-03-25 16:49:40 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-03-26 13:27:32 +0000

    net-misc/teamviewer: version bump to 15.28.6
    
    add RDEPEND for sys-libs/glibc to avoid installation on musl profile
    systems
    this version should fix CVE-2022-23242 - connection password leakage after crash
    
    Bug: https://bugs.gentoo.org/835862
    Closes: https://bugs.gentoo.org/832558
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Martin Dummer <martin.dummer@gmx.net>
    Closes: https://github.com/gentoo/gentoo/pull/24747
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-misc/teamviewer/Manifest                  |   4 +
 net-misc/teamviewer/teamviewer-15.28.6.ebuild | 156 ++++++++++++++++++++++++++
 2 files changed, 160 insertions(+)

Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-26 21:34:42 UTC
Thanks, all done!