Bug 914765 (CVE-2023-41335, CVE-2023-42453)

Summary: <net-im/synapse-1.93.0: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Petr Vaněk <arkamar>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: arkamar, proxy-maint
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/33076
          https://github.com/gentoo/gentoo/pull/33279
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 916010
Bug Blocks:

Description Petr Vaněk gentoo-dev 2023-09-26 20:15:44 UTC
GHSA-4f74-84v3-j9q5 / CVE-2023-41335 - Low Severity
Temporary storage of plaintext passwords during password changes:

When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any added capabilities—it already learns the users' passwords as part of the authentication process—it does disrupt the expectation that passwords won't be stored in the database. As a result, these passwords could inadvertently be captured in database backups for a longer duration.

These temporarily stored passwords are automatically erased after a 48-hour window.


GHSA-7565-cq32-vx2x / CVE-2023-42453 - Low Severity
Improper validation of receipts allows forged read receipts:

Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the events, but simply mark them as read. This could be confusing as clients will show the event as read by the user, even if they are not in the room.
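The receipt flaw above (CVE-2023-42453) boils down to a server recording client-supplied room and event IDs without checking them. The following is an added illustration written for this bug, not Synapse's own code: a toy receipt store with the unchecked path beside a hardened path that requires the sender to be joined to the room and the event to belong to it. All room, event and user IDs are constructed sample data.

```python
from __future__ import annotations
from dataclasses import dataclass, field


class ReceiptError(Exception):
    """Raised when a read receipt fails validation."""


@dataclass
class Room:
    room_id: str
    members: set[str]   # user IDs currently joined (constructed sample data)
    events: set[str]    # event IDs that belong to this room


@dataclass
class ReceiptStore:
    rooms: dict[str, Room]
    # (room_id, event_id) -> users that have marked the event as read
    receipts: dict[tuple[str, str], set[str]] = field(default_factory=dict)

    def accept_receipt_unchecked(self, user_id: str, room_id: str, event_id: str) -> None:
        """Model of the flawed behaviour: the client-supplied IDs are stored
        as-is, so any user who knows them can mark the event as read."""
        self.receipts.setdefault((room_id, event_id), set()).add(user_id)

    def accept_receipt(self, user_id: str, room_id: str, event_id: str) -> None:
        """Hardened form: reject receipts from non-members and for events
        that are not part of the named room."""
        room = self.rooms.get(room_id)
        if room is None or user_id not in room.members:
            raise ReceiptError(f"{user_id} is not joined to {room_id}")
        if event_id not in room.events:
            raise ReceiptError(f"{event_id} is not an event in {room_id}")
        self.receipts.setdefault((room_id, event_id), set()).add(user_id)

    def read_by(self, room_id: str, event_id: str) -> set[str]:
        """What a client would render as 'read by' for this event."""
        return set(self.receipts.get((room_id, event_id), set()))


def demo() -> tuple[set[str], set[str]]:
    """Run both paths against a private room the outsider is not joined to."""
    rooms = {"!private:example.org": Room("!private:example.org",
                                          members={"@alice:example.org"},
                                          events={"$evt1"})}
    flawed, hardened = ReceiptStore(rooms=rooms), ReceiptStore(rooms=rooms)
    flawed.accept_receipt_unchecked("@outsider:example.org", "!private:example.org", "$evt1")
    try:  # the same forged receipt is refused by the hardened store
        hardened.accept_receipt("@outsider:example.org", "!private:example.org", "$evt1")
    except ReceiptError:
        pass
    hardened.accept_receipt("@alice:example.org", "!private:example.org", "$evt1")
    return flawed.read_by("!private:example.org", "$evt1"), hardened.read_by("!private:example.org", "$evt1")
```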
Comment 1 Larry the Git Cow gentoo-dev 2023-09-26 20:47:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fac914d542d409b61503fb44d4a55713632de066

commit fac914d542d409b61503fb44d4a55713632de066
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-09-26 20:39:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-26 20:44:35 +0000

    net-im/synapse: drop 1.88.0
    
    Bug: https://bugs.gentoo.org/914765
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/33076
    Signed-off-by: Sam James <sam@gentoo.org>

 net-im/synapse/Manifest              |  10 --
 net-im/synapse/synapse-1.88.0.ebuild | 210 -----------------------------------
 2 files changed, 220 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1a3c6a063d96b19d670055e4475337a400d4f3f6

commit 1a3c6a063d96b19d670055e4475337a400d4f3f6
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-09-26 20:18:53 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-26 20:44:35 +0000

    net-im/synapse: add 1.93.0
    
    Upstream has set a restriction on pillow to be >=10.0.1 due to libwebp
    CVE-2023-4863. While they mention the possibility of lowering the
    restriction to >=5.4.0 if the issue is addressed downstream (which we
    have done), it seems to be unnecessary since we already have the
    pillow-10 line stabilized.
    
    Bug: https://bugs.gentoo.org/914765
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-im/synapse/Manifest              |   5 +
 net-im/synapse/synapse-1.93.0.ebuild | 210 +++++++++++++++++++++++++++++++++++
 2 files changed, 215 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2023-10-27 02:59:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c559bb7c5683fd991d317ca697c899915619423

commit 7c559bb7c5683fd991d317ca697c899915619423
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-10-19 15:48:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-27 02:53:12 +0000

    net-im/synapse: drop 1.90.0, 1.92.2
    
    Bug: https://bugs.gentoo.org/914765
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-im/synapse/Manifest              |  14 ---
 net-im/synapse/synapse-1.90.0.ebuild | 210 -----------------------------------
 net-im/synapse/synapse-1.92.2.ebuild | 210 -----------------------------------
 3 files changed, 434 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2024-01-07 10:31:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=17e2b155a748af5cd1276229d389b4641fec18c7

commit 17e2b155a748af5cd1276229d389b4641fec18c7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-07 10:31:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-07 10:31:54 +0000

    [ GLSA 202401-12 ] Synapse: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/914765
    Bug: https://bugs.gentoo.org/916609
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-12.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)