Bug 736649 (CVE-2020-8189, CVE-2020-8224, CVE-2020-8227) - <net-misc/nextcloud-client-2.6.5: Multiple vulnerabilities (CVE-2020-{8189,8224,8227,8229})
Summary: <net-misc/nextcloud-client-2.6.5: Multiple vulnerabilities (CVE-2020-{8189,82...
Status: RESOLVED FIXED
Alias: CVE-2020-8189, CVE-2020-8224, CVE-2020-8227
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Reported: 2020-08-10 16:48 UTC by John Helmert III (ajak)
Modified: 2020-09-13 23:42 UTC

Package list:
net-misc/nextcloud-client-2.6.5 amd64 x86
Runtime testing required: ---
nattka: sanity-check+
Description John Helmert III (ajak) 2020-08-10 16:48:26 UTC
CVE-2020-8224 (https://nextcloud.com/security/advisory/?id=NC-SA-2020-030):

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory.

CVE-2020-8229 (https://nextcloud.com/security/advisory/?id=NC-SA-2020-034):

A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system.

Maintainer, please stabilize 2.6.5 when ready.
Comment 1 Bernard Cafarelli gentoo-dev 2020-08-18 10:00:55 UTC
2.6.5 was added on July 11 and there has been no bug report, so it looks good to go stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-08-22 05:47:05 UTC
amd64 stable
Comment 3 John Helmert III (ajak) 2020-08-23 00:39:14 UTC
CVE-2020-8189:

A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html (including local links) when responding with invalid data on the login attempt.

CVE-2020-8227:

Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory.
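The CVE-2020-8227 entry above describes a server response steering the client into writing outside its sync directory. The following is an added example, not Nextcloud's code, of the containment check a client should apply to every server-supplied path before touching the filesystem; the sync root and the sample listing are constructed assumptions.

```python
from pathlib import Path, PurePosixPath
from typing import List, Optional, Tuple

def safe_sync_target(sync_root: str, server_path: str) -> Optional[Path]:
    """Map a server-supplied relative path onto the local sync root.

    Returns the absolute destination, or None if the path must be rejected.
    The server is untrusted input here, so the policy is strict: any '..'
    component is refused even if the path would net out inside the root.
    """
    root = Path(sync_root).resolve()
    if "\x00" in server_path:           # NUL would truncate the path in C APIs
        return None
    rel = PurePosixPath(server_path)    # server speaks POSIX-style paths
    if rel.is_absolute():               # "/etc/..." must never be honoured
        return None
    if not rel.parts:                   # "" or "." would name the root itself
        return None
    if any(part == ".." for part in rel.parts):
        return None
    # Resolve to follow any symlink that already exists under the sync root,
    # then require the final location to still sit below the root.
    candidate = (root / Path(*rel.parts)).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate

def partition_server_listing(sync_root: str,
                             server_paths: List[str]) -> Tuple[List[str], List[str]]:
    """Split a server listing into paths safe to sync and paths to refuse."""
    accepted: List[str] = []
    rejected: List[str] = []
    for p in server_paths:
        (accepted if safe_sync_target(sync_root, p) is not None else rejected).append(p)
    return accepted, rejected

# Constructed sample: what a malicious server might return alongside real entries.
SAMPLE_ROOT = "/tmp/nc-sync-example"   # assumed sync directory, need not exist
SAMPLE_LISTING = [
    "Documents/report.txt",
    "Photos/2020/holiday.jpg",
    "../.ssh/authorized_keys",          # escapes the root via '..'
    "/etc/cron.d/evil",                 # absolute path
    "Notes/../../.bashrc",              # nets out above the root
]

if __name__ == "__main__":
    ok, bad = partition_server_listing(SAMPLE_ROOT, SAMPLE_LISTING)
    print("sync:", ok)
    print("refuse:", bad)
```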
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-08-30 01:33:31 UTC
x86 stable
Comment 5 Sam James gentoo-dev Security 2020-08-30 01:45:07 UTC
Please clean up.
Comment 6 Thomas Deutschmann gentoo-dev Security 2020-09-12 20:26:18 UTC
Removing CVE-2020-8229 -- Windows only.

New GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-09-13 23:42:19 UTC
This issue was resolved and addressed in GLSA 202009-09 at https://security.gentoo.org/glsa/202009-09 by GLSA coordinator Thomas Deutschmann (whissi).