Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 749288 (CVE-2020-25824) - <net-im/telegram-desktop{,-bin}-2.4.4: Export Telegram Data wizard vulnerability (CVE-2020-25824)
Summary: <net-im/telegram-desktop{,-bin}-2.4.4: Export Telegram Data wizard vulnerabil...
Status: RESOLVED FIXED
Alias: CVE-2020-25824
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/soheilsamanabadi/v...
Whiteboard: B4 [glsa+ cve]
Keywords:
Depends on: 739466
Blocks: CVE-2020-17448
  Show dependency tree
 
Reported: 2020-10-15 13:25 UTC by filip ambroz
Modified: 2021-01-27 16:14 UTC (History)
4 users (show)

See Also:
Package list:
net-im/telegram-desktop-2.4.6 amd64 media-libs/libtgvoip-2.4.4_p20201030 amd64 media-libs/tg_owt-0_pre20201030 amd64
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description filip ambroz 2020-10-15 13:25:36 UTC
Telegram Desktop through 2.4.3 does not require passcode entry upon pushing the Export key within the Export Telegram Data wizard. The threat model is a victim who has voluntarily opened Export Wizard but is then distracted. An attacker then approaches the unattended desktop and pushes the Export key. This attacker may consequently gain access to all chat conversation and media files.

Links:
https://nvd.nist.gov/vuln/detail/CVE-2020-25824

Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2020-10-26 08:03:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4364658df0ff6f92297648a32dbd28efac732e80

commit 4364658df0ff6f92297648a32dbd28efac732e80
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-10-26 08:00:00 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-10-26 08:01:28 +0000

    net-im/telegram-desktop: bump to 2.4.4
    
    webrtc is imposibble to turn off for now, unfortunately.
    webrtc alsa and pulseaudio will be forced on for now.
    add system-rlottie useflag.
    
    for now tg_owt bundles the following:
    openh264
    abseil-cpp
    libsrtp
    libvpx
    libyuv
    pffft
    rnnoise
    usrsctp
    
    Bug: https://bugs.gentoo.org/736774
    Bug: https://bugs.gentoo.org/749288
    Closes: https://bugs.gentoo.org/739466
    Closes: https://bugs.gentoo.org/707272
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 net-im/telegram-desktop/Manifest                   |   2 +
 net-im/telegram-desktop/metadata.xml               |   2 +
 .../telegram-desktop/telegram-desktop-2.4.4.ebuild | 184 +++++++++++++++++++++
 3 files changed, 188 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2020-10-29 03:27:04 UTC
CVE references list the Github release for 2.4.3, but we should have already stabilized for bug 736774 so we'll go ahead and stabilize -desktop here. 

gyakovlev, please proceed with stabilization when ready.
Comment 3 NATTkA bot gentoo-dev 2020-10-29 03:28:55 UTC
Sanity check failed:

> net-im/telegram-desktop-2.4.4
>   depend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     ~media-libs/libtgvoip-2.4.4_p20200818[alsa,pulseaudio]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     ~media-libs/libtgvoip-2.4.4_p20200818[alsa,pulseaudio]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     ~media-libs/libtgvoip-2.4.4_p20200818[alsa,pulseaudio]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (2 total)
>     ~media-libs/libtgvoip-2.4.4_p20200818[alsa,pulseaudio]
Comment 4 NATTkA bot gentoo-dev 2020-10-29 03:48:50 UTC
Unable to check for sanity:

> invalid package spec: media-libs/libtgvoip2.4.4_p20200818
Comment 5 Georgy Yakovlev gentoo-dev 2020-10-31 21:21:30 UTC
updating to 2.4.5 as it has split pulse and split webrtc deps.
Comment 6 Sam James archtester gentoo-dev Security 2020-11-01 05:30:28 UTC
amd64 done

all arches done
Comment 7 Sam James archtester gentoo-dev Security 2020-11-01 05:43:14 UTC
Please cleanup, thanks!
Comment 8 Georgy Yakovlev gentoo-dev 2020-11-01 05:45:45 UTC
I'd wait at least 3 days before cleanup in case of unexpected regressions as this version was a bit rushed due to this security thing.
Comment 9 Sam James archtester gentoo-dev Security 2020-11-01 06:59:35 UTC
(In reply to Georgy Yakovlev from comment #8)
> I'd wait at least 3 days before cleanup in case of unexpected regressions as
> this version was a bit rushed due to this security thing.

no problem, of course
Comment 10 Larry the Git Cow gentoo-dev 2020-11-02 19:14:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=398c40130021de759ec95b211689e9318c25ece9

commit 398c40130021de759ec95b211689e9318c25ece9
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2020-11-02 19:13:57 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2020-11-02 19:14:29 +0000

    net-im/telegram-desktop: security cleanup
    
    Bug: https://bugs.gentoo.org/749288
    Bug: https://bugs.gentoo.org/736774
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 net-im/telegram-desktop/Manifest                   |   2 -
 .../telegram-desktop-2.1.13.ebuild                 | 145 -------------------
 .../telegram-desktop-2.2.0-r1.ebuild               | 153 ---------------------
 3 files changed, 300 deletions(-)
Comment 11 NATTkA bot gentoo-dev 2020-11-03 09:08:55 UTC
Unable to check for sanity:

> no match for package: net-im/telegram-desktop-2.4.5
Comment 12 NATTkA bot gentoo-dev 2020-11-10 21:24:56 UTC
Unable to check for sanity:

> no match for package: net-im/telegram-desktop-2.4.6
Comment 13 John Helmert III gentoo-dev Security 2020-12-27 08:13:58 UTC
Cleanup for both is done. All done!


commit 4e65e44184f8eec7213588530568456fb6c6e9e0
Author: Henning Schild <henning@hennsch.de>
Date:   Fri Nov 6 07:40:38 2020 +0100

    net-im/telegram-desktop-bin: cleanup old

    Signed-off-by: Henning Schild <henning@hennsch.de>
    Closes: https://github.com/gentoo/gentoo/pull/18143
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 delete mode 100644 net-im/telegram-desktop-bin/telegram-desktop-bin-2.3.2.ebuild
 delete mode 100644 net-im/telegram-desktop-bin/telegram-desktop-bin-2.4.0.ebuild
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-01-27 16:14:17 UTC
This issue was resolved and addressed in
 GLSA 202101-34 at https://security.gentoo.org/glsa/202101-34
by GLSA coordinator Aaron Bauman (b-man).