Details at $URL. @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Agostino, could you check this bug in 1.1.2 (could be installed just copying ebuild with a required version). I don't have .TelegramDesktop folder any more and .telegram has sane permissions: peter@i7 ~ $ ls -dalh .telegram/ drwx------ 3 peter peter 4.0K мар 26 2014 .telegram/ Looks like something changed to the best. Yet upstream bug report was closed for comments and I have no chance asking there: https://github.com/telegramdesktop/tdesktop/issues/2666 Could you try?
ago@wanheda ~ $ find . -type d -iname "*telegram*" ./.local/share/TelegramDesktop ago@wanheda ~ $ ls -la ./.local/share/TelegramDesktop total 73728 drwxr-xr-x 4 ago ago 4096 giu 9 08:53 . ago@wanheda ~ $ su test Password: test@wanheda ~ $ ls -la /home/ago/.local/share/TelegramDesktop/ total 73728 drwxr-xr-x 4 ago ago 4096 giu 9 08:53 . drwxr-xr-x 34 ago ago 4096 giu 7 10:13 .. drwxr-xr-x 2 ago ago 4096 mag 27 18:04 fontconfig -rw-r--r-- 1 ago ago 4030 giu 9 09:15 log.txt drwxr-xr-x 5 ago ago 4096 giu 9 08:53 tdata -rwxr-xr-x 1 ago ago 75282056 mag 16 16:55 Telegram -rwxr-xr-x 1 ago ago 190881 mag 16 16:55 Updater
It seems it's fixed in master[1] but not released yet. BTW, on my system ~/.local has drwx------ permissions, so ~/.local/share/TelegramDesktop can't be accessed from another user. [1] https://github.com/telegramdesktop/tdesktop/pull/3842
This was fixed upstream, the following PR drops the last affected version https://github.com/gentoo/gentoo/pull/6562
To be honest i can not see the problem with the permissions on that directory. Before the upstream patch - that Agostino initiated - the directory was probably created according to "umask". It would be an issue if umask was not "0022". But my wild guess is that Agostino has indeed "0022" and that any "mkdir" in his $HOME would result in "0755". In that case the whole CVE is pointless and i am tempted to get the upstream patch reverted. Because it now effectively violates "umask" and maybe someone actually wants to share that directory.
I have Telegram 1.2.0 installed with "Telegram auto-update" disabled. In terminal, I do: $ stat -c '%a' ~/.local/share/TelegramDesktop 700 Don't think there's a bug really.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=50a6cce2126c700148259a473bff7a4e5a5bd5b0 commit 50a6cce2126c700148259a473bff7a4e5a5bd5b0 Author: Henning Schild <henning@hennsch.de> AuthorDate: 2017-12-15 22:35:30 +0000 Commit: NP-Hardass <NP-Hardass@gentoo.org> CommitDate: 2017-12-27 22:01:48 +0000 net-im/telegram-desktop-bin: clean up old. Closes: https://bugs.gentoo.org/618024 Signed-off-by: Henning Schild <henning@hennsch.de> net-im/telegram-desktop-bin/Manifest | 3 -- .../telegram-desktop-bin-1.1.23-r1.ebuild | 58 ---------------------- 2 files changed, 61 deletions(-)