Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 746401 (CVE-2020-26164) - <kde-misc/kdeconnect-20.04.3-r1: Denial of service (CVE-2020-26164)
Summary: <kde-misc/kdeconnect-20.04.3-r1: Denial of service (CVE-2020-26164)
Status: RESOLVED FIXED
Alias: CVE-2020-26164
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://kde.org/info/security/advisor...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-03 23:42 UTC by Sam James
Modified: 2021-01-22 16:17 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-10-03 23:42:38 UTC
Description:
"An attacker on your local network could send maliciously crafted packets to other hosts running
kdeconnect on the network, causing them to use large amounts of CPU, memory or network
connections, which could be used in a Denial of Service attack within the network."
Comment 2 Larry the Git Cow gentoo-dev 2020-10-04 16:07:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bb81637747a3a0d3cc36bd19f73250d32dfc8b6c

commit bb81637747a3a0d3cc36bd19f73250d32dfc8b6c
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-04 08:35:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-04 15:54:07 +0000

    kde-misc/kdeconnect: Fix CVE-2020-26164
    
    See also: https://kde.org/info/security/advisory-20201002-1.txt
    
    Bug: https://bugs.gentoo.org/746401
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 ...re-SSL-errors-except-for-self-signed-cert.patch |  65 +++++++++++++
 ...ot-leak-the-local-user-in-the-device-name.patch |  32 +++++++
 ...fter-free-in-LanLinkProvider-connectError.patch |  28 ++++++
 ...20.04.3-04-Limit-identity-packets-to-8KiB.patch |  36 ++++++++
 ...lanlink-connections-stay-open-for-long-wi.patch |  37 ++++++++
 ...3-06-Don-t-brute-force-reading-the-socket.patch | 102 +++++++++++++++++++++
 ...r-of-connected-sockets-from-unpaired-devi.patch |  42 +++++++++
 ...mber-more-than-a-few-identity-packets-at-.patch |  54 +++++++++++
 ...orts-we-try-to-connect-to-to-the-port-ran.patch |  32 +++++++
 ...ace-connections-for-a-given-deviceId-if-t.patch |  58 ++++++++++++
 kde-misc/kdeconnect/kdeconnect-20.04.3-r1.ebuild   |  98 ++++++++++++++++++++
 kde-misc/kdeconnect/kdeconnect-20.08.1-r1.ebuild   |  99 ++++++++++++++++++++
 12 files changed, 683 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2020-10-04 16:11:50 UTC
Thanks. Stable when ready, ofc.
Comment 4 Sam James archtester gentoo-dev Security 2020-10-06 13:04:46 UTC
arm64 done
Comment 5 Agostino Sarubbo gentoo-dev 2020-10-07 06:43:32 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-10-07 07:12:46 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Larry the Git Cow gentoo-dev 2020-10-07 10:07:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=40a1ba6db3e5a581340be31c380f670821ff5389

commit 40a1ba6db3e5a581340be31c380f670821ff5389
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-07 10:06:46 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-07 10:06:46 +0000

    kde-misc/kdeconnect: Cleanup vulnerable 20.04.3 (r0)
    
    Bug: https://bugs.gentoo.org/746401
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 kde-misc/kdeconnect/kdeconnect-20.04.3.ebuild | 84 ---------------------------
 1 file changed, 84 deletions(-)
Comment 8 NATTkA bot gentoo-dev 2020-11-25 18:17:51 UTC Comment hidden (obsolete)
Comment 9 NATTkA bot gentoo-dev 2021-01-18 00:41:00 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-01-22 16:17:14 UTC
This issue was resolved and addressed in
 GLSA 202101-16 at https://security.gentoo.org/glsa/202101-16
by GLSA coordinator Aaron Bauman (b-man).