Bug 771684 (CVE-2021-27351) - <net-im/telegram-desktop-2.4.11: insecure session termination (CVE-2021-27351)
Status: RESOLVED FIXED
Alias: CVE-2021-27351
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://0ffsecninja.github.io/Telegra...
Whiteboard: B4 [glsa+ cve]
Reported: 2021-02-19 22:15 UTC by John Helmert III
Modified: 2021-05-26 08:31 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-19 22:15:55 UTC
CVE-2021-27351:

The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.


Evidently there's not much information on this, but in any case we should
probably go ahead and stabilize 2.4.11 anyway. Please continue when ready.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-03-25 23:46:16 UTC
amd64 done

all arches done
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-03-25 23:48:55 UTC
Please clean up.
Comment 6 NATTkA bot gentoo-dev 2021-03-25 23:53:09 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 7 Larry the Git Cow gentoo-dev 2021-04-23 19:06:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=599beaa6d3b62e8849fde028fea9b37f1a183deb

commit 599beaa6d3b62e8849fde028fea9b37f1a183deb
Author:     Esteve Varela Colominas <esteve.varela@gmail.com>
AuthorDate: 2021-04-22 16:22:00 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-23 19:05:38 +0000

    net-im/telegram-desktop: drop old
    
    Bug: https://bugs.gentoo.org/771684
    Signed-off-by: Esteve Varela Colominas <esteve.varela@gmail.com>
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 net-im/telegram-desktop/Manifest                   |   2 -
 .../telegram-desktop/files/no-webrtc-build.patch   |  96 ------------
 net-im/telegram-desktop/metadata.xml               |   2 -
 .../telegram-desktop-2.4.11.ebuild                 | 174 ---------------------
 .../telegram-desktop-2.4.7-r1.ebuild               | 173 --------------------
 5 files changed, 447 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-24 02:24:01 UTC
Thanks!
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-25 20:09:37 UTC
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:31:08 UTC
This issue was resolved and addressed in
 GLSA 202105-07 at https://security.gentoo.org/glsa/202105-07
by GLSA coordinator Thomas Deutschmann (whissi).