Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 771684 (CVE-2021-27351) - <net-im/telegram-desktop-2.4.11: insecure session termination (CVE-2021-27351)
Summary: <net-im/telegram-desktop-2.4.11: insecure session termination (CVE-2021-27351)
Status: RESOLVED FIXED
Alias: CVE-2021-27351
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://0ffsecninja.github.io/Telegra...
Whiteboard: B4 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-19 22:15 UTC by John Helmert III
Modified: 2021-05-26 08:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-02-19 22:15:55 UTC
CVE-2021-27351:

The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.


Evidently there's not much information on this, but in any case we should
probably go ahead and stabilize 2.4.11 anyway. Please continue when ready.
Comment 1 NATTkA bot gentoo-dev 2021-02-19 22:16:56 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-02-28 21:00:52 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-02-28 21:04:54 UTC Comment hidden (obsolete)
Comment 4 Sam James archtester gentoo-dev Security 2021-03-25 23:46:16 UTC
amd64 done

all arches done
Comment 5 John Helmert III gentoo-dev Security 2021-03-25 23:48:55 UTC
Please cleanup.
Comment 6 NATTkA bot gentoo-dev 2021-03-25 23:53:09 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 7 Larry the Git Cow gentoo-dev 2021-04-23 19:06:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=599beaa6d3b62e8849fde028fea9b37f1a183deb

commit 599beaa6d3b62e8849fde028fea9b37f1a183deb
Author:     Esteve Varela Colominas <esteve.varela@gmail.com>
AuthorDate: 2021-04-22 16:22:00 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-04-23 19:05:38 +0000

    net-im/telegram-desktop: drop old
    
    Bug: https://bugs.gentoo.org/771684
    Signed-off-by: Esteve Varela Colominas <esteve.varela@gmail.com>
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 net-im/telegram-desktop/Manifest                   |   2 -
 .../telegram-desktop/files/no-webrtc-build.patch   |  96 ------------
 net-im/telegram-desktop/metadata.xml               |   2 -
 .../telegram-desktop-2.4.11.ebuild                 | 174 ---------------------
 .../telegram-desktop-2.4.7-r1.ebuild               | 173 --------------------
 5 files changed, 447 deletions(-)
Comment 8 John Helmert III gentoo-dev Security 2021-04-24 02:24:01 UTC
Thanks!
Comment 9 Thomas Deutschmann gentoo-dev Security 2021-05-25 20:09:37 UTC
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:31:08 UTC
This issue was resolved and addressed in
 GLSA 202105-07 at https://security.gentoo.org/glsa/202105-07
by GLSA coordinator Thomas Deutschmann (whissi).