Bug 809311 (CVE-2021-32728) - <net-misc/nextcloud-client-3.3.4: lacking SSL certificate validation (CVE-2021-32728)
Status: RESOLVED FIXED
Alias: CVE-2021-32728
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/nextcloud/security...
Whiteboard: B4 [noglsa]
Reported: 2021-08-21 02:19 UTC by John Helmert III
Modified: 2022-02-15 14:41 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-21 02:19:30 UTC
CVE-2021-32728:

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop Client fails to check whether a private key belongs to the previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.

Please bump to 3.3.0.
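The missing check the CVE text describes, as an added Go example that is not code from the Nextcloud client or from this bug: given a private key and an X.509 certificate obtained separately, confirm that the private key actually belongs to the certificate's public key before using it. The key pair, the certificate and the unrelated second key are all constructed inline for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyMatchesCert reports whether priv is the private half of the public key in
// cert. A client that fetches both from a server must check this before use.
func keyMatchesCert(priv *rsa.PrivateKey, cert *x509.Certificate) bool {
	certPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false // not an RSA certificate: reject rather than guess
	}
	return priv.PublicKey.Equal(certPub)
}

// selfSignedCert builds a short-lived certificate for pub (test material only).
func selfSignedCert(pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-user"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed material: the user's real pair, plus an unrelated key standing
	// in for a private key that does not belong to the served certificate.
	legit, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	cert, err := selfSignedCert(&legit.PublicKey, legit)
	if err != nil {
		panic(err)
	}
	fmt.Println("matching key accepted:", keyMatchesCert(legit, cert))  // true
	fmt.Println("unrelated key accepted:", keyMatchesCert(other, cert)) // false
}
```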
Comment 1 Larry the Git Cow gentoo-dev 2022-02-14 08:54:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa2fce3ee3c2f60b38c962da8d4d1260039a1206

commit fa2fce3ee3c2f60b38c962da8d4d1260039a1206
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2022-02-14 08:54:24 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2022-02-14 08:54:32 +0000

    net-misc/nextcloud-client: drop vulnerable version
    
    Bug: https://bugs.gentoo.org/809311
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 net-misc/nextcloud-client/Manifest                 |  1 -
 .../nextcloud-client/nextcloud-client-3.1.3.ebuild | 89 ----------------------
 2 files changed, 90 deletions(-)
Comment 2 Bernard Cafarelli gentoo-dev 2022-02-14 08:56:13 UTC
Sorry, this bug had slipped under my radar; I just found it while checking open bugs for nextcloud-client.

The good thing is that since the bug was opened, 3.3.6 was stabilized, so the vulnerable version is now dropped.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-15 14:41:44 UTC
Thanks! Minimal impact/complex to exploit so no GLSA. All done!