Bug 943876 (CVE-2024-51749, CVE-2024-51750) - <net-im/element-desktop-bin-1.11.86: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2024-51749, CVE-2024-51750
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/element-hq/element...
Whiteboard: ~2 [cleanup noglsa]
Keywords: PullRequest
Reported: 2024-11-19 02:28 UTC by Christopher Fore
Modified: 2024-11-21 14:20 UTC
Description Christopher Fore 2024-11-19 02:28:31 UTC
CVE-2024-51749 (https://github.com/element-hq/element-web/security/advisories/GHSA-5486-384g-mcx2):

Versions of Element Web and Desktop earlier than 1.11.85 do not check if thumbnails for attachments, stickers and images are coherent. It is possible to add thumbnails to events that trigger a file download once clicked.

CVE-2024-51750 (https://github.com/element-hq/element-web/security/advisories/GHSA-w36j-v56h-q9pc):

A malicious homeserver can send invalid messages over federation which can prevent Element Web and Desktop from rendering single messages or the entire room containing them.


The above is fixed in 1.11.85.
Comment 1 Larry the Git Cow gentoo-dev 2024-11-21 06:13:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9a5b19588777fe7e1cf63b42e9a5c4ef7ddff9af

commit 9a5b19588777fe7e1cf63b42e9a5c4ef7ddff9af
Author:     Joe Kappus <joe@wt.gd>
AuthorDate: 2024-11-15 04:13:56 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-11-21 06:12:07 +0000

    net-im/element-desktop-bin: add 1.11.86
    
    Bug: https://bugs.gentoo.org/943876
    Signed-off-by: Joe Kappus <joe@wt.gd>
    Closes: https://github.com/gentoo/gentoo/pull/39327
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 net-im/element-desktop-bin/Manifest                |  1 +
 .../element-desktop-bin-1.11.86.ebuild             | 83 ++++++++++++++++++++++
 2 files changed, 84 insertions(+)