Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

node-matrix-js-sdk: CVE-2022-39236 CVE-2022-39249 CVE-2022-39251

Related Vulnerabilities: CVE-2022-39236   CVE-2022-39249   CVE-2022-39251  

Source

Debian Bug report logs - #1021136
node-matrix-js-sdk: CVE-2022-39236 CVE-2022-39249 CVE-2022-39251

Package: node-matrix-js-sdk; Maintainer for node-matrix-js-sdk is Matrix Packaging Team <pkg-matrix-maintainers@lists.alioth.debian.org>; Source for node-matrix-js-sdk is src:node-matrix-js-sdk (PTS, buildd, popcon).

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Sun, 2 Oct 2022 18:09:02 UTC

Severity: grave

Tags: security, upstream

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#1021136; Package src:sox. (Sun, 02 Oct 2022 18:09:04 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Sun, 02 Oct 2022 18:09:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: sox: CVE-2022-39236 CVE-2022-39249 CVE-2022-39251
Date: Sun, 2 Oct 2022 20:04:58 +0200
Source: sox
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sox.

CVE-2022-39236[0]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Starting with version 17.1.0-rc.1, improperly formed beacon events can
| disrupt or impede the matrix-js-sdk from functioning properly,
| potentially impacting the consumer's ability to process data safely.
| Note that the matrix-js-sdk can appear to be operating normally but be
| excluding or corrupting runtime data presented to the consumer. This
| is patched in matrix-js-sdk v19.7.0. Redacting applicable events,
| waiting for the sync processor to store data, and restarting the
| client are possible workarounds. Alternatively, redacting the
| applicable events and clearing all storage will fix the further
| perceived issues. Downgrading to an unaffected version, noting that
| such a version may be subject to other vulnerabilities, will
| additionally resolve the issue.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://github.com/matrix-org/matrix-spec-proposals/pull/3488

CVE-2022-39249[1]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Prior to version 19.7.0, an attacker cooperating with a malicious
| homeserver can construct messages appearing to have come from another
| person. Such messages will be marked with a grey shield on some
| platforms, but this may be missing in others. This attack is possible
| due to the matrix-js-sdk implementing a too permissive key forwarding
| strategy on the receiving end. Starting with version 19.7.0, the
| default policy for accepting key forwards has been made more strict in
| the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys
| in response to previously issued requests and only from own, verified
| devices. The SDK now sets a `trusted` flag on the decrypted message
| upon decryption, based on whether the key used to decrypt the message
| was received from a trusted source. Clients need to ensure that
| messages decrypted with a key with `trusted = false` are decorated
| appropriately, for example, by showing a warning for such messages.
| This attack requires coordination between a malicious homeserver and
| an attacker, and those who trust your homeservers do not need a
| workaround.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://github.com/matrix-org/matrix-spec-proposals/pull/3061
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

CVE-2022-39251[2]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Prior to version 19.7.0, an attacker cooperating with a malicious
| homeserver can construct messages that legitimately appear to have
| come from another person, without any indication such as a grey
| shield. Additionally, a sophisticated attacker cooperating with a
| malicious homeserver could employ this vulnerability to perform a
| targeted attack in order to send fake to-device messages appearing to
| originate from another user. This can allow, for example, to inject
| the key backup secret during a self-verification, to make a targeted
| device start using a malicious key backup spoofed by the homeserver.
| These attacks are possible due to a protocol confusion vulnerability
| that accepts to-device messages encrypted with Megolm instead of Olm.
| Starting with version 19.7.0, matrix-js-sdk has been modified to only
| accept Olm-encrypted to-device messages. Out of caution, several other
| checks have been audited or added. This attack requires coordination
| between a malicious home server and an attacker, so those who trust
| their home servers do not need a workaround.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39236
    https://www.cve.org/CVERecord?id=CVE-2022-39236
[1] https://security-tracker.debian.org/tracker/CVE-2022-39249
    https://www.cve.org/CVERecord?id=CVE-2022-39249
[2] https://security-tracker.debian.org/tracker/CVE-2022-39251
    https://www.cve.org/CVERecord?id=CVE-2022-39251

Please adjust the affected versions in the BTS as needed.

Bug reassigned from package 'src:sox' to 'node-matrix-js-sdk'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Sun, 02 Oct 2022 18:21:02 GMT) (full text, mbox, link).

Changed Bug title to 'node-matrix-js-sdk: CVE-2022-39236 CVE-2022-39249 CVE-2022-39251' from 'sox: CVE-2022-39236 CVE-2022-39249 CVE-2022-39251'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Sun, 02 Oct 2022 18:21:05 GMT) (full text, mbox, link).

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 02 Oct 2022 18:51:20 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Oct 3 13:22:03 2022; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started