Debian Bug report logs - #927711
CVE-2019-10044


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 21 Apr 2019 20:21:02 UTC

Severity: important

Tags: fixed-upstream, security

Found in version telegram-desktop/1.5.11-1



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Nicholas Guriev <guriev-ns@ya.ru>:
Bug#927711; Package telegram-desktop. (Sun, 21 Apr 2019 20:21:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Nicholas Guriev <guriev-ns@ya.ru>. (Sun, 21 Apr 2019 20:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2019-10044
Date: Sun, 21 Apr 2019 22:18:12 +0200
Package: telegram-desktop
Severity: grave
Tags: security

This was assigned CVE-2019-10044 and is claimed to be fixed in 1.5.12:
https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt

Cheers,
        Moritz



Severity set to 'important' from 'grave'. Request was from Mattia Rizzolo <mattia@mapreri.org> to control@bugs.debian.org. (Sun, 21 Apr 2019 21:21:02 GMT)


Added tag(s) fixed-upstream. Request was from Mattia Rizzolo <mattia@mapreri.org> to control@bugs.debian.org. (Sun, 21 Apr 2019 21:21:03 GMT)


Marked as found in versions telegram-desktop/1.5.11-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 22 Apr 2019 07:12:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Nicholas Guriev <guriev-ns@ya.ru>:
Bug#927711; Package telegram-desktop. (Thu, 09 May 2019 20:45:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Nicholas Guriev <guriev-ns@ya.ru>. (Thu, 09 May 2019 20:45:03 GMT)


Message #16 received at 927711@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 927711@bugs.debian.org
Subject: Re: CVE-2019-10044
Date: Thu, 9 May 2019 22:42:08 +0200
On Sun, Apr 21, 2019 at 10:18:12PM +0200, Moritz Muehlenhoff wrote:
> Package: telegram-desktop
> Severity: grave
> Tags: security
> 
> This was assigned CVE-2019-10044 and is claimed to be fixed in 1.5.12:
> https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt

What's the status? Has upstream been contacted for an isolated fix, are
you planning to address this for buster?

Cheers,
       Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Nicholas Guriev <guriev-ns@ya.ru>:
Bug#927711; Package telegram-desktop. (Sat, 11 May 2019 14:48:02 GMT)


Acknowledgement sent to Коля Гурьев <guriev-ns@ya.ru>:
Extra info received and forwarded to list. Copy sent to Nicholas Guriev <guriev-ns@ya.ru>. (Sat, 11 May 2019 14:48:03 GMT)


Message #21 received at 927711@bugs.debian.org:

From: Коля Гурьев <guriev-ns@ya.ru>
To: Moritz Mühlenhoff <jmm@inutil.org>, 927711@bugs.debian.org
Subject: Re: Bug#927711: CVE-2019-10044
Date: Sat, 11 May 2019 17:38:50 +0300
Hi,

09.05.2019 23:42, Moritz Mühlenhoff writes:
> What's the status? Has upstream been contacted for an isolated fix, are
> you planning to address this for buster?


As John Preston said, there was no special fix for the issue in 1.5.12.
It is a mistake that this version is considered to contain the fix.
And as far as I can see, Telegram Desktop has no fix for this CVE yet.

At least some code[1] in HistoryWebPage checks for hidden URLs. But it
does not always work properly. For example, it shows a confirmation
for https://www.аррӏе.com/ (https://www.xn--80ak6aa92e.com/) but not
for http://blаzeinfosec.com (http://xn--blzeinfosec-zij.com).

 [1]: https://sources.debian.org/src/telegram-desktop/1.5.11-1/Telegram/SourceFiles/history/media/history_media_web_page.cpp/#L133
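Added example, not code from the bug report or from Telegram Desktop: a small Python check that renders the two hosts quoted in the message above in their xn-- form and contrasts two warning policies. A per-label mixed-script test flags only the second host (one Cyrillic letter among Latin ones); prompting whenever the displayed host differs from its ASCII-compatible form flags both. The sample hosts are constructed from the letters quoted in the message.

```python
import unicodedata

# Constructed sample hosts matching the two URLs quoted in the bug report.
# Cyrillic letters are written as escapes so they are visible in source:
# U+0430 = а, U+0440 = р, U+04CF = ӏ (palochka), U+0435 = е
APPLE_LOOKALIKE = "www.\u0430\u0440\u0440\u04cf\u0435.com"  # whole label Cyrillic
BLAZE_LOOKALIKE = "bl\u0430zeinfosec.com"                   # one Cyrillic letter


def to_ace(host: str) -> str:
    """Render a host in its ASCII-compatible (xn--) form, label by label."""
    out = []
    for label in host.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def scripts_of(label: str) -> set:
    """Heuristic set of scripts used in a label, e.g. {'LATIN', 'CYRILLIC'}.
    The script is taken from the first word of each character's Unicode
    name; digits and hyphens are treated as script-neutral."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def assess(host: str) -> dict:
    """Decide whether a link should get a confirmation prompt before opening."""
    labels = host.lower().split(".")
    ace = to_ace(host)
    mixed = [lbl for lbl in labels if len(scripts_of(lbl)) > 1]
    return {
        "ace": ace,
        "mixed_script_labels": mixed,
        # A mixed-script test alone misses an all-Cyrillic label such as the
        # apple lookalike; prompting whenever the displayed host and its ACE
        # form differ catches both hosts from the report.
        "needs_warning": ace != host.lower(),
    }


if __name__ == "__main__":
    for h in (APPLE_LOOKALIKE, BLAZE_LOOKALIKE, "www.apple.com"):
        print(h, "->", assess(h))
```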



Information forwarded to debian-bugs-dist@lists.debian.org, Nicholas Guriev <guriev-ns@ya.ru>:
Bug#927711; Package telegram-desktop. (Fri, 14 Jun 2019 14:33:09 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Nicholas Guriev <guriev-ns@ya.ru>. (Fri, 14 Jun 2019 14:33:09 GMT)


Message #26 received at 927711@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Коля Гурьев <guriev-ns@ya.ru>
Cc: 927711@bugs.debian.org
Subject: Re: Bug#927711: CVE-2019-10044
Date: Fri, 14 Jun 2019 16:29:11 +0200
On Sat, May 11, 2019 at 05:38:50PM +0300, Коля Гурьев wrote:
> As John Preston said, there was no special fix for the issue in 1.5.12.
> It is a mistake that this version is considered to contain the fix.
> And as far as I can see, Telegram Desktop has no fix for this CVE yet.

Ack, ok.

Cheers,
        Moritz




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:39:46 2019; Machine Name: buxtehude