Debian Bug report logs - #927711 CVE-2019-10044
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Sun, 21 Apr 2019 20:21:02 UTC
Severity: important
Tags: fixed-upstream, security
Found in version telegram-desktop/1.5.11-1
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Nicholas Guriev <guriev-ns@ya.ru>: Bug#927711; Package telegram-desktop. (Sun, 21 Apr 2019 20:21:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Nicholas Guriev <guriev-ns@ya.ru>. (Sun, 21 Apr 2019 20:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: telegram-desktop
Severity: grave
Tags: security
This was assigned CVE-2019-10044 and is claimed to be fixed in 1.5.12:
https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt
Cheers,
Moritz
Severity set to 'important' from 'grave'. Request was from Mattia Rizzolo <mattia@mapreri.org> to control@bugs.debian.org. (Sun, 21 Apr 2019 21:21:02 GMT)
Added tag(s) fixed-upstream. Request was from Mattia Rizzolo <mattia@mapreri.org> to control@bugs.debian.org. (Sun, 21 Apr 2019 21:21:03 GMT)
Marked as found in versions telegram-desktop/1.5.11-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 22 Apr 2019 07:12:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Nicholas Guriev <guriev-ns@ya.ru>: Bug#927711; Package telegram-desktop. (Thu, 09 May 2019 20:45:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Nicholas Guriev <guriev-ns@ya.ru>. (Thu, 09 May 2019 20:45:03 GMT)
Message #16 received at 927711@bugs.debian.org:
On Sun, Apr 21, 2019 at 10:18:12PM +0200, Moritz Muehlenhoff wrote:
> Package: telegram-desktop
> Severity: grave
> Tags: security
>
> This was assigned CVE-2019-10044 and is claimed to be fixed in 1.5.12:
> https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt
What's the status? Has upstream been contacted for an isolated fix, are
you planning to address this for buster?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Nicholas Guriev <guriev-ns@ya.ru>: Bug#927711; Package telegram-desktop. (Sat, 11 May 2019 14:48:02 GMT)
Acknowledgement sent to Коля Гурьев <guriev-ns@ya.ru>: Extra info received and forwarded to list. Copy sent to Nicholas Guriev <guriev-ns@ya.ru>. (Sat, 11 May 2019 14:48:03 GMT)
Message #21 received at 927711@bugs.debian.org:
Hi,
09.05.2019 23:42, Moritz Mühlenhoff wrote:
> What's the status? Has upstream been contacted for an isolated fix, are
> you planning to address this for buster?
As John Preston said, there was no special fix for the issue in 1.5.12.
It is a mistake that this version is considered to contain the fix.
And as far as I can see, Telegram Desktop has no fix for this CVE yet.
At least some code[1] in HistoryWebPage checks for hidden URLs. But it
does not always work properly. For example, it shows a confirmation
for https://www.аррӏе.com/ (https://www.xn--80ak6aa92e.com/) but not
for http://blаzeinfosec.com (http://xn--blzeinfosec-zij.com).
[1]: https://sources.debian.org/src/telegram-desktop/1.5.11-1/Telegram/SourceFiles/history/media/history_media_web_page.cpp/#L133
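The two URLs above illustrate the gap: a label made entirely of Cyrillic look-alikes (xn--80ak6aa92e) is caught, while a label that mixes one Cyrillic letter into Latin text (xn--blzeinfosec-zij) is not. The following is an added example, not Telegram Desktop's code, of a client-side check that flags both cases: it decodes each punycode label and reports either mixed scripts within a label or a whole label built from a (constructed, deliberately small) table of Cyrillic letters that render like Latin ones.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of Cyrillic letters that look like Latin letters in
# common fonts (a real deployment would use the Unicode confusables table).
CYRILLIC_LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j",
}
SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN"}

def to_unicode_label(label):
    """Decode an xn-- (punycode) label; pass Unicode labels through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch):
    """Map a character to LATIN/CYRILLIC/... or COMMON (digits, hyphen)."""
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in SCRIPTS else "COMMON"

def suspicious_labels(hostname):
    """Return (decoded_label, reason) for labels that should be confirmed."""
    findings = []
    for raw in hostname.split("."):
        label = to_unicode_label(raw).lower()
        if label.isascii():
            continue                     # plain ASCII label, nothing to check
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            # e.g. Latin text with a single Cyrillic letter spliced in
            findings.append((label, "mixed-script"))
        elif scripts == {"CYRILLIC"} and all(
            c in CYRILLIC_LATIN_LOOKALIKES for c in label if script_of(c) == "CYRILLIC"
        ):
            # every letter is Cyrillic but the label reads as a Latin word
            findings.append((label, "whole-script-confusable"))
    return findings

def needs_confirmation(url):
    """True if any hostname label of the URL looks like a homoglyph attack."""
    host = urlsplit(url).hostname or ""
    return bool(suspicious_labels(host))
```

A genuinely Cyrillic name such as москва (letters outside the look-alike table) passes, so the check does not block legitimate IDNs.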
Information forwarded to debian-bugs-dist@lists.debian.org, Nicholas Guriev <guriev-ns@ya.ru>: Bug#927711; Package telegram-desktop. (Fri, 14 Jun 2019 14:33:09 GMT)
Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Nicholas Guriev <guriev-ns@ya.ru>. (Fri, 14 Jun 2019 14:33:09 GMT)
Message #26 received at 927711@bugs.debian.org:
On Sat, May 11, 2019 at 05:38:50PM +0300, Коля Гурьев wrote:
> As John Preston said, there was no special fix for the issue in 1.5.12.
> It is a mistake that this version is considered to contain the fix.
> And as far as I can see, Telegram Desktop has no fix for this CVE yet.
Ack, ok.
Cheers,
Moritz
Last modified: Wed Jun 19 14:39:46 2019