Source: sox
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sox.

CVE-2022-39236[0]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Starting with version 17.1.0-rc.1, improperly formed beacon events can
| disrupt or impede the matrix-js-sdk from functioning properly,
| potentially impacting the consumer's ability to process data safely.
| Note that the matrix-js-sdk can appear to be operating normally but be
| excluding or corrupting runtime data presented to the consumer. This
| is patched in matrix-js-sdk v19.7.0. Redacting applicable events,
| waiting for the sync processor to store data, and restarting the
| client are possible workarounds. Alternatively, redacting the
| applicable events and clearing all storage will fix the further
| perceived issues. Downgrading to an unaffected version, noting that
| such a version may be subject to other vulnerabilities, will
| additionally resolve the issue.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://github.com/matrix-org/matrix-spec-proposals/pull/3488

CVE-2022-39249[1]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Prior to version 19.7.0, an attacker cooperating with a malicious
| homeserver can construct messages appearing to have come from another
| person. Such messages will be marked with a grey shield on some
| platforms, but this may be missing in others. This attack is possible
| due to the matrix-js-sdk implementing a too permissive key forwarding
| strategy on the receiving end. Starting with version 19.7.0, the
| default policy for accepting key forwards has been made more strict in
| the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys
| in response to previously issued requests and only from own, verified
| devices. The SDK now sets a `trusted` flag on the decrypted message
| upon decryption, based on whether the key used to decrypt the message
| was received from a trusted source. Clients need to ensure that
| messages decrypted with a key with `trusted = false` are decorated
| appropriately, for example, by showing a warning for such messages.
| This attack requires coordination between a malicious homeserver and
| an attacker, and those who trust your homeservers do not need a
| workaround.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://github.com/matrix-org/matrix-spec-proposals/pull/3061
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

CVE-2022-39251[2]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Prior to version 19.7.0, an attacker cooperating with a malicious
| homeserver can construct messages that legitimately appear to have
| come from another person, without any indication such as a grey
| shield. Additionally, a sophisticated attacker cooperating with a
| malicious homeserver could employ this vulnerability to perform a
| targeted attack in order to send fake to-device messages appearing to
| originate from another user. This can allow, for example, to inject
| the key backup secret during a self-verification, to make a targeted
| device start using a malicious key backup spoofed by the homeserver.
| These attacks are possible due to a protocol confusion vulnerability
| that accepts to-device messages encrypted with Megolm instead of Olm.
| Starting with version 19.7.0, matrix-js-sdk has been modified to only
| accept Olm-encrypted to-device messages. Out of caution, several other
| checks have been audited or added. This attack requires coordination
| between a malicious home server and an attacker, so those who trust
| their home servers do not need a workaround.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39236
    https://www.cve.org/CVERecord?id=CVE-2022-39236
[1] https://security-tracker.debian.org/tracker/CVE-2022-39249
    https://www.cve.org/CVERecord?id=CVE-2022-39249
[2] https://security-tracker.debian.org/tracker/CVE-2022-39251
    https://www.cve.org/CVERecord?id=CVE-2022-39251

Please adjust the affected versions in the BTS as needed.
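
The receiving-side checks described in the CVE-2022-39249 and CVE-2022-39251 texts above, sketched as an added example that is not part of the original report and is not matrix-js-sdk code. The class, field and reason names are hypothetical, a device ID stands in for the sender's verified device identity, and the sample events are constructed.

```javascript
// Added illustration, not matrix-js-sdk code. Class, field and reason names are hypothetical.
const OLM = "m.olm.v1.curve25519-aes-sha2"; // Matrix algorithm identifier for Olm

class KeyForwardPolicy {
  constructor(ownUserId, verifiedOwnDeviceIds) {
    this.ownUserId = ownUserId;
    this.verifiedOwnDeviceIds = new Set(verifiedOwnDeviceIds);
    this.pending = new Set(); // "roomId|sessionId" pairs this client asked for
  }

  // Call when this client sends a room key request.
  recordRequest(roomId, sessionId) {
    this.pending.add(`${roomId}|${sessionId}`);
  }

  // Decide whether a forwarded room key may be imported. Fails closed.
  evaluate(fwd) {
    // To-device payloads must have arrived Olm-encrypted (CVE-2022-39251).
    if (fwd.wireAlgorithm !== OLM) return { accept: false, reason: "not-olm" };
    // Only our own, verified devices may forward keys (CVE-2022-39249).
    if (fwd.senderUserId !== this.ownUserId) return { accept: false, reason: "not-own-user" };
    if (!this.verifiedOwnDeviceIds.has(fwd.senderDeviceId)) return { accept: false, reason: "unverified-device" };
    // Only in response to a request we issued; each request is consumed once.
    const key = `${fwd.roomId}|${fwd.sessionId}`;
    if (!this.pending.delete(key)) return { accept: false, reason: "unsolicited" };
    return { accept: true, reason: "ok" };
  }
}

// UI side: anything not explicitly trusted gets a warning decoration.
function decorationFor(decrypted) {
  return decrypted.trusted === true ? "none" : "warning";
}

// Constructed sample input exercising each rejection path, then the accept path.
function demo() {
  const policy = new KeyForwardPolicy("@alice:example.org", ["ALICEPHONE"]);
  policy.recordRequest("!room:example.org", "sess1");
  const base = { wireAlgorithm: OLM, senderUserId: "@alice:example.org",
                 senderDeviceId: "ALICEPHONE", roomId: "!room:example.org", sessionId: "sess1" };
  return [
    policy.evaluate({ ...base, wireAlgorithm: "m.megolm.v1.aes-sha2" }).reason,
    policy.evaluate({ ...base, senderUserId: "@mallory:example.org" }).reason,
    policy.evaluate({ ...base, senderDeviceId: "UNKNOWN" }).reason,
    policy.evaluate({ ...base, sessionId: "other" }).reason,
    policy.evaluate(base).reason,
    policy.evaluate(base).reason, // replay of the same forward
  ];
}
```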