Bug 27349

Summary: kdeconnect-kde new security issue CVE-2020-26164
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, mageia, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: kdeconnect-kde-20.08.1-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-10-02 22:31:20 CEST 
KDE has issued an advisory today (October 2):
https://kde.org/info/security/advisory-20201002-1.txt

The issue is fixed upstream in 20.08.2.  Upstream commits are linked from the advisory above.

Mageia 7 is also affected.
David Walser 2020-10-02 22:31:26 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-10-13 16:01:25 CEST 
Lots of more details have been posted about this:
https://www.openwall.com/lists/oss-security/2020/10/13/4
Comment 2 David Walser 2020-10-13 19:50:57 CEST 
openSUSE has issued an advisory for this on October 7:
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00014.html
Comment 3 David GEIGER 2020-11-08 16:30:12 CET 
Fixed for Cauldron with kdeconnect-kde-20.08.2-1.mga8

CC: (none) => geiger.david68210
Version: Cauldron => 7

Comment 4 David GEIGER 2020-11-08 16:51:37 CET 
Done for mga7!
Comment 5 David Walser 2020-11-09 23:24:46 CET 
Advisory:
========================

Updated kdeconnect-kde packages fix security vulnerability:

An attacker on your local network could send maliciously crafted packets to
other hosts running kdeconnect on the network, causing them to use large
amounts of CPU, memory or network connections, which could be used in a Denial
of Service attack within the network (CVE-2020-26164).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26164
https://www.openwall.com/lists/oss-security/2020/10/13/4
https://kde.org/info/security/advisory-20201002-1.txt
========================

Updated packages in core/updates_testing:
========================
kdeconnect-kde-1.3.4-2.1.mga7
kdeconnect-kde-handbook-1.3.4-2.1.mga7
kdeconnect-kde-nautilus-1.3.4-2.1.mga7
libkdeconnectcore1-1.3.4-2.1.mga7
libkdeconnectinterfaces1-1.3.4-2.1.mga7
libkdeconnectpluginkcm1-1.3.4-2.1.mga7

from kdeconnect-kde-1.3.4-2.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: kde => qa-bugs

Comment 6 PC LX 2020-11-11 15:15:15 CET 
Installed and tested without issues.


Tested on a Plasma DE and LXQt DE. Connected to an Android phone and an Android tablet, using WiFi with an without WireGuard VPN. Tested most features, including sending and receiving files, controlling media player, controlling mouse, executing command, sending and receiving notification.

No issues found.


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.


$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep kdeconnect | sort
kdeconnect-kde-1.3.4-2.1.mga7
kdeconnect-kde-handbook-1.3.4-2.1.mga7
lib64kdeconnectcore1-1.3.4-2.1.mga7
lib64kdeconnectinterfaces1-1.3.4-2.1.mga7
lib64kdeconnectpluginkcm1-1.3.4-2.1.mga7

CC: (none) => mageia

Comment 7 Thomas Andrews 2020-11-11 20:51:43 CET 
Sounds good enough to me. Giving it an OK and validating. Advisory in Comment 5.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Aurelien Oudelet 2020-11-12 20:41:40 CET 
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-11-13 22:22:04 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0416.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED