| Summary: | Discover: Missing URI scheme validation : CVE-2021-28117 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Lécureuil <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | bequimao.de, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | discover-5.20.4-3.1.mga8 | CVE: | CVE-2021-28117 |
| Status comment: | |||
| Bug Depends on: | 27126 | ||
| Bug Blocks: | |||
5.15.x (Mageia 7) is also affected. Whiteboard:
(none) =>
MGA7TOO fixed in mga7 too now:
src:
- discover-5.15.4-2.1.mga7Assignee:
mageia =>
qa-bugs remember that discover needs to be rebuilt for flatpak, so if you intend to push new flatpak there, then discover will need a rebuild again then... (In reply to Thomas Backlund from comment #3) > remember that discover needs to be rebuilt for flatpak, so if you intend to > push new flatpak there, then discover will need a rebuild again then... Note that: discover-5.20.4-3.1.mga8.src.rpm as a timestamp of 2021-Mar-10 22:21:13 and flatpak-1.10.2-1.mga8.src.rpm 2021-Mar-10 19:04:39 This needs a proper advisory. CC:
(none) =>
ouaurelien Packages list: discover-5.15.4-2.2.mga7 discover-5.20.4-3.1.mga8 Depends on:
(none) =>
27126 Advisory: ======================== Updated discover package fixes security vulnerability: Discover fetches the description and related texts of some applications/plugins from store.kde.org. That text is displayed to the user, after turning into a clickable link any part of the text that looks like a link. This is done for any kind of link, be it smb:// nfs:// etc. when in fact it only makes sense for http/https links. Opening links that the user has clicked on is not very problematic but can be used to chain to other attack vectors. Given the intended functionality of the feature is just for http/https links it makes sense to do that verification (CVE-2021-28117). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28117 https://kde.org/info/security/advisory-20210310-1.txt Installed Packages discover.x86_64 5.20.4-3.1.mga8 @updates_testing-x86_64 Tested an upgrade with discover successfully. Clicking on programs and display of contests looks fine. Ulrich Whiteboard:
MGA7TOO =>
MGA7TOO MGA8-64-OK Installed Packages discover.x86_64 5.15.4-2.2.mga7 @updates_testing-x86_64 Mga7 ditto. No regression found. Note that I did not test flatpack. Whiteboard:
MGA7TOO MGA8-64-OK =>
MGA7TOO MGA7-64-OK MGA8-64-OK Same for M8 on x86_64 Plasma. Still get: https://bugs.mageia.org/show_bug.cgi?id=27647 on opening Discover. Basic usage on my system is to handle flatpak apps. PackageKit's DNF backend does not seem to runs well on my system since a while. Need somewhat a reinstall or a cache delete somewhere. MGA8-64-OK MGA7-64-OK No PoC, because no flatpak app listed with bogus potential link in App's description. Validating. Advisory pushed to SVN. CVE:
(none) =>
CVE-2021-28117 An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0146.html Status:
NEW =>
RESOLVED |
Advsory: Discover fetches the description and related texts of some applications/plugins from store.kde.org. That text is displayed to the user, after turning into a clickable link any part of the text that looks like a link. This is done for any kind of link, be it smb:// nfs:// etc. when in fact it only makes sense for http/https links. src: - discover-5.20.4-3.1.mga8