Bug 27349 - kdeconnect-kde new security issue CVE-2020-26164
Summary: kdeconnect-kde new security issue CVE-2020-26164
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-02 22:31 CEST by David Walser
Modified: 2020-11-13 22:22 CET (History)

See Also:
Source RPM: kdeconnect-kde-20.08.1-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-10-02 22:31:20 CEST
KDE has issued an advisory today (October 2):
https://kde.org/info/security/advisory-20201002-1.txt

The issue is fixed upstream in 20.08.2.  Upstream commits are linked from the advisory above.

Mageia 7 is also affected.
David Walser 2020-10-02 22:31:26 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-10-13 16:01:25 CEST
Many more details have been posted about this:
https://www.openwall.com/lists/oss-security/2020/10/13/4
Comment 2 David Walser 2020-10-13 19:50:57 CEST
openSUSE has issued an advisory for this on October 7:
https://lists.opensuse.org/opensuse-security-announce/2020-10/msg00014.html
Comment 3 David GEIGER 2020-11-08 16:30:12 CET
Fixed for Cauldron with kdeconnect-kde-20.08.2-1.mga8

CC: (none) => geiger.david68210
Version: Cauldron => 7

Comment 4 David GEIGER 2020-11-08 16:51:37 CET
Done for mga7!
Comment 5 David Walser 2020-11-09 23:24:46 CET
Advisory:
========================

Updated kdeconnect-kde packages fix security vulnerability:

An attacker on your local network could send maliciously crafted packets to
other hosts running kdeconnect on the network, causing them to use large
amounts of CPU, memory or network connections, which could be used in a Denial
of Service attack within the network (CVE-2020-26164).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26164
https://www.openwall.com/lists/oss-security/2020/10/13/4
https://kde.org/info/security/advisory-20201002-1.txt
========================

Updated packages in core/updates_testing:
========================
kdeconnect-kde-1.3.4-2.1.mga7
kdeconnect-kde-handbook-1.3.4-2.1.mga7
kdeconnect-kde-nautilus-1.3.4-2.1.mga7
libkdeconnectcore1-1.3.4-2.1.mga7
libkdeconnectinterfaces1-1.3.4-2.1.mga7
libkdeconnectpluginkcm1-1.3.4-2.1.mga7

from kdeconnect-kde-1.3.4-2.1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: kde => qa-bugs

Comment 6 PC LX 2020-11-11 15:15:15 CET
Installed and tested without issues.


Tested on a Plasma DE and an LXQt DE. Connected to an Android phone and an Android tablet, using WiFi with and without WireGuard VPN. Tested most features, including sending and receiving files, controlling the media player, controlling the mouse, executing commands, and sending and receiving notifications.

No issues found.


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.


$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep kdeconnect | sort
kdeconnect-kde-1.3.4-2.1.mga7
kdeconnect-kde-handbook-1.3.4-2.1.mga7
lib64kdeconnectcore1-1.3.4-2.1.mga7
lib64kdeconnectinterfaces1-1.3.4-2.1.mga7
lib64kdeconnectpluginkcm1-1.3.4-2.1.mga7

CC: (none) => mageia
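
The QA check above boils down to confirming that every installed kdeconnect subpackage is at or past the fixed source NVR listed in Comment 5 (1.3.4-2.1.mga7 for Mageia 7) or Comment 3 (20.08.2-1.mga8 for Cauldron). The script below is an added example, not code from this bug report, from Mageia or from the kdeconnect project: it re-implements rpm's rpmvercmp segment comparison in pure Python (so it does not need librpm or a Mageia host) and applies it to `rpm -qa` style lines. The sample input is constructed from the package list in Comment 6; the FIXED table and the `.mgaN` branch detection are assumptions made here for illustration. It generalises beyond this bug in that the same comparison works for any name-version-release line, including `~` pre-release tags, which a plain string comparison gets wrong.

```python
"""Verify that installed kdeconnect-kde RPMs are at or past the fixed release.

Added example, not code from the Mageia bug report or from kdeconnect. It
re-implements the rpmvercmp segment comparison in pure Python (no librpm
needed) and applies it to `rpm -qa` style lines. Sample input is constructed
from the package list posted in Comment 6.
"""
import re
from typing import Dict, Optional, Tuple

# Fixed source NVRs named in the bug: Comment 5 (Mageia 7) and Comment 3 (Cauldron).
# All subpackages come from one source RPM, so one version-release per branch suffices.
FIXED: Dict[str, Tuple[str, str]] = {
    "mga7": ("1.3.4", "2.1.mga7"),
    "mga8": ("20.08.2", "1.mga8"),
}

# Constructed sample: what `rpm -qa | grep kdeconnect | sort` printed on the tester's box.
SAMPLE_RPM_QA = """\
kdeconnect-kde-1.3.4-2.1.mga7
kdeconnect-kde-handbook-1.3.4-2.1.mga7
lib64kdeconnectcore1-1.3.4-2.1.mga7
lib64kdeconnectinterfaces1-1.3.4-2.1.mga7
lib64kdeconnectpluginkcm1-1.3.4-2.1.mga7
"""

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[a-zA-Z]+")


def _is_alnum(c: str) -> bool:
    return ("0" <= c <= "9") or ("a" <= c <= "z") or ("A" <= c <= "Z")


def rpmvercmp(a: str, b: str) -> int:
    """Compare version/release strings like rpm's rpmvercmp(): -1, 0 or 1.
    Segments are runs of digits or letters, separators are ignored, numeric
    segments beat alphabetic ones, and '~' sorts before anything (even end of string).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (_is_alnum(a[i]) or a[i] == "~"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1          # b is a pre-release of a, so a is newer
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = "0" <= a[i] <= "9"
        pat = _DIGITS if numeric else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        if mb is None:
            return 1 if numeric else -1   # mixed types: the numeric segment is newer
        sa, sb = ma.group(0), mb.group(0)
        i, j = ma.end(), mb.end()
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1        # leftover segments mean the longer string is newer


def parse_nvr(line: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' on the last two dashes (rpm -qa prints no epoch here)."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def is_fixed(line: str) -> Optional[bool]:
    """True if at or past the fixed NVR for its Mageia branch, False if older, None if unknown."""
    _, version, release = parse_nvr(line)
    branch = re.search(r"\.(mga\d+)$", release)
    if branch is None or branch.group(1) not in FIXED:
        return None                       # not a Mageia build we have a fixed version for
    fixed_version, fixed_release = FIXED[branch.group(1)]
    cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return cmp >= 0


def audit(rpm_qa_output: str) -> Dict[str, Optional[bool]]:
    """Map each installed package name to its fixed / vulnerable / unknown verdict."""
    return {parse_nvr(l)[0]: is_fixed(l) for l in rpm_qa_output.splitlines() if l.strip()}


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_RPM_QA).items():
        print(f"{name}: {'fixed' if ok else 'unknown' if ok is None else 'VULNERABLE'}")
```

Run it against real output with `rpm -qa | grep kdeconnect | python3 check.py` after swapping `SAMPLE_RPM_QA` for `sys.stdin.read()`; a `None` verdict means the release tag is not a Mageia branch the table knows, which is the right answer for a locally rebuilt or third-party package rather than a false "fixed".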

Comment 7 Thomas Andrews 2020-11-11 20:51:43 CET
Sounds good enough to me. Giving it an OK and validating. Advisory in Comment 5.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Aurelien Oudelet 2020-11-12 20:41:40 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-11-13 22:22:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0416.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

