Bug 27700 - kdeconnect-kde new security improvement for device pairing
Summary: kdeconnect-kde new security improvement for device pairing
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2020-12-02 00:29 CET by David Walser
Modified: 2020-12-29 12:58 CET

See Also:
Source RPM: kdeconnect-kde-1.3.4-2.1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-12-02 00:29:06 CET
+++ This bug was initially created as a clone of Bug #27349 +++

An additional commit was made upstream that should be backported:
https://www.openwall.com/lists/oss-security/2020/11/30/1
Comment 1 David Walser 2020-12-28 00:09:16 CET
openSUSE has issued an advisory for this on December 26:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7S5MEH3CXBXVT2KJAPUZFFUHVVXK6BN7/

They fixed it in this commit:
https://build.opensuse.org/request/show/858379
Comment 2 David GEIGER 2020-12-28 09:43:05 CET
Done for mga7!

CC: (none) => geiger.david68210

Comment 3 David Walser 2020-12-28 13:01:01 CET
kdeconnect-kde-1.3.4-2.2.mga7
kdeconnect-kde-handbook-1.3.4-2.2.mga7
kdeconnect-kde-nautilus-1.3.4-2.2.mga7
libkdeconnectcore1-1.3.4-2.2.mga7
libkdeconnectinterfaces1-1.3.4-2.2.mga7
libkdeconnectpluginkcm1-1.3.4-2.2.mga7

from kdeconnect-kde-1.3.4-2.2.mga7.src.rpm

Assignee: kde => qa-bugs

Comment 4 PC LX 2020-12-28 14:47:29 CET
Installed and tested without issues.

Tested on Plasma DE and LXQt DE. Connected to an Android phone and tablet. Tested with and without WireGuard VPN. Tested sending and receiving files, controlling the media player, controlling the mouse, executing commands, and sending and receiving notifications.

No issues found.


System: Mageia 7, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia-current proprietary driver.


$ uname -a
Linux marte 5.7.19-desktop-3.mga7 #1 SMP Sun Oct 18 15:46:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep kdeconnect | sort
kdeconnect-kde-1.3.4-2.2.mga7
kdeconnect-kde-handbook-1.3.4-2.2.mga7
lib64kdeconnectcore1-1.3.4-2.2.mga7
lib64kdeconnectinterfaces1-1.3.4-2.2.mga7
lib64kdeconnectpluginkcm1-1.3.4-2.2.mga7

CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-12-28 22:03:50 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 David Walser 2020-12-28 22:17:08 CET
Advisory:
--------

Updated kdeconnect-kde packages fix security vulnerability:

For the pairing procedure, the GUI component only presented the friendly
'deviceName' to identify peer devices, which is completely under attacker
control. Furthermore the 'deviceName' is transmitted in cleartext in UDP
broadcast messages for all other nodes in the network segment to see.
Therefore malicious devices can attempt to confuse users by requesting a
pairing under the same 'deviceName' to gain access to a system.

Now, a sha256 fingerprint of the concatenated public keys of the two
involved certificates is displayed. In the initial popup, a prefix of 8 hex
digits of the fingerprint is displayed. The full fingerprint is reachable
via an additional "view key" button.

References:
https://www.openwall.com/lists/oss-security/2020/11/30/1
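The advisory above describes the fix only in prose. The following is an added illustration of the pairing verification key it describes; it is not code from kdeconnect-kde, the Mageia package, or any commenter. It assumes (this is not stated on the page) that the two DER-encoded public keys are concatenated in a canonical sorted order so that both peers display the same fingerprint, and the "public keys" it hashes are constructed placeholder byte strings, not real certificate material.

```python
"""Added example: a verification key for KDE Connect style pairing.

Models what the advisory describes: instead of trusting the attacker-
controlled 'deviceName', the pairing prompt shows an 8-hex-digit prefix of
a SHA-256 fingerprint over both peers' certificate public keys, with the
full fingerprint available behind a "view key" button.

Assumption (not from the page): the two DER public keys are sorted before
concatenation so that phone and desktop compute an identical string.
"""
import hashlib

# Constructed sample inputs (NOT real keys). Each stands in for the DER
# SubjectPublicKeyInfo taken from a device's TLS certificate. The prefix is
# a P-256 SPKI header; the point bytes are filler so the example runs offline.
_SPKI_P256_HEADER = "3059301306072a8648ce3d020106082a8648ce3d03010703420004"
LOCAL_PUBKEY_DER = bytes.fromhex(_SPKI_P256_HEADER + "11" * 64)
PEER_PUBKEY_DER = bytes.fromhex(_SPKI_P256_HEADER + "22" * 64)
IMPOSTOR_PUBKEY_DER = bytes.fromhex(_SPKI_P256_HEADER + "33" * 64)


def verification_key(own_pubkey_der: bytes, peer_pubkey_der: bytes) -> str:
    """SHA-256 over both public keys, concatenated in sorted order.

    Sorting (an assumption of this example) makes the value symmetric: the
    side that initiated pairing and the side that received the request get
    the same 64 hex digits without having to agree on who goes first.
    """
    first, second = sorted((own_pubkey_der, peer_pubkey_der))
    return hashlib.sha256(first + second).hexdigest().upper()


def pairing_prompt(own_pubkey_der: bytes, peer_pubkey_der: bytes,
                   peer_device_name: str) -> dict:
    """Contents of the initial pairing popup.

    'device_name' is whatever the peer claimed in its UDP broadcast and is
    therefore untrusted; 'short_key' is the 8-hex-digit prefix shown in the
    popup; 'full_key' is what the "view key" button reveals.
    """
    full = verification_key(own_pubkey_der, peer_pubkey_der)
    return {
        "device_name": peer_device_name,
        "short_key": full[:8],
        "full_key": full,
    }


def keys_match(shown_on_desktop: str, shown_on_phone: str) -> bool:
    """The user's check: the strings on both screens must be identical.

    Comparing the full key is stronger than the 8-digit prefix; the prefix
    exists only so the popup stays readable.
    """
    return shown_on_desktop == shown_on_phone


if __name__ == "__main__":
    # Two devices both announce themselves as "My Phone": the name alone
    # cannot tell them apart, but the verification keys can.
    real = pairing_prompt(LOCAL_PUBKEY_DER, PEER_PUBKEY_DER, "My Phone")
    fake = pairing_prompt(LOCAL_PUBKEY_DER, IMPOSTOR_PUBKEY_DER, "My Phone")
    for label, prompt in (("genuine", real), ("impostor", fake)):
        print(f"{label:9s} deviceName={prompt['device_name']!r} "
              f"key={prompt['short_key']} (full: {prompt['full_key']})")
    # What the phone computes for the genuine pairing must equal the desktop's.
    phone_side = verification_key(PEER_PUBKEY_DER, LOCAL_PUBKEY_DER)
    print("genuine pairing keys match:", keys_match(real["full_key"], phone_side))
```

The point to check in practice is the one the advisory makes: the name is free text chosen by the remote party, so the user has to compare the key shown on both devices, and the full fingerprint, not just the 8-digit prefix, is what rules out a lookalike.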
Comment 7 Aurelien Oudelet 2020-12-29 10:56:46 CET
Advisory pushed to SVN.

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 8 Mageia Robot 2020-12-29 12:58:44 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0475.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
