Bug 29043 - nextcloud-client update to 3.3.3 (fixes CVE-2021-22895 and CVE-2021-32728)
Summary: nextcloud-client update to 3.3.3 (fixes CVE-2021-22895 and CVE-2021-32728)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://github.com/nextcloud/desktop/...
Whiteboard: MGA8-64-OK MGA8-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-30 10:18 CEST by Morgan Leijström
Modified: 2021-09-23 21:55 CEST (History)
9 users

See Also:
Source RPM: nextcloud-client-3.1.3-1.mga8.src.rpm
CVE:
Status comment:


Attachments
fix-build.patch (5.45 KB, patch)
2021-07-30 17:45 CEST, Sander Lepik
Spec changes (1.83 KB, patch)
2021-07-30 17:46 CEST, Sander Lepik

Description Morgan Leijström 2021-05-30 10:18:58 CEST
We have 3.1.3

The 3.2 series brings a lot of advancements such as a major engine update, the Status feature, and Virtual files (still experimental on Linux in 3.2.0; I don't know about 3.2.2)
https://nextcloud.com/blog/nextcloud-desktop-client-3-2-with-status-feature-and-virtual-files-available-now/
https://help.nextcloud.com/t/nextcloud-desktop-client-3-2-1-is-out-with-some-virtual-files-bugfixes/115102

3.2.2 is getting released now
https://github.com/nextcloud/desktop/issues/3372

From history we learned that .0 versions can be problematic, but now at the second bugfix release I think it is time we get it in as an update for our users.

Changelog
https://github.com/nextcloud/desktop/releases
Comment 1 Morgan Leijström 2021-05-30 10:31:37 CEST
CC people from previous update, Bug 28241

CC: (none) => brtians1, joequant, mageia, mageia

Comment 2 Lewis Smith 2021-05-30 21:15:45 CEST
Thank you for the prompt & information.
This looks good to assign to NicolasL.

CC: mageia => (none)
Assignee: bugsquad => mageia

Comment 3 Morgan Leijström 2021-07-06 11:24:25 CEST
3.2.3 released 11 days ago
Comment 4 Morgan Leijström 2021-07-27 22:35:13 CEST
3.2.4 released 19 days ago.

It is really about time we get 3.2.x out.

Assignee: mageia => pkg-bugs

Comment 5 Nicolas Lécureuil 2021-07-30 15:34:02 CEST
I started to look, but it does not build yet.

CC: (none) => mageia

Comment 6 Sander Lepik 2021-07-30 17:45:15 CEST
Created attachment 12879 [details]
fix-build.patch

Fix for building on mga8
Comment 7 Sander Lepik 2021-07-30 17:46:19 CEST
Created attachment 12880 [details]
Spec changes

The Source is probably wrong, as I had to download manually and didn't have time to search for the correct link.
Comment 8 Sander Lepik 2021-07-30 17:47:00 CEST
@Nicolas, maybe my patches will help a bit, I made it compile on mga8 with these.

CC: (none) => mageia

Morgan Leijström 2021-07-30 18:03:15 CEST

Summary: nextcloud-client update to 3.2.2 => nextcloud-client update to 3.2.latest

Comment 9 Morgan Leijström 2021-09-12 18:31:36 CEST
3.3.3 has been out for 9 days.
As it is kind of the third bugfix release for 3.3, I think we should go for 3.3.latest now.

https://nextcloud.com/blog/desktop-sync-client-3-3-improves-reliability-and-performance/

I don't think users need 3.2.x in between; correct me if I am wrong.

@Christian, as you are interested in having a go at the server package, maybe you are also interested in trying to package this client?

Summary: nextcloud-client update to 3.2.latest => nextcloud-client update
CC: (none) => chb0

Comment 10 christian barranco 2021-09-13 08:55:19 CEST
(In reply to Morgan Leijström from comment #9)
> @Christian, as you are interested in having a go at the server package,
> maybe you are also interested in trying to package this client?
Hi
I'll have a look.
Comment 11 christian barranco 2021-09-17 14:39:08 CEST
Hi,
I just succeeded in building nextcloud-client 3.3.3.
Indeed, a few adjustments were needed with buildrequires, lib and patch.
I tested it and it works.
I have the src.rpm.
Let me know what else I should do now, when you have a chance.
Comment 12 Morgan Leijström 2021-09-18 11:25:28 CEST
Great, Christian!

Now for mentor or another packager to help next step.
Comment 13 Nicolas Lécureuil 2021-09-18 18:00:06 CEST
I am looking at the review today :)
Comment 14 Nicolas Lécureuil 2021-09-18 23:35:36 CEST
Modifications validated and pushed into cauldron.


In Mageia 8, where do you want it? updates? backports?
Comment 15 Dave Hodgins 2021-09-19 02:55:11 CEST
Does it require manual intervention for it to work for users who currently have
nextcloud-client-3.1.3-1.mga8 installed?

CC: (none) => davidwhodgins

Comment 16 christian barranco 2021-09-19 07:47:07 CEST
(In reply to Dave Hodgins from comment #15)
> Does it require manual intervention for it to work for users who currently
> have
> nextcloud-client-3.1.3-1.mga8 installed?

No. I have tested both new installation and update. Both work and the update process is transparent for the user.
Comment 17 Morgan Leijström 2021-09-19 12:51:15 CEST
Great.
Put it in updates testing, and I will test too (update, 64-bit).
Comment 18 Dave Hodgins 2021-09-19 15:12:45 CEST
Then it should also go in core updates testing like
nextcloud-client-3.1.3-1.mga8 did.
Comment 19 Morgan Leijström 2021-09-19 18:10:19 CEST
I meant it should go in core updates testing...  :)
to be released in core updates after testing
Comment 20 Nicolas Lécureuil 2021-09-20 09:40:24 CEST
I just pushed it into Mageia 8 updates_testing.
Nicolas Lécureuil 2021-09-20 09:57:54 CEST

Assignee: pkg-bugs => qa-bugs

Comment 21 Morgan Leijström 2021-09-20 14:04:50 CEST
Clean update:

Had 3.1.3 installed and did not shut it down.
Using drakrpm, updated to
- lib64nextcloudsync0-3.3.3-1.mga8.x86_64
- lib64ocsync0-3.3.3-1.mga8.x86_64
- nextcloud-client-3.3.3-1.mga8.x86_64
- nextcloud-client-dolphin-3.3.3-1.mga8.x86_64

Logged out and in; 3.3.3 started (I use my own autostart script, btw, to start several apps with pauses and ordering between them...). Using KWallet for the password.
It continued to run the syncs set up from two servers, and the paused ones stayed paused.
Swedish locale, Plasma.

Did not test: attaching to new server, new shares, etc

----

How can a user enable virtual files?

I see in settings "Using virtual files plugin: off"
Comment 22 Morgan Leijström 2021-09-20 15:23:47 CEST
(In reply to Morgan Leijström from comment #21)
> How can a user enable virtual files?

https://docs.nextcloud.com/desktop/3.3/architecture.html#virtual-files

$ cat ~/.config/Nextcloud/nextcloud.cfg | grep virt
1\Folders\10\virtualFilesMode=off

Maybe I will play with it and turn it on later, but it is still experimental.
Comment 23 Brian Rockwell 2021-09-20 20:13:13 CEST
MGA8-64, Gnome

$ uname -a
Linux localhost.localdomain 5.10.62-desktop-1.mga8 #1 SMP Fri Sep 3 14:47:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

This is an upgrade from the prior nextcloud-client on the machine.

The following 3 packages are going to be installed:

- lib64nextcloudsync0-3.3.3-1.mga8.x86_64
- lib64ocsync0-3.3.3-1.mga8.x86_64
- nextcloud-client-3.3.3-1.mga8.x86_64


--- I rebooted the machine

It required me to re-validate with the server, but after that it sync'd without issue.

Works as designed for me.
Comment 24 Brian Rockwell 2021-09-20 20:18:51 CEST
MGA8-64, Gnome

The following 3 packages are going to be installed:

- lib64nautilus-gir3.0-3.38.2-1.mga8.x86_64
- nautilus-python-1.2.3-4.mga8.x86_64
- nextcloud-client-nautilus-3.3.3-1.mga8.x86_64


It appears to be integrating with Nautilus with no issues.
Comment 25 David Walser 2021-09-20 20:45:46 CEST
This update fixes CVE-2021-22895 (fixed upstream in 3.3.1) and CVE-2021-32728 (fixed in 3.3.0):
https://www.debian.org/security/2021/dsa-4974

Summary: nextcloud-client update => nextcloud-client update to 3.3.3 (fixes CVE-2021-22895 and CVE-2021-32728)
Component: RPM Packages => Security
QA Contact: (none) => security

Comment 26 Brian Rockwell 2021-09-20 21:33:17 CEST
MGA8-64, Xfce

Nextcloud Client Upgrade

Installed 

- lib64nextcloudsync0-3.3.3-1.mga8.x86_64
- lib64ocsync0-3.3.3-1.mga8.x86_64
- nextcloud-client-3.3.3-1.mga8.x86_64


-- rebooted

Working as designed
Comment 27 Brian Rockwell 2021-09-21 17:59:26 CEST
MGA8-64, Plasma

Fresh build of Nextcloud client and Dolphin extensions

The following 17 packages are going to be installed:

- gcr-3.38.0-1.mga8.x86_64
- gnome-keyring-3.36.0-3.mga8.x86_64
- lib64cloudproviders0-0.3.1-1.mga8.x86_64
- lib64gcr-ui3_1-3.38.0-1.mga8.x86_64
- lib64gnome-keyring-3.36.0-3.mga8.x86_64
- lib64gnome-keyring0-3.12.0-12.mga8.x86_64
- lib64handy1_0-1.0.3-1.mga8.x86_64
- lib64nextcloudsync0-3.3.3-1.mga8.x86_64
- lib64ocsync0-3.3.3-1.mga8.x86_64
- lib64qt5keychain1-0.11.1-2.mga8.x86_64
- lib64qt5websockets5-5.15.2-1.mga8.x86_64
- libgnome-keyring-i18n-3.12.0-12.mga8.noarch
- libhandy-common-1.0.3-1.mga8.x86_64
- nextcloud-client-3.3.3-1.mga8.x86_64
- nextcloud-client-dolphin-3.3.3-1.mga8.x86_64
- pinentry-gnome3-1.1.1-1.mga8.x86_64
- seahorse-3.38.0.1-1.mga8.x86_64

27MB of additional disk space will be used.

Afterwards I was able to start nextcloud-client and set up a connection to the test server.  Everything sync'd.  Also the dolphin client worked as expected ... showing synchronization status on folders and files.

Approving this.
Comment 28 Brian Rockwell 2021-09-22 00:36:00 CEST
MGA8-32, Mate

$ uname -a
Linux localhost.localdomain 5.10.62-desktop-1.mga8 #1 SMP Fri Sep 3 15:03:25 UTC 2021 i686 i686 i386 GNU/Linux

New install

qtsvg5-5.15.2-1.1.mga8.i586: success
libqt5svg5-5.15.2-1.1.mga8.i586: success
libqt5quicktemplates2_5-5.15.2-1.mga8.i586: success
libqt5quickcontrols2_5-5.15.2-1.mga8.i586: success
libqt5webchannel5-5.15.2-1.mga8.i586: success
libqt5keychain1-0.11.1-2.mga8.i586: success
libocsync0-3.3.3-1.mga8.i586: success
libcaja-gir2.0-1.24.1-1.mga8.i586: success
qtquickcontrols25-5.15.2-1.mga8.i586: success
libqt5websockets5-5.15.2-1.mga8.i586: success
libnextcloudsync0-3.3.3-1.mga8.i586: success
libminizip1-1.2.11-9.mga8.i586: success
libqt5pdf5-5.15.6-1.mga8.i586: success
libqt5positioning5-5.15.2-1.mga8.i586: success
libcloudproviders0-0.3.1-1.mga8.i586: success
libsnappy1-1.1.8-2.mga8.i586: success
python3-caja-1.24.0-2.mga8.i586: success
libqt5quickwidgets5-5.15.2-1.mga8.i586: success
libre2_9-20201101-2.mga8.i586: success
qtwebengine5-5.15.6-1.mga8.i586: success
libqt5webenginecore5-5.15.6-1.mga8.i586: success
libqt5webengine5-5.15.6-1.mga8.i586: success
libqt5webenginewidgets5-5.15.6-1.mga8.i586: success
nextcloud-client-3.3.3-1.mga8.i586: success
nextcloud-client-caja-3.3.3-1.mga8.i586: success

---rebooted


Nextcloud was able to link to server and sync
Caja recognized that nextcloud folders were updated

Working as designed.

Whiteboard: (none) => MGA8-64-OK MGA8-32-OK

Comment 29 Thomas Andrews 2021-09-22 14:10:50 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 30 Morgan Leijström 2021-09-22 14:13:02 CEST
Thanks all :)
And welcome to the party, Christian!
Comment 31 christian barranco 2021-09-22 18:27:33 CEST
(In reply to Morgan Leijström from comment #30)
> Thanks all :)
> And welcome to the party, Christian!

Thanks Morgan.
Coming next, Nextcloud server ;).
Stay tuned :)
Comment 32 Morgan Leijström 2021-09-22 18:53:37 CEST
Apprentice, do we have an advisory for this one written?
https://wiki.mageia.org/en/How_to_create_an_update_advisory
Comment 33 christian barranco 2021-09-22 19:23:34 CEST
(In reply to Morgan Leijström from comment #32)
> Apprentice, do we have an advisory for this one written?
> https://wiki.mageia.org/en/How_to_create_an_update_advisory

Hi

I have made a few comments on the change log to explain packaging updates.
However, I have not pasted the release notes of this new 3.3.3 version. Should I?
Comment 34 Dave Hodgins 2021-09-22 22:19:08 CEST
Advisory based on above info committed to svn as ...
type: security
subject: Updated nextcloud-client packages fix security vulnerability
CVE:
 - CVE-2021-22895
 - CVE-2021-32728
src:
  8:
   core:
     - nextcloud-client-3.3.3-1.mga8
description: |
  Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate
  validation due to lack of SSL certificate verification when using the
  "Register with a Provider" flow. (CVE-2021-22895)

  In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if
  a private key belongs to previously downloaded public certificate. If the
  Nextcloud instance serves a malicious public key, the data would be
  encrypted for this key and thus could be accessible to a malicious actor.
  This issue is fixed in Nextcloud Desktop Client version 3.3.0.

Keywords: (none) => advisory

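An added example for the two checks the advisory above describes, written here in Go against its standard library; it is illustrative code, not the Nextcloud client's own implementation and not part of this bug report. The helper names, the host names and the self-signed certificates it generates are assumptions so that it runs offline:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added illustration (not Nextcloud's code) of the two checks named in the
// advisory: that a server certificate chains to a trusted root and matches the
// expected host (what CVE-2021-22895 skipped), and that a locally held private
// key really belongs to a certificate the server handed back (CVE-2021-32728).
// Helper names, host names and the self-signed certificates are assumptions
// made so that the demo runs offline.

// ErrKeyMismatch is returned when the private key does not match the certificate.
var ErrKeyMismatch = errors.New("private key does not belong to the certificate's public key")

// generateKey creates a fresh RSA key pair for the demo.
func generateKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// selfSignedCertDER builds a self-signed certificate for key, valid for host.
// It stands in for "the certificate the server sends us"; IsCA lets the same
// blob also serve as the trust anchor in the positive verification case.
func selfSignedCertDER(key *rsa.PrivateKey, host string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageDataEncipherment,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// verifyProviderCert is the check a "Register with a Provider" style flow must
// not skip: the presented certificate has to chain to a trusted root AND carry
// the host name we meant to talk to. Accepting any certificate lets a network
// attacker impersonate the provider and read whatever the flow exchanges.
func verifyProviderCert(certDER []byte, host string, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// checkKeyBelongsToCert is the consistency check missing before 3.3.0: before
// encrypting to the public key in a certificate the server returned, confirm
// it is the public half of OUR private key. If the server substitutes a
// certificate for a key it controls, the data would be encrypted for the
// attacker instead.
func checkKeyBelongsToCert(priv *rsa.PrivateKey, certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	certPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	// Equal compares modulus and exponent, i.e. it is the same key pair.
	if !certPub.Equal(&priv.PublicKey) {
		return ErrKeyMismatch
	}
	return nil
}

func main() {
	clientKey, _ := generateKey()
	attackerKey, _ := generateKey()
	ours, _ := selfSignedCertDER(clientKey, "client.example")
	forged, _ := selfSignedCertDER(attackerKey, "client.example") // server-substituted key

	fmt.Println("own cert:   ", checkKeyBelongsToCert(clientKey, ours))
	fmt.Println("forged cert:", checkKeyBelongsToCert(clientKey, forged))

	trusted := x509.NewCertPool()
	cert, _ := x509.ParseCertificate(ours)
	trusted.AddCert(cert)
	fmt.Println("trusted root, right host:", verifyProviderCert(ours, "client.example", trusted))
	fmt.Println("trusted root, wrong host:", verifyProviderCert(ours, "evil.example", trusted))
	fmt.Println("no trusted root:         ", verifyProviderCert(ours, "client.example", x509.NewCertPool()))
}
```

In the forged-certificate case the returned certificate parses and would happily be used for encryption; only comparing its public key against the local private key catches the substitution, which is what the 3.3.0 fix adds. Likewise, verifyProviderCert fails both for an untrusted root and for a host-name mismatch, the two conditions an unverified TLS connection silently ignores.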
Comment 35 Mageia Robot 2021-09-23 06:51:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0421.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 36 christian barranco 2021-09-23 09:38:25 CEST
(In reply to Dave Hodgins from comment #34)
> Advisory based on above info committed to svn as ...
> type: security
> subject: Updated nextcloud-client packages fix security vulnerability
> CVE:
>  - CVE-2021-22895
>  - CVE-2021-32728
> .......

Thanks Dave for the work done. Should I do it next time or is there a dedicated team in charge?

Actually, we might have another opportunity as 3.3.4 is out
https://help.nextcloud.com/t/nextcloud-desktop-client-3-3-4-with-bugfixes-is-here/124024

or is it too early to propose it?

Side note: I think it would be better, packaging wise, not to jump too many versions to track the potential changes required to build.
Comment 37 Morgan Leijström 2021-09-23 13:58:25 CEST
David Walser is effectively our security guru, and points out new security issues by starting new bugs or adding to existing ones.

Dave and some other people jump in here and there :)

But it is very good if the packager regularly checks for possible security updates, and other updates too, for the packages he caters for, and starts the packaging work by creating a bug, then packaging. And writes the advisory, or just proposes an advisory text in the bug.

As for update frequency it depends on what package, and severity of bugs.

We don't have the manpower to ship every version of every program we package; not only because of packagers, but also because of QA limitations.

This nextcloud client took too long; we should have shipped one 3.2.x too.
We have burnt ourselves on both server and client x.x.0 versions, so always wait one or two bugfix releases. Mageia style is more reliability than cutting edge.

But already 3.3.4? If you wish :) a good repeat exercise, and I can test it.

A few packages see several releases in our testing, like Thunderbird recently; kernels and some other stuff even get built for several revisions sometimes before we even start a bug. For the new packaging of nextcloud server I would not be surprised if we need more than one try.
Comment 38 Morgan Leijström 2021-09-23 14:00:19 CEST
Clarification
"see several releases in our testing,"
I mean we sometimes test more than one update iteration in testing before we ship out.
Comment 39 christian barranco 2021-09-23 21:08:01 CEST
Hi
I just packaged 3.3.4
Actually, packaging-wise, there was nothing to do after all the adjustments made to upgrade from 3.1.

Nicolas, the src.rpm is available at the usual location.

I just tested it on MGA8 Cinnamon, Gnome and KDE. Update went smoothly from 3.3.3.
Of course, more comprehensive tests are required. I would be surprised if there were any issue, but it is never 100% guaranteed.

Advisory-wise, I have not noted any CVE.
Bug fixes reported in the announcement:

desktop#3757
https://github.com/nextcloud/desktop/pull/3757 [stable-3.3] prevent infinite recursion when closing a websocket in case of SSL errors

desktop#3791
https://github.com/nextcloud/desktop/pull/3791 [stable-3.3] Accept nc scheme in provider page

And, just now, I am wondering whether this is the right place to post this, or should I issue a new "bug" report?
Comment 40 Morgan Leijström 2021-09-23 21:38:01 CEST
Nice Christian.

Yes please open a new report for 3.3.4, because this bug already resulted in shipment of 3.3.3.
Comment 41 Dave Hodgins 2021-09-23 21:55:31 CEST
(In reply to christian barranco from comment #36)
> Thanks Dave for the work done. Should I do it next time or is there a
> dedicated team in charge?

In the bug report, there should be an advisory in one of the comments.
For a security update, it should list each cve, along with a brief summary.
For bugfix updates, it should list each issue that's fixed.
There should also be a list of the rpm packages, and the srpm packages.
That way qa knows what to install, and what to look for when testing.

The srpm list is used when committing the formal advisory to svn. The svn
advisory srpm list controls what gets moved from updates testing to updates
when the update is "pushed". It's also used to generate the advisories that
get published to https://advisories.mageia.org/index.html and the updates
announce mailing list. The svn advisories must be very carefully formatted.
Things like a trailing space on a line can cause it to be rejected by the
push script. There are only a few people who take care of that.

If you'd like to volunteer to help with that in addition to normal packaging,
see https://wiki.mageia.org/en/Mgaadv and post a msg to the qa-discuss mailing
list.
