[Pkg-owncloud-maintainers] Bug#1034184: Bug#1034184: nextcloud-desktop: CVE-2023-28999
Hefee
hefee at debian.org
Tue Apr 11 15:47:49 BST 2023
control: tags -1 + moreinfo
Hey,
thanks for your initial work in this bug. I added some more digging work into
it that ends up with a lot of question marks...
Do you know for sure that the merge request #5560 fixes CVE-2023-28999? At
least I looked at the merge request and it is a very big one that touches 34
files (660 lines added/483 lines removed) and the commits have whitespace
changes and add a new metadata version (1.2). Do we need this new metadata
version in order to fix the CVE? In total this does not look like just a bugfix
but like a feature branch. It does not look like we can simply ship this big
patch to bookworm/bullseye :(
The commit that adds a new metadata version:
https://github.com/nextcloud/desktop/pull/5560/commits/1b0a93eabc8f1322ef299cba3c4db81944c7d2c6
At least there are other merge requests that touch E2EE in Nextcloud
Desktop:
https://github.com/nextcloud/desktop/pull/5534
and then there are these new issues with 3.8.0 and E2EE, which scare me off
backporting additionally:
https://github.com/nextcloud/desktop/issues/5564
Additionally it does not apply cleanly on v3.7.3 - so more work needs to be put
into getting this into Debian.
regards,
hefee
> The following vulnerability was published for nextcloud-desktop.
>
> CVE-2023-28999[0]:
> | Nextcloud is an open-source productivity platform. In Nextcloud
> | Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until
> | 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server
> | administrator can gain full access to an end-to-end encrypted folder.
> | They can decrypt files, recover the folder structure and add new
> | files.​ This issue is fixed in Nextcloud Desktop 3.8.0,
> | Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known
> | workarounds are available.
>
> https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8
> https://github.com/nextcloud/desktop/pull/5560
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-28999
> https://www.cve.org/CVERecord?id=CVE-2023-28999
>
> Please adjust the affected versions in the BTS as needed.
>