deps: Update dependency matrix-js-sdk to v34 [SECURITY] #3185
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-matrix-js-sdk-vulnerability
branch
from
ab1c10c
to
6475787
Compare
renovate
bot
force-pushed
the
renovate/npm-matrix-js-sdk-vulnerability
branch
from
6475787
to
6790ae5
Compare
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^19.5.0->^34.0.0GitHub Vulnerability Alerts
CVE-2022-39236
Impact
Improperly formed beacon events (from MSC3488) can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer.
Patches
This is patched in matrix-js-sdk v19.7.0
Workarounds
Redacting applicable events, waiting for the sync processor to store data, and restarting the client can often fix it. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues.
Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.
References
N/A - This was a logic error in the SDK.
For more information
If you have any questions or comments about this advisory please email us at security at matrix.org.
CVE-2022-39249
Impact
An attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others.
This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end.
Key forwarding is a mechanism allowing clients to recover from “unable to decrypt” messages when they missed the initial key distribution, at the time the message was originally sent. Examples include accessing message history before they joined the room but also when some network/federation errors have occurred.
Patches
The default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices.
A unique exception to this rule is with the experimental MSC3061, that is forwarding room keys for past messages when invited in a room configured with the proper history visibility setting. Such key forwards are parked upon receipt and are only accepted if the SDK receives an invitation for that room from the inviter in a limited time window.
The SDK now sets a
trustedflag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key withtrusted = falseare decorated appropriately (for example, by showing a warning for such messages).Workarounds
As this attack requires coordination between a malicious homeserver and an attacker, if you trust your homeserver, no particular workaround is needed.
References
Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
For more information
If you have any questions or comments about this advisory, e-mail us at security@matrix.org.
CVE-2022-39251
Impact
An attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield.
Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver.
These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm.
Patches
matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages.
Out of caution, several other checks have been audited or added:
m.room_key,m.forwarded_room_keyandm.secret.sendto_device messages are discarded.Workarounds
As this attack requires coordination between a malicious home server and an attacker, if you trust your home server no particular workaround is needed. Notice that the backup spoofing attack is a particularly sophisticated targeted attack.
We are not aware of this attack being used in the wild, though specifying a false positive-free way of noticing malicious key backups key is challenging.
As an abundance of caution, to avoid malicious backup attacks, you should not verify your new logins using emoji/QR verifications methods until patched. Prefer verifying with your security passphrase instead.
References
Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
For more information
If you have any questions or comments about this advisory, e-mail us at security@matrix.org.
CVE-2022-39250
Impact
An attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities, leading to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one.
The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps.
Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable.
Patches
The matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key.
Workarounds
As this attack requires coordination between a malicious homeserver and an attacker -- if you trust your homeserver no particular workaround is needed.
As a potential way of detecting compromise, it’s possible to review your device list or the device list of other users for devices with IDs in the form of a base64 cross-signing key (
5XaczGNlfz0bl8R1IX5qn+tBoue2tWJqLMh+SDUuvCk) instead of classical device ID (SEHACYDHMG).References
Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
For more information
If you have any questions or comments about this advisory, e-mail us at security@matrix.org
CVE-2023-28427
Impact
In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the
Object.prototype, disrupting matrix-js-sdk functionality, causing denial of service and potentially affecting program logic.(This is part 2, where CVE-2022-36059 / GHSA-rfv9-x7hh-xc32 is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)
Patches
The issue has been patched in matrix-js-sdk 24.0.0.
Workarounds
None.
References
For more information
If you have any questions or comments about this advisory please email us at security at matrix.org.
CVE-2023-29529
Impact
An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call.
This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case.
Legacy 1:1 calls are unaffected.
Workarounds
Users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.
CVE-2024-42369
Impact
A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's
getRoomUpgradeHistoryfunction will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug.Even if the CVSS score would be 4.1 (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L) we classify this as High severity issue.
Patches
This was patched in matrix-js-sdk 34.3.1.
Workarounds
Sanity check rooms before passing them to the matrix-js-sdk or avoid calling either
getRoomUpgradeHistoryorleaveRoomChain.References
N/A.
CVE-2024-47080
Impact
In matrix-js-sdk versions 9.11.0 through 34.7.0, the method
MatrixClient.sendSharedHistoryKeysis vulnerable to interception by malicious homeservers. The method implements functionality proposed in MSC3061 and can be used by clients to share historical message keys with newly invited users, granting them access to past messages in the room.However, it unconditionally sends these "shared" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows the attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks.
Note that this only affects clients running the SDK with the legacy crypto stack. Clients using the new Rust cryptography stack (i.e. those that call
MatrixClient.initRustCrypto()instead ofMatrixClient.initCrypto()) are unaffected by this vulnerability, becauseMatrixClient.sendSharedHistoryKeys()raises an exception in such environments.Patches
Fixed in matrix-js-sdk 34.8.0 by removing the vulnerable functionality.
Workarounds
Remove use of affected functionality from clients.
References
For more information
If you have any questions or comments about this advisory, please email us at security at matrix.org.
CVE-2024-50336
Summary
matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver.
Details
The Matrix specification demands homeservers to perform validation of the
server-nameandmedia-idcomponents of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent client-side path traversal. matrix-js-sdk fails to perform this validation.Patches
Fixed in matrix-js-sdk 34.11.1.
Workarounds
None.
References
Release Notes
matrix-org/matrix-js-sdk (matrix-js-sdk)
v34.11.1Compare Source
====================================================================================================
v34.10.0Compare Source
====================================================================================================
🦖 Deprecations
CreateSecretStorageOpts.keyBackupInfoused inCryptoApi.bootstrapSecretStorage.(#4474). Contributed by @florianduros.MatrixClient.getDehydratedDevice(#4467). Contributed by @florianduros.✨ Features
<sender>|<session>notation in log messages (#4473). Contributed by @richvdh.🐛 Bug Fixes
v34.9.0Compare Source
==================================================================================================
🦖 Deprecations
🐛 Bug Fixes
v34.8.0Compare Source
==================================================================================================
This release removes insecure functionality, resolving CVE-2024-47080 / GHSA-4jf8-g8wp-cx7c.
v34.7.0Compare Source
==================================================================================================
🦖 Deprecations
✨ Features
CryptoApi.pinCurrentUserIdentityandUserIdentity.needsUserApproval(#4415). Contributed by @richvdh.v34.6.0Compare Source
==================================================================================================
🦖 Deprecations
✨ Features
v34.5.0Compare Source
==================================================================================================
🦖 Deprecations
CryptoCallbacks.onSecretRequestedandCryptoCallbacks.getDehydrationKey(#4376). Contributed by @richvdh.v34.4.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v34.3.1Compare Source
==================================================================================================
v34.3.0Compare Source
==================================================================================================
✨ Features
m.room_key.withheldmessages (#4310). Contributed by @richvdh.🐛 Bug Fixes
v34.2.0Compare Source
==================================================================================================
🐛 Bug Fixes
v34.1.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v34.0.0Compare Source
==================================================================================================
🚨 BREAKING CHANGES
✨ Features
🐛 Bug Fixes
v33.1.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v33.0.0Compare Source
==================================================================================================
🚨 BREAKING CHANGES
🦖 Deprecations
✨ Features
initRustCrypto: allow app to pass in the store key directly (#4210). Contributed by @richvdh.🐛 Bug Fixes
v32.4.0Compare Source
==================================================================================================
v32.3.0Compare Source
==================================================================================================
✨ Features
decodeIdToken(#4193). Contributed by @t3chguy.🐛 Bug Fixes
m.room.redactionevents withoutredacts(#4192). Contributed by @t3chguy.v32.2.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v32.1.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v32.0.0Compare Source
==================================================================================================
🚨 BREAKING CHANGES
✨ Features
decryptExistingEventtest helper (#4133). Contributed by @richvdh.sendEvent(#4108). Contributed by @t3chguy.sendStateEvent(#4105). Contributed by @t3chguy.🐛 Bug Fixes
IPowerLevelsContentandhasSufficientPowerLevelFor(#4128). Contributed by @galash13.v31.6.1Compare Source
==================================================================================================
🐛 Bug Fixes
v31.6.0Compare Source
==================================================================================================
✨ Features
.m.rule.is_room_mentionpush rule to DEFAULT_OVERRIDE_RULES (#4100). Contributed by @t3chguy.🐛 Bug Fixes
v31.5.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v31.4.0Compare Source
==================================================================================================
✨ Features
account_management_uriandaccount_management_actions_supportedfrom OIDC Issuer well-known (#4074). Contributed by @t3chguy.🐛 Bug Fixes
v31.3.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
timelinea getter (#4022). Contributed by @florianduros.v31.2.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
roomKeyCountsless often (#4015). Contributed by @BillCarsonFr.v31.1.0Compare Source
==================================================================================================
✨ Features
v31.0.0Compare Source
==================================================================================================
🚨 BREAKING CHANGES
✨ Features
🐛 Bug Fixes
bootstrapSecretStoragenot resetting key backup when requested (#3976). Contributed by @uhoreg.v30.3.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v30.2.0Compare Source
==================================================================================================
✨ Features
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.