Bug 1096833 - (CVE-2018-12291) VUL-0: CVE-2018-12291: matrix-synapse: event visibility rules not applied correctly
Status: RESOLVED FIXED
Duplicates: 1096832
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.0
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
Whiteboard: obs:running:11212:moderate
Reported: 2018-06-10 15:14 UTC by Andreas Stieger
Modified: 2022-11-24 14:25 UTC
Description Andreas Stieger 2018-06-10 15:14:34 UTC
from https://github.com/matrix-org/synapse/releases/tag/v0.31.1

Changes in synapse v0.31.1 (2018-06-08)

v0.31.1 fixes a security bug in the get_missing_events federation API
where event visibility rules were not applied correctly.

We are not aware of it being actively exploited but please upgrade asap.

Bug Fixes:

    Fix event filtering in get_missing_events handler (PR #3371)

https://github.com/matrix-org/synapse/commit/ad9edd1d968f19dd4d7c65102fe552076ca9bc5a
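The release note names the bug class (a federation endpoint handing out events without applying per-server visibility) but not the shape of the missing check. What follows is an added illustration written for this report, not code from synapse or from PR #3371: a toy get_missing_events handler in its vulnerable and fixed forms. The event layout, the history_visibility and joined_users snapshot carried on each event, the server and user names and every function name are assumptions of the example.

```python
"""Toy model of a federation get_missing_events handler before and after
per-server visibility filtering. Added illustration for bug 1096833, not code
from synapse; the event layout and all names are assumptions of the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    event_id: str
    prev_event_id: Optional[str]   # linear history stands in for the real event DAG
    history_visibility: str        # m.room.history_visibility value in force at this event
    joined_users: FrozenSet[str]   # users joined to the room when this event was sent


def server_of(user_id: str) -> str:
    """Matrix user IDs are @localpart:server; the server part is what federation filters on."""
    return user_id.split(":", 1)[1]


def is_visible_to_server(event: Event, origin: str) -> bool:
    """Simplified server-side visibility rule: world_readable history is open,
    otherwise the requesting server must have had a joined user at that point."""
    if event.history_visibility == "world_readable":
        return True
    return any(server_of(u) == origin for u in event.joined_users)


def walk_missing(events_by_id: Dict[str, Event], earliest_ids: Iterable[str],
                 latest_ids: Iterable[str], limit: int) -> List[Event]:
    """Walk backwards from latest_ids through prev_event_id, stopping at the
    events the requester already has (earliest_ids) or at limit."""
    earliest = set(earliest_ids)
    missing: List[Event] = []
    seen = set()
    queue = [events_by_id[e].prev_event_id for e in latest_ids if e in events_by_id]
    while queue and len(missing) < limit:
        eid = queue.pop(0)
        if eid is None or eid in seen or eid in earliest:
            continue
        seen.add(eid)
        ev = events_by_id.get(eid)
        if ev is None:
            continue
        missing.append(ev)
        queue.append(ev.prev_event_id)
    return missing


def on_get_missing_events_unfiltered(events_by_id, origin, earliest_ids, latest_ids, limit=10):
    """Vulnerable shape: whatever the DAG walk found is returned to the peer,
    regardless of whether `origin` was ever allowed to see it."""
    return walk_missing(events_by_id, earliest_ids, latest_ids, limit)


def on_get_missing_events_filtered(events_by_id, origin, earliest_ids, latest_ids, limit=10):
    """Fixed shape: the same walk, followed by the per-server visibility check
    that the other federation endpoints already apply to outgoing events."""
    found = walk_missing(events_by_id, earliest_ids, latest_ids, limit)
    return [ev for ev in found if is_visible_to_server(ev, origin)]


def build_sample_room() -> Dict[str, Event]:
    """Constructed history (not real traffic): @bob:other.example joins at e2,
    leaves at e4 and rejoins at e6, so e5 must never be served to other.example."""
    alice, bob = "@alice:home.example", "@bob:other.example"
    events = [
        Event("e1", None, "shared", frozenset({alice})),        # room created by alice
        Event("e2", "e1", "shared", frozenset({alice, bob})),   # bob joins
        Event("e3", "e2", "shared", frozenset({alice, bob})),   # message while bob is joined
        Event("e4", "e3", "shared", frozenset({alice, bob})),   # bob leaves (leaver still sees own leave)
        Event("e5", "e4", "shared", frozenset({alice})),        # message sent after bob left
        Event("e6", "e5", "shared", frozenset({alice, bob})),   # bob rejoins; other.example now has e6
    ]
    return {ev.event_id: ev for ev in events}


def event_ids(events: Iterable[Event]) -> List[str]:
    return [ev.event_id for ev in events]


if __name__ == "__main__":
    room = build_sample_room()
    args = (room, "other.example", {"e1"}, ["e6"])
    print("before fix:", event_ids(on_get_missing_events_unfiltered(*args)))  # e5 leaks
    print("after fix: ", event_ids(on_get_missing_events_filtered(*args)))
```

Two points of the model are worth noting when reading the real fix: the filter runs after the backfill walk, so `limit` bounds the events examined rather than the events returned, and a response can legitimately be shorter than the peer asked for; and the check is keyed on the requesting server (the `origin` of the federation request), not on any user, which is why a server whose only member has left must be denied events sent during the gap.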
Comment 1 Andreas Stieger 2018-06-11 13:37:12 UTC
*** Bug 1096832 has been marked as a duplicate of this bug. ***
Comment 2 Andreas Stieger 2018-06-11 13:48:22 UTC
To backport, run osc mbranch matrix-synapse and apply the following patch:

https://github.com/matrix-org/synapse/pull/3371/commits/0834b49c6a9b6c597a154d4b2dfcf8fff90699ec
Comment 3 Oliver Kurz 2018-06-13 11:57:23 UTC
https://build.opensuse.org/request/show/616521
Comment 4 Oliver Kurz 2018-06-13 12:00:08 UTC
I meant https://build.opensuse.org/request/show/616522 (with the patch file)
Comment 5 Oliver Kurz 2018-06-13 12:10:38 UTC
Back to security then, according to astieger.
Comment 6 Karol Babioch 2018-06-13 13:33:44 UTC
CVE-2018-12291 was assigned to this.
Comment 7 Swamp Workflow Management 2018-06-20 19:10:53 UTC
openSUSE-SU-2018:1767-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1096833
CVE References: CVE-2018-12291
Sources used:
openSUSE Leap 15.0 (src):    matrix-synapse-0.28.1-lp150.2.4.1, matrix-synapse-test-0.28.1-lp150.2.4.1
Comment 8 Marcus Meissner 2018-07-09 15:17:40 UTC
released
Comment 9 OBSbugzilla Bot 2022-11-24 14:25:03 UTC
This is an autogenerated message for OBS integration:
This bug (1096833) was mentioned in
https://build.opensuse.org/request/show/1037916 Backports:SLE-15-SP4 / matrix-synapse