Bug 1194020 - (CVE-2021-44538) VUL-0: CVE-2021-44538: element-web,element-desktop: buffer overflow in olm_session_describe() via a crafted sequence of messages
(CVE-2021-44538)
VUL-0: CVE-2021-44538: element-web,element-desktop: buffer overflow in olm_se...
Status: REOPENED
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Leap 15.3
Other Other
: P3 - Medium : Normal (vote)
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/317477/
CVSSv3.1:SUSE:CVE-2021-4126:5.3:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-12-22 16:37 UTC by Gabriele Sonnu
Modified: 2022-03-01 20:24 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gabriele Sonnu 2021-12-22 16:37:03 UTC
The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver's session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web And SchildiChat Web.

Reference:
https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2033690
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44538
https://matrix.org/blog/2021/12/13/disclosure-buffer-overflow-in-libolm-and-matrix-js-sdk
https://gitlab.matrix.org/matrix-org/olm/-/tags
Comment 1 Gabriele Sonnu 2021-12-22 16:37:44 UTC
openSUSE binaries already fixed, closing.
Comment 2 Gianluca Gabrielli 2022-01-04 13:39:34 UTC
This is also affecting Mozilla Thunderbird < 91.4.1 due to the Matrix chat library libolm bundled with Thunderbird.
Comment 3 Swamp Workflow Management 2022-01-12 14:16:48 UTC
SUSE-SU-2022:0058-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194020,1194215
CVE References: CVE-2021-4126,CVE-2021-44538
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    MozillaThunderbird-91.4.1-8.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2022-01-12 14:18:00 UTC
openSUSE-SU-2022:0058-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1194020,1194215
CVE References: CVE-2021-4126,CVE-2021-44538
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaThunderbird-91.4.1-8.48.1
Comment 5 Swamp Workflow Management 2022-03-01 20:24:14 UTC
openSUSE-SU-2022:0058-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1144018,1181400,1194020,1194215,1194681
CVE References: CVE-2020-15803,CVE-2021-27927,CVE-2021-4126,CVE-2021-44538,CVE-2022-23134
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaThunderbird-91.4.1-8.48.1
openSUSE Backports SLE-15-SP3 (src):    zabbix-4.0.38-bp153.2.3.1