deps: Update dependency matrix-js-sdk to v24 [SECURITY] #3185
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-matrix-js-sdk-vulnerability
branch
from
ab1c10c
to
6475787
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^19.5.0->^24.0.0GitHub Vulnerability Alerts
CVE-2022-39236
Impact
Improperly formed beacon events (from MSC3488) can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer.
Patches
This is patched in matrix-js-sdk v19.7.0
Workarounds
Redacting applicable events, waiting for the sync processor to store data, and restarting the client can often fix it. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues.
Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.
References
N/A - This was a logic error in the SDK.
For more information
If you have any questions or comments about this advisory please email us at security at matrix.org.
CVE-2022-39249
Impact
An attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others.
This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end.
Key forwarding is a mechanism allowing clients to recover from “unable to decrypt” messages when they missed the initial key distribution, at the time the message was originally sent. Examples include accessing message history before they joined the room but also when some network/federation errors have occurred.
Patches
The default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices.
A unique exception to this rule is with the experimental MSC3061, that is forwarding room keys for past messages when invited in a room configured with the proper history visibility setting. Such key forwards are parked upon receipt and are only accepted if the SDK receives an invitation for that room from the inviter in a limited time window.
The SDK now sets a
trustedflag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key withtrusted = falseare decorated appropriately (for example, by showing a warning for such messages).Workarounds
As this attack requires coordination between a malicious homeserver and an attacker, if you trust your homeserver, no particular workaround is needed.
References
Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
For more information
If you have any questions or comments about this advisory, e-mail us at security@matrix.org.
CVE-2022-39251
Impact
An attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield.
Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, to inject the key backup secret during a self-verification, to make a targeted device start using a malicious key backup spoofed by the homeserver.
These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm.
Patches
matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages.
Out of caution, several other checks have been audited or added:
m.room_key,m.forwarded_room_keyandm.secret.sendto_device messages are discarded.Workarounds
As this attack requires coordination between a malicious home server and an attacker, if you trust your home server no particular workaround is needed. Notice that the backup spoofing attack is a particularly sophisticated targeted attack.
We are not aware of this attack being used in the wild, though specifying a false positive-free way of noticing malicious key backups key is challenging.
As an abundance of caution, to avoid malicious backup attacks, you should not verify your new logins using emoji/QR verifications methods until patched. Prefer verifying with your security passphrase instead.
References
Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
For more information
If you have any questions or comments about this advisory, e-mail us at security@matrix.org.
CVE-2022-39250
Impact
An attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities, leading to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one.
The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps.
Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable.
Patches
The matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device ID matches a cross-signing key.
Workarounds
As this attack requires coordination between a malicious homeserver and an attacker -- if you trust your homeserver no particular workaround is needed.
As a potential way of detecting compromise, it’s possible to review your device list or the device list of other users for devices with IDs in the form of a base64 cross-signing key (
5XaczGNlfz0bl8R1IX5qn+tBoue2tWJqLMh+SDUuvCk) instead of classical device ID (SEHACYDHMG).References
Blog post: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
For more information
If you have any questions or comments about this advisory, e-mail us at security@matrix.org
CVE-2023-28427
Impact
In certain configurations, data sent by remote servers containing special strings in key locations could cause modifications of the
Object.prototype, disrupting matrix-js-sdk functionality, causing denial of service and potentially affecting program logic.(This is part 2, where CVE-2022-36059 / GHSA-rfv9-x7hh-xc32 is part 1. Part 2 covers remaining vectors not covered by part 1, found in a codebase audit scheduled after part 1.)
Patches
The issue has been patched in matrix-js-sdk 24.0.0.
Workarounds
None.
References
For more information
If you have any questions or comments about this advisory please email us at security at matrix.org.
CVE-2023-29529
Impact
An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call.
This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case.
Legacy 1:1 calls are unaffected.
Workarounds
Users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.
Release Notes
matrix-org/matrix-js-sdk (matrix-js-sdk)
v24.1.0Compare Source
==================================================================================================
✨ Features
closedevent when IndexedDB closes unexpectedly (#3218).processBeaconEventshotpath (#3200).🐛 Bug Fixes
eventShouldLiveIn) (#3227). Contributed by @jryans.v24.0.0Compare Source
==================================================================================================
🔒 Security
v23.5.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
m.relates_to(#3178).v23.4.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v23.3.0Compare Source
==================================================================================================
✨ Features
MegolmEncrypter#prepareToEncrypt's return type has changed fromvoidto() => void. (#3035). Contributed by @clarkf.🐛 Bug Fixes
opponentDeviceInfo(#3107).v23.2.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v23.1.1Compare Source
==================================================================================================
🐛 Bug Fixes
v23.1.0Compare Source
==================================================================================================
🦖 Deprecations
✨ Features
device_idto/account/whoamitypes (#3005).🐛 Bug Fixes
v23.0.0Compare Source
==================================================================================================
🚨 BREAKING CHANGES
m.room.encryptionevents before emittingRoomMemberevents (#2914). Fixes vector-im/element-web#23819.callsonGroupCall(#2941).✨ Features
🐛 Bug Fixes
v22.0.0Compare Source
==================================================================================================
🚨 BREAKING CHANGES
🦖 Deprecations
✨ Features
🐛 Bug Fixes
v21.2.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
initialiseState()(#2846).initLocalCallFeedandleave(#2826).v21.1.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
instanceof ArraywithArray.isArray(#2812). Fixes #2811.v21.0.1Compare Source
==================================================================================================
🐛 Bug Fixes
Authorization: Bearer undefinedfor password resets (#2822). Fixes vector-im/element-web#23655.v21.0.0Compare Source
==================================================================================================
🚨 BREAKING CHANGES
uploadContentAPI, kills offrequestandbrowser-requestin favour offetch, removed callback support on a lot of the methods, adds a lot of tests. (#2719). Fixes #2415 and #801.m.room.aliasesreferences (#2759). Fixes vector-im/element-web#12680.✨ Features
/room_keys(#2746).power_level_content_overridetype (#2741)./room_keys(#2729). Fixes vector-im/element-web#22839.🐛 Bug Fixes
/api(#2761). Fixes vector-im/element-web#23505.v20.1.0Compare Source
============================================================================================================
✨ Features
🐛 Bug Fixes
v20.0.2Compare Source
==================================================================================================
🐛 Bug Fixes
v20.0.1Compare Source
==================================================================================================
🐛 Bug Fixes
v20.0.0Compare Source
==================================================================================================
🚨 BREAKING CHANGES
v19.7.0Compare Source
==================================================================================================
🔒 Security
v19.6.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.