Update matrix-js-sdk to v19.4.0
Categories: Chat Core :: Matrix, task
Tracking: thunderbird_esr102 fixed, thunderbird105 fixed, thunderbird106 fixed
People: Reporter: clokep, Assigned: freaktechnik
Details: Keywords: sec-moderate
Attachments: 1 file, 1 obsolete file
48 bytes, text/x-phabricator-request (wsmwk: approval-comm-beta+, wsmwk: approval-comm-esr102+)
There's going to be an upcoming release of matrix-js-sdk with security fixes. I'm not 100% certain this will be v19.4.0, but I think it will be.
We're going to want to land this ASAP and uplift to beta & ESR 102. (ESR 91 doesn't have Matrix enabled by default and is soon EOL, so can be skipped.)
- comm-esr102 has matrix-js-sdk v17.2.0 (bug 1764160).
- comm-beta and comm-central have matrix-js-sdk v19.0.0 (bug 1778328).
The steps to do this are:
- Uplifting bug 1773497 and bug 1778328 to comm-esr102.
- A new patch to update from v19.0.0 to v19.4.0 for comm-central. (I don't see any breaking changes at https://github.com/matrix-org/matrix-js-sdk/releases/ since v19.0.0 -- hopefully that's accurate.)
- Uplifting that to comm-beta and comm-esr102.
Comment 1 • 2 years ago (Reporter)
I'm also unsure when our next ESR build is going to be, but will want to coordinate that.
Comment 2 • 2 years ago (Assignee)
CVEs will be CVE-2022-36059 and CVE-2022-36060
Comment 3 • 2 years ago (Reporter)
I think one of those is for the matrix-react-sdk, which we don't use. Unsure which at the moment.
Comment 4 • 2 years ago
We plan to build beta on Tuesday. I am hoping to do esr 102.2.1 this week. Wednesday or Thursday?
Comment 5 • 2 years ago (Assignee)
The expected release of the js-sdk security fix will be Wednesday.
Comment 6 • 2 years ago (Reporter)
(In reply to Martin Giger [:freaktechnik] from comment #2)
> CVEs will be CVE-2022-36059 and CVE-2022-36060
I confirmed that only CVE-2022-36059 will affect us. Release should be coming later today for matrix-js-sdk and it looks like Martin requested uplift of the dependent bugs.
Comment 7 • 2 years ago (Reporter)
Note that details of the CVE will not be made public at this time (due to giving people time to upgrade and since a thorough audit is taking place of similar code paths); the overall impact is that it fixes a denial of service attack.
Comment 8 • 2 years ago (Assignee)
Comment 9 • 2 years ago (Assignee)
Comment on attachment 9292480 [details]
Bug 1787741 - Update matrix-js-sdk to version 19.4.0. r=clokep
[Approval Request Comment]
Regression caused by (bug #):
User impact if declined: Security issue in library
Testing completed (on c-c, etc.): Tested that account connects, can send/receive messages, tests and lint passes.
Risk to taking this patch (and alternatives if risky): Low risk, library update without any relevant changes to the public API surface.
Comment 10 • 2 years ago (Assignee)
Comment on attachment 9292480 [details]
Bug 1787741 - Update matrix-js-sdk to version 19.4.0. r=clokep
This patch applies cleanly on top of ESR with bug 1773497 and bug 1778328 applied.
[Approval Request Comment]
Regression caused by (bug #):
User impact if declined: Security issue in library
Testing completed (on c-c, etc.): Tested locally ensuring account setup/connection and messages work, linting and tests pass.
Risk to taking this patch (and alternatives if risky): Low risk, library changes only.
Comment 11 • 2 years ago
Comment 12 • 2 years ago (Reporter)
The URL link to the blog post isn't quite live yet, but you can see the full contents at https://github.com/matrix-org/matrix.org/blob/0faf4ad59d8eeb3d5e1279d48c218e167691994e/gatsby/content/blog/2022/08/2022-08-31-js-react-sdk-security-release.mdx.
Comment 13 • 2 years ago
I wrote up an MFSA as we did for bug 1744056, based on the blog post.
CVE-2022-36059:
  title: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack
  impact:
  reporter: Val Lorentz
  publish: false
  description: |
    Thunderbird users who use the Matrix chat protocol were vulnerable to a denial-of-service attack.
    An adversary sharing a room with a user had the ability to carry out an attack against affected clients,
    making it not show all of a user's rooms or spaces and/or causing minor temporary corruption.
  bugs:
    - url: 1787741
Comment 14 • 2 years ago (Reporter)
(In reply to Rob Lemley [:rjl] from comment #13)
> I wrote up an MFSA as we did for bug 1744056. Based on the blog post.
> CVE-2022-36059:
>   title: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack
>   impact:
>   reporter: Val Lorentz
>   publish: false
>   description: |
>     Thunderbird users who use the Matrix chat protocol were vulnerable to a denial-of-service attack.
>     An adversary sharing a room with a user had the ability to carry out an attack against affected clients,
>     making it not show all of a user's rooms or spaces and/or causing minor temporary corruption.
>   bugs:
>     - url: 1787741
Thanks! Based on https://wiki.mozilla.org/Security_Severity_Ratings/Client I would suggest using an impact of moderate due to the denial of service possibility.
Comment 15 • 2 years ago
Thunderbird 102.2.1:
https://hg.mozilla.org/releases/comm-esr102/rev/fb355eb9c051
Comment 16 • 2 years ago (Assignee)
I had an ESR build with my three Matrix patches running and confirmed the same manual functional tests I did for c-c.
Comment 17 • 2 years ago
Comment 18 • 2 years ago
Comment on attachment 9292480 [details]
Bug 1787741 - Update matrix-js-sdk to version 19.4.0. r=clokep
[Triage Comment]
Approved for both beta and esr102 (and already shipped)
Comment 19 • 2 years ago
Updated suggested MFSA based on information from Patrick.
Comment 20 • 2 years ago
Comment on attachment 9296511 [details]
mfsa2022-43.yml
wrong bug :(
Comment 21 • 2 years ago
Patrick suggested to open this bug to the general public.
Seems fine to me.
Comment 22 • 2 years ago (Reporter)
(In reply to Kai Engert (:KaiE:) from comment #21)
> Patrick suggested to open this bug to the general public.
> Seems fine to me.
Actually, I think we should wait on this one: the blog post about this mentions that the advisory for this will be disclosed "at a later date". I think related fixes are coming in the next release (see bug 1822595). I suspect we should wait in case there's something mentioned above that isn't quite public yet.
Comment 23 • 3 months ago (Reporter)
I think this has been long enough now -- this was fixed before the current ESR and the remaining fixes landed in bug 1822595. The full details were released in a blog post (https://matrix.org/blog/2023/03/28/security-releases-matrix-js-sdk-24-0-0-and-matrix-react-sdk-3-69-0/) back in 2023 from matrix.org.