Update dependency matrix-js-sdk to v34 [SECURITY] #21
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^32.0.0->^34.0.0GitHub Vulnerability Alerts
CVE-2024-42369
Impact
A malicious homeserver can craft a room or room structure such that the predecessors form a cycle. The matrix-js-sdk's
getRoomUpgradeHistoryfunction will infinitely recurse in this case, causing the code to hang. This method is public but also called by the 'leaveRoomChain()' method, so leaving a room will also trigger the bug.Even if the CVSS score would be 4.1 (AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L) we classify this as High severity issue.
Patches
This was patched in matrix-js-sdk 34.3.1.
Workarounds
Sanity check rooms before passing them to the matrix-js-sdk or avoid calling either
getRoomUpgradeHistoryorleaveRoomChain.References
N/A.
CVE-2024-47080
Impact
In matrix-js-sdk versions 9.11.0 through 34.7.0, the method
MatrixClient.sendSharedHistoryKeysis vulnerable to interception by malicious homeservers. The method implements functionality proposed in MSC3061 and can be used by clients to share historical message keys with newly invited users, granting them access to past messages in the room.However, it unconditionally sends these "shared" keys to all of the invited user's devices, regardless of whether the user's cryptographic identity is verified or whether the user's devices are signed by that identity. This allows the attacker to potentially inject its own devices to receive sensitive historical keys without proper security checks.
Note that this only affects clients running the SDK with the legacy crypto stack. Clients using the new Rust cryptography stack (i.e. those that call
MatrixClient.initRustCrypto()instead ofMatrixClient.initCrypto()) are unaffected by this vulnerability, becauseMatrixClient.sendSharedHistoryKeys()raises an exception in such environments.Patches
Fixed in matrix-js-sdk 34.8.0 by removing the vulnerable functionality.
Workarounds
Remove use of affected functionality from clients.
References
For more information
If you have any questions or comments about this advisory, please email us at security at matrix.org.
CVE-2024-50336
Summary
matrix-js-sdk before 34.11.0 is vulnerable to client-side path traversal via crafted MXC URIs. A malicious room member can trigger clients based on the matrix-js-sdk to issue arbitrary authenticated GET requests to the client's homeserver.
Details
The Matrix specification demands homeservers to perform validation of the
server-nameandmedia-idcomponents of MXC URIs with the intent to prevent path traversal. However, it is not mentioned that a similar check must also be performed on the client to prevent client-side path traversal. matrix-js-sdk fails to perform this validation.Patches
Fixed in matrix-js-sdk 34.11.1.
Workarounds
None.
References
Release Notes
matrix-org/matrix-js-sdk (matrix-js-sdk)
v34.11.1Compare Source
====================================================================================================
v34.10.0Compare Source
====================================================================================================
🦖 Deprecations
CreateSecretStorageOpts.keyBackupInfoused inCryptoApi.bootstrapSecretStorage.(#4474). Contributed by @florianduros.MatrixClient.getDehydratedDevice(#4467). Contributed by @florianduros.✨ Features
<sender>|<session>notation in log messages (#4473). Contributed by @richvdh.🐛 Bug Fixes
v34.9.0Compare Source
==================================================================================================
🦖 Deprecations
🐛 Bug Fixes
v34.8.0Compare Source
==================================================================================================
This release removes insecure functionality, resolving CVE-2024-47080 / GHSA-4jf8-g8wp-cx7c.
v34.7.0Compare Source
==================================================================================================
🦖 Deprecations
✨ Features
CryptoApi.pinCurrentUserIdentityandUserIdentity.needsUserApproval(#4415). Contributed by @richvdh.v34.6.0Compare Source
==================================================================================================
🦖 Deprecations
✨ Features
v34.5.0Compare Source
==================================================================================================
🦖 Deprecations
CryptoCallbacks.onSecretRequestedandCryptoCallbacks.getDehydrationKey(#4376). Contributed by @richvdh.v34.4.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v34.3.1Compare Source
==================================================================================================
v34.3.0Compare Source
==================================================================================================
✨ Features
m.room_key.withheldmessages (#4310). Contributed by @richvdh.🐛 Bug Fixes
v34.2.0Compare Source
==================================================================================================
🐛 Bug Fixes
v34.1.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v34.0.0Compare Source
==================================================================================================
🚨 BREAKING CHANGES
✨ Features
🐛 Bug Fixes
v33.1.0Compare Source
==================================================================================================
✨ Features
🐛 Bug Fixes
v33.0.0Compare Source
==================================================================================================
🚨 BREAKING CHANGES
🦖 Deprecations
✨ Features
initRustCrypto: allow app to pass in the store key directly (#4210). Contributed by @richvdh.🐛 Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.