Bug 1205801 (CVE-2022-39334) - VUL-0: CVE-2022-39334: nextcloud-desktop: Client incorrectly trusts invalid TLS certificates
Summary: VUL-0: CVE-2022-39334: nextcloud-desktop: Client incorrectly trusts invalid T...
Status: RESOLVED FIXED
Alias: CVE-2022-39334
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.4
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/348953/
Whiteboard:
Keywords:
Depends on:
Blocks: 1213080
Reported: 2022-11-28 08:15 UTC by Cathy Hu
Modified: 2023-07-10 16:14 UTC
CC: 1 user

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Cathy Hu 2022-11-28 08:15:15 UTC
CVE-2022-39334

Nextcloud desktop is the desktop sync client for Nextcloud. Versions prior to
3.6.1 would incorrectly trust invalid TLS certificates. A Man-in-the-middle
attack is possible in case a user can be made to run a nextcloudcmd CLI command
locally. It is recommended that the Nextcloud Desktop client is upgraded to
3.6.1. There are no known workarounds for this vulnerability.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39334
https://www.cve.org/CVERecord?id=CVE-2022-39334
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv
http://www.cvedetails.com/cve/CVE-2022-39334/
https://github.com/nextcloud/desktop/pull/5022
https://github.com/nextcloud/desktop/issues/4927
https://hackerone.com/reports/1699740
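The bug class in the description above, shown as an added example that is not Nextcloud's code and does not reproduce the actual fix in desktop PR 5022 (the real client is C++/Qt; Go is used here because its standard library can mint a certificate and run a TLS endpoint offline). The program starts a loopback TLS server with a self-signed certificate constructed in memory, standing in for whatever an on-path attacker would present, and dials it three ways: with certificate verification switched off (the "trusts invalid certificates" behaviour), with verification on against the system trust store (must fail), and with verification on and that one certificate explicitly trusted (the correct way to handle a private-CA server). The names Run, Outcome, connect, startServer and newSelfSignedCert are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert mints an in-memory self-signed certificate for "localhost", the
// kind an on-path attacker can produce at will (name matches, no trusted CA behind it).
func newSelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// startServer serves the certificate on a loopback port; each connection is handshaked and closed.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			_ = c.(*tls.Conn).Handshake() // errors when the client refuses our certificate; expected
			c.Close()
		}
	}()
	return ln, nil
}

// connect dials addr with cfg and returns the handshake error (nil on success).
func connect(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Outcome records how each client configuration treated the untrusted certificate.
type Outcome struct {
	InsecureAccepted bool // verification disabled: attacker's certificate accepted
	DefaultRejected  bool // verification on, system roots only: handshake refused
	PinnedAccepted   bool // verification on, the expected certificate trusted explicitly
}
// Run exercises the three client configurations against one server.
func Run() (out Outcome, err error) {
	cert, err := newSelfSignedCert()
	if err != nil {
		return out, err
	}
	ln, err := startServer(cert)
	if err != nil {
		return out, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	// 1. The bug class: certificate errors ignored, so anyone on the path can present any certificate.
	out.InsecureAccepted = connect(addr, &tls.Config{ServerName: "localhost", InsecureSkipVerify: true}) == nil
	// 2. Fixed behaviour: verification on, certificate chains to nothing trusted, handshake fails.
	out.DefaultRejected = connect(addr, &tls.Config{ServerName: "localhost"}) != nil
	// 3. Reaching a self-signed server correctly: trust that one certificate, not every certificate.
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	out.PinnedAccepted = connect(addr, &tls.Config{ServerName: "localhost", RootCAs: pool}) == nil
	return out, nil
}

func main() {
	out, err := Run()
	fmt.Println(out, err) // {true true true} <nil>
}
```

The practical check for a sync client or CLI tool is case 2: point it at a server presenting a certificate no configured CA issued and confirm it refuses to sync. If it proceeds, it is behaving like case 1, and any network position between the user and the server is enough to read or alter the traffic; the answer is case 3 (trust the specific certificate), never disabling verification globally.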
Comment 1 Cathy Hu 2022-11-28 08:15:57 UTC
Affected:
- openSUSE:Backports:SLE-15-SP3/nextcloud-desktop  3.1.3 
- openSUSE:Backports:SLE-15-SP4/nextcloud-desktop  3.3.6 

Not Affected:
- openSUSE:Factory/nextcloud-desktop               3.6.2
Comment 2 OBSbugzilla Bot 2023-04-01 10:15:09 UTC
This is an autogenerated message for OBS integration:
This bug (1205801) was mentioned in
https://build.opensuse.org/request/show/1076605 Backports:SLE-15-SP4 / nextcloud-desktop
Comment 3 Marcus Meissner 2023-04-13 15:33:56 UTC
openSUSE-SU-2023:0090-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1201070,1205798,1205799,1205800,1205801,1207976
CVE References: CVE-2022-39331,CVE-2022-39332,CVE-2022-39333,CVE-2022-39334,CVE-2023-23942
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src):    nextcloud-desktop-3.8.0-bp154.2.3.1
Comment 4 Marcus Meissner 2023-04-13 15:38:50 UTC
openSUSE-SU-2023:0090-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1201070,1205798,1205799,1205800,1205801,1207976
CVE References: CVE-2022-39331,CVE-2022-39332,CVE-2022-39333,CVE-2022-39334,CVE-2023-23942
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src):    nextcloud-desktop-3.8.0-bp154.2.3.1
Comment 5 Marcus Meissner 2023-04-13 15:42:20 UTC
done
Comment 6 Andreas Stieger 2023-07-06 16:32:06 UTC
from bug 1213080, update missing in 15.5
Comment 7 Andreas Stieger 2023-07-06 16:44:53 UTC
submitted the 15.4 update to 15.5. Eric, please approve the maintenance request review when it gets to you, and assign the bugs back to security-team@suse.de for processing.
Comment 8 OBSbugzilla Bot 2023-07-06 17:05:06 UTC
This is an autogenerated message for OBS integration:
This bug (1205801) was mentioned in
https://build.opensuse.org/request/show/1097432 Backports:SLE-15-SP5 / nextcloud-desktop
Comment 9 Andreas Stieger 2023-07-07 06:11:13 UTC
Picking a random project maintainer.

Please review https://build.opensuse.org/request/show/1097432
This puts the 15.4 package into 15.5.

Then assign to security-team@suse.de

The package has a bugowner @ecsos who is not maintainer. This is not consistent. See SR#1097478 for the permission. (same problem as the "state maintainer" problem)

The distro has no structured mechanism to detect missed updates. You should fix this.
Comment 10 Marcus Meissner 2023-07-10 16:06:20 UTC
openSUSE-SU-2023:0171-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1205798,1205799,1205800,1205801,1207976
CVE References: CVE-2022-39331,CVE-2022-39332,CVE-2022-39333,CVE-2022-39334,CVE-2023-23942
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src):    nextcloud-desktop-3.8.0-bp155.2.3.1
Comment 11 Andreas Stieger 2023-07-10 16:14:22 UTC
Done for 15.5 now too, closing