Merge branch 'v0.10.2-fixes'

Nicolas Werner 2022-09-28 14:27:54 +02:00
commit 2fde381a82
No known key found for this signature in database
GPG key ID: C8D75E610773F2D9
5 changed files with 45 additions and 21 deletions


@ -1,5 +1,18 @@
# Changelog # Changelog
## [0.10.2] -- 2022-09-22
### Security release
- Fixes potential secret poisoning by the homeserver
- A crash when validation malicious html
Thanks to the matrix.org security team for disclosing this issue.
An update is highly recommended. Otherwise you can temporarily protect against
this issue by not verifying your own devices and not pressing the request button
in the setting.
## [0.10.1] -- 2022-09-07 ## [0.10.1] -- 2022-09-07
### Highlights ### Highlights


@ -107,7 +107,7 @@ include(GNUInstallDirs)
set(CPACK_PACKAGE_VERSION_MAJOR "0") set(CPACK_PACKAGE_VERSION_MAJOR "0")
set(CPACK_PACKAGE_VERSION_MINOR "10") set(CPACK_PACKAGE_VERSION_MINOR "10")
set(CPACK_PACKAGE_VERSION_PATCH "1") set(CPACK_PACKAGE_VERSION_PATCH "2")
set(PROJECT_VERSION_MAJOR ${CPACK_PACKAGE_VERSION_MAJOR}) set(PROJECT_VERSION_MAJOR ${CPACK_PACKAGE_VERSION_MAJOR})
set(PROJECT_VERSION_MINOR ${CPACK_PACKAGE_VERSION_MINOR}) set(PROJECT_VERSION_MINOR ${CPACK_PACKAGE_VERSION_MINOR})
set(PROJECT_VERSION_PATCH ${CPACK_PACKAGE_VERSION_PATCH}) set(PROJECT_VERSION_PATCH ${CPACK_PACKAGE_VERSION_PATCH})


@ -1,6 +1,6 @@
--- ---
version: 0.10.1-{build} version: 0.10.2-{build}
configuration: Release configuration: Release
image: Visual Studio 2022 image: Visual Studio 2022
@ -29,8 +29,8 @@ build_script:
# VERSION format: branch-master/branch-1.2 # VERSION format: branch-master/branch-1.2
# INSTVERSION format: x.y.z # INSTVERSION format: x.y.z
# WINVERSION format: 9999.0.0.123/1.2.0.234 # WINVERSION format: 9999.0.0.123/1.2.0.234
- if "%APPVEYOR_REPO_TAG%"=="false" set INSTVERSION=0.10.1 - if "%APPVEYOR_REPO_TAG%"=="false" set INSTVERSION=0.10.2
- if "%APPVEYOR_REPO_TAG%"=="false" set VERSION=0.10.1 - if "%APPVEYOR_REPO_TAG%"=="false" set VERSION=0.10.2
- if "%APPVEYOR_REPO_TAG%"=="false" if "%APPVEYOR_REPO_BRANCH%"=="master" set INSTVERSION=9999.0 - if "%APPVEYOR_REPO_TAG%"=="false" if "%APPVEYOR_REPO_BRANCH%"=="master" set INSTVERSION=9999.0
- if "%APPVEYOR_REPO_TAG%"=="false" set WINVERSION=%INSTVERSION%.0.%APPVEYOR_BUILD_NUMBER% - if "%APPVEYOR_REPO_TAG%"=="false" set WINVERSION=%INSTVERSION%.0.%APPVEYOR_BUILD_NUMBER%
# VERSION format: v1.2.3/v1.3.4 # VERSION format: v1.2.3/v1.3.4
@ -92,8 +92,8 @@ after_build:
- copy %BUILD%\deploy\installer\gui\package.xml installer\packages\io.github.nhekoreborn.nheko\meta - copy %BUILD%\deploy\installer\gui\package.xml installer\packages\io.github.nhekoreborn.nheko\meta
- copy %BUILD%\deploy\installer\gui\installscript.qs installer\packages\io.github.nhekoreborn.nheko\meta - copy %BUILD%\deploy\installer\gui\installscript.qs installer\packages\io.github.nhekoreborn.nheko\meta
# Amend version and date # Amend version and date
- sed -i "s/__VERSION__/0.10.1/" installer\config\config.xml - sed -i "s/__VERSION__/0.10.2/" installer\config\config.xml
- sed -i "s/__VERSION__/0.10.1/" installer\packages\io.github.nhekoreborn.nheko\meta\package.xml - sed -i "s/__VERSION__/0.10.2/" installer\packages\io.github.nhekoreborn.nheko\meta\package.xml
- sed -i "s/__DATE__/%DATE%/" installer\packages\io.github.nhekoreborn.nheko\meta\package.xml - sed -i "s/__DATE__/%DATE%/" installer\packages\io.github.nhekoreborn.nheko\meta\package.xml
# Copy nheko data # Copy nheko data
- xcopy NhekoData\*.* installer\packages\io.github.nhekoreborn.nheko\data\*.* /s /e /c /y - xcopy NhekoData\*.* installer\packages\io.github.nhekoreborn.nheko\data\*.* /s /e /c /y


@ -61,6 +61,7 @@
<url type="homepage">https://github.com/Nheko-Reborn/nheko</url> <url type="homepage">https://github.com/Nheko-Reborn/nheko</url>
<update_contact>https://github.com/Nheko-Reborn</update_contact> <update_contact>https://github.com/Nheko-Reborn</update_contact>
<releases> <releases>
<release date="2022-09-28" version="0.10.2"/>
<release date="2022-09-07" version="0.10.1"/> <release date="2022-09-07" version="0.10.1"/>
<release date="2022-07-22" version="0.10.0"/> <release date="2022-07-22" version="0.10.0"/>
<release date="2022-03-25" version="0.9.3"/> <release date="2022-03-25" version="0.9.3"/>


@ -342,10 +342,13 @@ handle_olm_message(const OlmMessage &msg, const UserKeyCache &otherUserDeviceKey
if (msg.sender != local_user.to_string()) if (msg.sender != local_user.to_string())
return; return;
auto secret_name = request_id_to_secret_name.find(e->content.request_id); auto secret_name_it = request_id_to_secret_name.find(e->content.request_id);
if (secret_name != request_id_to_secret_name.end()) { if (secret_name_it != request_id_to_secret_name.end()) {
nhlog::crypto()->info("Received secret: {}", secret_name->second); auto secret_name = secret_name_it->second;
request_id_to_secret_name.erase(secret_name_it);
nhlog::crypto()->info("Received secret: {}", secret_name);
mtx::events::msg::SecretRequest secretRequest{}; mtx::events::msg::SecretRequest secretRequest{};
secretRequest.action = mtx::events::msg::RequestAction::Cancellation; secretRequest.action = mtx::events::msg::RequestAction::Cancellation;
@ -358,15 +361,24 @@ handle_olm_message(const OlmMessage &msg, const UserKeyCache &otherUserDeviceKey
return; return;
auto deviceKeys = cache::userKeys(local_user.to_string()); auto deviceKeys = cache::userKeys(local_user.to_string());
if (!deviceKeys)
return;
std::string sender_device_id; std::string sender_device_id;
if (deviceKeys) { for (auto &[dev, key] : deviceKeys->device_keys) {
for (auto &[dev, key] : deviceKeys->device_keys) { if (key.keys["curve25519:" + dev] == msg.sender_key) {
if (key.keys["curve25519:" + dev] == msg.sender_key) { sender_device_id = dev;
sender_device_id = dev; break;
break;
}
} }
} }
if (!verificationStatus->verified_devices.count(sender_device_id) ||
!verificationStatus->verified_device_keys.count(msg.sender_key) ||
verificationStatus->verified_device_keys.at(msg.sender_key) !=
crypto::Trust::Verified) {
nhlog::net()->critical(
"Received secret from unverified device {}! Ignoring!", sender_device_id);
return;
}
std::map<mtx::identifiers::User, std::map<mtx::identifiers::User,
std::map<std::string, mtx::events::msg::SecretRequest>> std::map<std::string, mtx::events::msg::SecretRequest>>
@ -380,19 +392,17 @@ handle_olm_message(const OlmMessage &msg, const UserKeyCache &otherUserDeviceKey
http::client()->send_to_device<mtx::events::msg::SecretRequest>( http::client()->send_to_device<mtx::events::msg::SecretRequest>(
http::client()->generate_txn_id(), http::client()->generate_txn_id(),
body, body,
[name = secret_name->second](mtx::http::RequestErr err) { [secret_name](mtx::http::RequestErr err) {
if (err) { if (err) {
nhlog::net()->error("Failed to send request cancellation " nhlog::net()->error("Failed to send request cancellation "
"for secrect " "for secrect "
"'{}'", "'{}'",
name); secret_name);
} }
}); });
nhlog::crypto()->info("Storing secret {}", secret_name->second); nhlog::crypto()->info("Storing secret {}", secret_name);
cache::client()->storeSecret(secret_name->second, e->content.secret); cache::client()->storeSecret(secret_name, e->content.secret);
request_id_to_secret_name.erase(secret_name);
} }
} else if (auto sec_req = std::get_if<DeviceEvent<msg::SecretRequest>>(&device_event)) { } else if (auto sec_req = std::get_if<DeviceEvent<msg::SecretRequest>>(&device_event)) {
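Review bot: The pending entry is removed by `request_id_to_secret_name.erase(secret_name_it);` before the sender is checked, so the two new early returns (`if (!deviceKeys) return;` and the unverified-device branch) consume the request without storing a secret or sending the cancellation that follows. A later reply to the same request id from a verified device would then find no entry and be skipped, so the user has to request the secret again. If that single-use, fail-closed behaviour is intended, say so next to the erase, e.g. `// consume the request id up front: one reply per request, even if the sender is rejected below`; if not, move the erase to just before `storeSecret`. Separately, `sender_device_id` is empty in the critical log line when no device key matched, so logging `msg.sender_key` there as well would make the rejection traceable. handle_olm_message begins and ends outside these hunks.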