{ "schema_version": "1.7.0", "id": "MGASA-2020-0475", "published": "2020-12-29T11:57:17Z", "modified": "2020-12-29T10:48:11Z", "summary": "Updated kdeconnect-kde packages improve security", "details": "For the pairing procedure, the GUI component only presented the friendly\n'deviceName' to identify peer devices, which is completely under attacker\ncontrol. Furthermore the 'deviceName' is transmitted in cleartext in UDP\nbroadcast messages for all other nodes in the network segment to see.\nTherefore malicious devices can attempt to confuse users by requesting a\npairing under the same 'deviceName' to gain access to a system.\n\nNow, a sha256 fingerprint of the concatenated public keys of the two involved\ncertificates is displayed. In the initial popup, a prefix of 8 hex digits of\nthe fingerprint is displayed. The full fingerprint is reachable via an\nadditional \"view key\" button.\n", "references": [ { "type": "ADVISORY", "url": "https://advisories.mageia.org/MGASA-2020-0475.html" }, { "type": "REPORT", "url": "https://bugs.mageia.org/show_bug.cgi?id=27700" }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2020/11/30/1" }, { "type": "WEB", "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7S5MEH3CXBXVT2KJAPUZFFUHVVXK6BN7/" } ], "affected": [ { "package": { "ecosystem": "Mageia:7", "name": "kdeconnect-kde", "purl": "pkg:rpm/mageia/kdeconnect-kde?arch=source&distro=mageia-7" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "1.3.4-2.2.mga7" } ] } ], "ecosystem_specific": { "section": "core" } } ], "credits": [ { "name": "Mageia", "type": "COORDINATOR", "contact": [ "https://wiki.mageia.org/en/Packages_Security_Team" ] } ] }