Arch Linux Security Advisory ASA-202106-51

Severity: Medium
Date : 2021-06-22
CVE-ID : CVE-2021-32659
Package : matrix-appservice-irc
Type : insufficient validation
Remote : Yes
Link : https://security.archlinux.org/AVG-2076

Summary

The package matrix-appservice-irc before version 0.27.0-1 is vulnerable
to insufficient validation.

Resolution

Upgrade to 0.27.0-1.

pacman -Syu “matrix-appservice-irc>=0.27.0-1”

The problem has been fixed upstream in version 0.27.0.

Workaround

As a workaround, disabling the automatic room upgrade handling can be
done by removing the roomUpgradeOpts key from the Bridge class
options.

Description

In versions 2.6.0 and earlier of matrix-appservice-bridge, as included
in matrix-appservice-irc before version 0.27.0, if a bridge has room
upgrade handling turned on in the configuration (the roomUpgradeOpts
key when instantiating a new Bridge instance.), any
m.room.tombstone event it encounters will be used to unbridge the
current room and bridge into the target room. However, the target room
m.room.create event is not checked to verify if the predecessor
field contains the previous room. This means that any malicious admin
of a bridged room can repoint the traffic to a different room without
the new room being aware. Versions 2.6.1 and greater are patched. As a
workaround, disabling the automatic room upgrade handling can be done
by removing the roomUpgradeOpts key from the Bridge class options.

Impact

A malicious admin of a bridged room can repoint the traffic to a
different room without the new room being aware.

References

https://github.com/matrix-org/matrix-appservice-bridge/security/advisories/GHSA-35g4-qx3c-vjhx
https://github.com/matrix-org/matrix-appservice-irc/releases/tag/0.27.0
https://github.com/matrix-org/matrix-appservice-bridge/pull/330
https://github.com/matrix-org/matrix-appservice-bridge/commit/b69e745584a34fcfd858df33e4631e420da07b9f
https://security.archlinux.org/CVE-2021-32659