@uhoreg uhoreg commented Oct 4, 2022

fixes element-hq/element-web#23374

Bug was introduced in the recent security release.

The incorrect code is checking the sender_key in the encrypted content, which is normally not set. It should have been checking the sender_key in the cleartext content, or event.getSenderKey().


Here's what your changelog entry will look like:

🐛 Bug Fixes

@uhoreg uhoreg requested a review from a team as a code owner October 4, 2022 16:44
@uhoreg uhoreg added the T-Defect label Oct 4, 2022
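The mix-up described in the PR description above, as an added example that is not part of the original PR or of matrix-js-sdk: a constructed model of an Olm to-device event in which `sender_key` sits in the unencrypted envelope and is absent from the decrypted payload. The event shape, the `acceptSecret*` helpers, the placeholder keys and the assumption that the receiver compares the sender key with the key of the device it sent its request to are all hypothetical; only `event.getSenderKey()` is named in the PR.

```javascript
// Constructed model of a received Olm to-device event (not matrix-js-sdk code).
// wire:    the unencrypted m.room.encrypted envelope, which carries sender_key
// payload: the content obtained by decrypting it, which normally has no sender_key
function makeSecretSendEvent(senderKey, requestId, secret) {
    const wire = { algorithm: "m.olm.v1.curve25519-aes-sha2", sender_key: senderKey, ciphertext: {} };
    const payload = { request_id: requestId, secret: secret };
    return {
        getContent: () => payload,
        getSenderKey: () => wire.sender_key,
    };
}

// Mistake described in the PR: sender_key is read from the decrypted payload.
// The field is absent there, so the lookup yields undefined.
function acceptSecretBuggy(event, expectedKey) {
    return event.getContent().sender_key === expectedKey;
}

// Corrected lookup, plus a guard: a missing key on either side never matches.
function acceptSecretFixed(event, expectedKey) {
    const senderKey = event.getSenderKey();
    if (typeof senderKey !== "string" || senderKey.length === 0) return false;
    if (typeof expectedKey !== "string" || expectedKey.length === 0) return false;
    return senderKey === expectedKey;
}

// Constructed placeholder keys, not real Curve25519 keys.
const REQUESTED_DEVICE_KEY = "CONSTRUCTED_KEY_REQUESTED_DEVICE";
const OTHER_DEVICE_KEY = "CONSTRUCTED_KEY_OTHER_DEVICE";

function runScenario() {
    const legit = makeSecretSendEvent(REQUESTED_DEVICE_KEY, "req-1", "constructed-secret");
    const other = makeSecretSendEvent(OTHER_DEVICE_KEY, "req-1", "constructed-secret");
    return {
        buggyRejectsLegit: !acceptSecretBuggy(legit, REQUESTED_DEVICE_KEY),
        fixedAcceptsLegit: acceptSecretFixed(legit, REQUESTED_DEVICE_KEY),
        fixedRejectsOther: !acceptSecretFixed(other, REQUESTED_DEVICE_KEY),
        fixedRejectsWhenExpectedMissing: !acceptSecretFixed(legit, undefined),
    };
}

console.log(runScenario());
```

In this model the buggy check fails closed: a secret sent by the expected device is rejected because the comparison always sees `undefined`.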
@turt2live
Member

does this need including in the RC that went out today?

@uhoreg
Member Author

uhoreg commented Oct 4, 2022

> does this need including in the RC that went out today?

If possible, this would probably be a good one to get in.

@turt2live turt2live added the backport staging label (Label to automatically backport PR to staging branch) Oct 4, 2022
@uhoreg uhoreg merged commit 890a840 into matrix-org:develop Oct 4, 2022
RiotRobot pushed a commit that referenced this pull request Oct 4, 2022
turt2live pushed a commit that referenced this pull request Oct 4, 2022
(cherry picked from commit 890a840)

Co-authored-by: Hubert Chathi <hubertc@matrix.org>
@Johennes
Contributor

Johennes commented Oct 5, 2022

Can / should this receive test coverage?

odelcroi added a commit to tchapgouv/tchap-web-v4 that referenced this pull request Oct 6, 2022
su-ex added a commit to SchildiChat/matrix-js-sdk that referenced this pull request Oct 29, 2022
* Changes the `uploadContent` API, kills off `request` and `browser-request` in favour of `fetch`, removed callback support on a lot of the methods, adds a lot of tests. (matrix-org#2719). Fixes matrix-org#2415 and matrix-org#801.
* Remove deprecated `m.room.aliases` references (matrix-org#2759). Fixes element-hq/element-web#12680.
* Remove node-specific crypto bits, use Node 16's WebCrypto (matrix-org#2762). Fixes matrix-org#2760.
* Export types for MatrixEvent and Room emitted events, and make event handler map types stricter (matrix-org#2750). Contributed by @stas-demydiuk.
* Use even more stable calls to `/room_keys` (matrix-org#2746).
* Upgrade to Olm 3.2.13 which has been repackaged to support Node 18 (matrix-org#2744).
* Fix `power_level_content_override` type (matrix-org#2741).
* Add custom notification handling for MSC3401 call events (matrix-org#2720).
* Add support for unread thread notifications (matrix-org#2726).
* Load Thread List with server-side assistance (MSC3856) (matrix-org#2602).
* Use stable calls to `/room_keys` (matrix-org#2729). Fixes element-hq/element-web#22839.
* Fix POST data not being passed for registerWithIdentityServer (matrix-org#2769). Fixes matrix-org/element-web-rageshakes#16206.
* Fix IdentityPrefix.V2 containing spurious `/api` (matrix-org#2761). Fixes element-hq/element-web#23505.
* Always send back an httpStatus property if one is known (matrix-org#2753).
* Check for AbortError, not any generic connection error, to avoid tightlooping (matrix-org#2752).
* Correct the dir parameter of MSC3715 (matrix-org#2745). Contributed by @dhenneke.
* Fix sync init when thread unread notif is not supported (matrix-org#2739). Fixes element-hq/element-web#23435.
* Use the correct sender key when checking shared secret (matrix-org#2730). Fixes element-hq/element-web#23374.
Development

Successfully merging this pull request may close these issues.

Unable to decrypt old message with cross device verification