| Name | CVE-2021-34813 |
| Description | Matrix libolm before 3.2.3 allows a malicious Matrix homeserver to crash a client (while it is attempting to retrieve an Olm encrypted room key backup from the homeserver) because olm_pk_decrypt has a stack-based buffer overflow. Remote code execution might be possible for some nonstandard build configurations. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 989997 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| olm (PTS) | buster | 2.2.2+git20170526.0fd768e+dfsg-1 | vulnerable |
| bullseye | 3.2.1~dfsg-7 | vulnerable |
| bookworm | 3.2.13~dfsg-1 | fixed |
| sid, trixie | 3.2.16+dfsg-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| olm | source | experimental | 3.2.3~dfsg-1 | | | |
| olm | source | (unstable) | 3.2.3~dfsg-3 | | | 989997 |
Notes
[bullseye] - olm <no-dsa> (Minor issue)
[buster] - olm <no-dsa> (Minor issue)
https://gitlab.matrix.org/matrix-org/olm/-/commit/ccc0d122ee1b4d5e5ca4ec1432086be17d5f901b
https://gitlab.matrix.org/matrix-org/olm/-/releases/3.2.3
https://matrix.org/blog/2021/06/14/adventures-in-fuzzing-libolm