CVE-2023-28686

NameCVE-2023-28686
DescriptionDino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5379-1
Debian Bugs1033370

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dino-im (PTS)bullseye (security), bullseye0.2.0-3+deb11u1fixed
bookworm0.4.2-1fixed
sid, trixie0.4.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dino-imsourcebuster(not affected)
dino-imsourcebullseye0.2.0-3+deb11u1DSA-5379-1
dino-imsource(unstable)0.4.2-11033370

Notes

[buster] - dino-im <not-affected> (Vulnerable code added in v0.1.0)
https://dino.im/security/cve-2023-28686/
Fixed by: https://github.com/dino/dino/commit/ef8fb0e94ce79d5fde2943e433ad0422eb7f70ec
Fixed by: https://github.com/dino/dino/commit/baf96d9d9fac7480fed777ac87d917f8dec8f0f6 (v0.4.2)
Fixed by: https://github.com/dino/dino/commit/e02a443a4eaf02f0ab860b41d0bc7081d4110ab4 (v0.2.3)
Bookmark supported added in https://github.com/dino/dino/commit/74c29d4df19f97b9b67bbc3c1a963a8729be69fd (v0.1.0)

Search for package or bug name: Reporting problems