| Name | CVE-2023-28686 |
| Description | Dino before 0.2.3, 0.3.x before 0.3.2, and 0.4.x before 0.4.2 allows attackers to modify the personal bookmark store via a crafted message. The attacker can change the display of group chats or force a victim to join a group chat; the victim may then be tricked into disclosing sensitive information. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5379-1 |
| Debian Bugs | 1033370 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| dino-im (PTS) | buster, buster (security) | 0.0.git20181129-1+deb10u1 | fixed |
| bullseye (security), bullseye | 0.2.0-3+deb11u1 | fixed | |
| bookworm | 0.4.2-1 | fixed | |
| sid | 0.4.3-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| dino-im | source | buster | (not affected) | |||
| dino-im | source | bullseye | 0.2.0-3+deb11u1 | DSA-5379-1 | ||
| dino-im | source | (unstable) | 0.4.2-1 | 1033370 |
[buster] - dino-im <not-affected> (Vulnerable code added in v0.1.0)
https://dino.im/security/cve-2023-28686/
Fixed by: https://github.com/dino/dino/commit/ef8fb0e94ce79d5fde2943e433ad0422eb7f70ec
Fixed by: https://github.com/dino/dino/commit/baf96d9d9fac7480fed777ac87d917f8dec8f0f6 (v0.4.2)
Fixed by: https://github.com/dino/dino/commit/e02a443a4eaf02f0ab860b41d0bc7081d4110ab4 (v0.2.3)
Bookmark supported added in https://github.com/dino/dino/commit/74c29d4df19f97b9b67bbc3c1a963a8729be69fd (v0.1.0)