CVE-2021-44538: Disclosure: buffer overflow in libolm and matrix-js-sdk | Matrix.org
The olm_session_describe function in Matrix libolm before 3.2.7 is vulnerable to a buffer overflow. The Olm session object represents a cryptographic channel between two parties. Therefore, its state is partially controllable by the remote party of the channel. Attackers can construct a crafted sequence of messages to manipulate the state of the receiver’s session in such a way that, for some buffer sizes, a buffer overflow happens on a call to olm_session_describe. Furthermore, safe buffer sizes were undocumented. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits. The known affected products are Element Web and SchildiChat Web.
Today we are releasing security updates to libolm, matrix-js-sdk, and several clients including Element Web / Desktop. Users are encouraged to upgrade as soon as possible. This resolves the pre-disclosure issued on December 3rd.
Fixed library versions are:
- libolm: 3.2.8
- matrix-js-sdk: 15.2.1
Client versions incorporating the fixes are:
- Element Web / Desktop: 1.9.7
- SchildiChat Web / Desktop: 1.9.7-sc.1
- Cinny: 1.6.0
These releases mitigate a buffer overflow in olm_session_describe, a libolm debugging function used by matrix-js-sdk in its end-to-end encryption (E2EE) implementation. If you rely on matrix-js-sdk for E2EE, you are affected. This vulnerability has been assigned CVE-2021-44538.
Clients which do not use matrix-js-sdk for E2EE, like FluffyChat or Element Android / iOS, are not affected.
This issue has been present since the introduction of the olm_session_describe function in October 2019 (commits: libolm, matrix-js-sdk).
We do not believe it is practical to successfully exploit this issue. However, upgrading remains important as the overflow can be triggered remotely.
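The two defects the advisory names, an overflow that depends on the caller's buffer size and a "safe" size that was never documented, are both properties of how a describe-style function writes into a caller-supplied buffer. The following C program is an added illustration of the hardened pattern and is not libolm's code: `demo_session_t`, `sink_t`, `sink_append`, `demo_session_describe` and `demo_session_describe_alloc` are hypothetical names, and the session fields and sample values are constructed. It shows the bounded sink that can never advance past the buffer regardless of what the peer-influenced chain indices are, and a return value that lets the caller detect truncation and size the buffer correctly instead of guessing.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a session's ratchet state: one sender chain
 * index plus a few receiver chain indices. Hypothetical layout, not
 * libolm's OlmSession. These counters are the part of the state a remote
 * peer can influence by sending messages, which is why the describe output
 * is only digits and spaces. */
typedef struct {
    uint32_t sender_chain_index;
    uint32_t receiver_chain_indices[8];
    size_t n_receiver_chains;
} demo_session_t;

/* Output sink that can never write past buf[cap - 1].
 * `len` is what actually landed in buf (excluding the NUL);
 * `needed` is what the full, untruncated output would occupy. */
typedef struct {
    char *buf;
    size_t cap;
    size_t len;
    size_t needed;
} sink_t;

/* The classic mistake in code like this is
 *     n = snprintf(p, remaining, ...); p += n; remaining -= n;
 * snprintf returns the length the output *would* have had, so once the
 * buffer is full `remaining` wraps to a huge size_t and the next call
 * writes past the end. This sink instead caps the advance at the room
 * actually available and counts `needed` separately. */
static void sink_append(sink_t *s, const char *fmt, ...)
{
    char *dst = NULL;
    size_t room = 0;
    va_list ap;
    int n;

    if (s->cap > 0 && s->len < s->cap - 1) {
        dst = s->buf + s->len;
        room = s->cap - s->len;
    }
    /* With dst == NULL and room == 0, vsnprintf writes nothing and only
     * reports the length (C99); that is how the sizing query works. */
    va_start(ap, fmt);
    n = vsnprintf(dst, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return; /* encoding error: leave the buffer as it is */

    s->needed += (size_t)n;
    if (room > 0)
        s->len += ((size_t)n < room) ? (size_t)n : room - 1;
}

/* Describe the session into buf (buflen bytes including the NUL).
 * Returns the length the complete description needs, excluding the NUL,
 * so the caller knows truncation happened when the result is >= buflen,
 * and can pass NULL/0 to ask for the required size up front. */
size_t demo_session_describe(const demo_session_t *s, char *buf, size_t buflen)
{
    sink_t sk = { buf, buflen, 0, 0 };
    size_t i;

    if (buflen > 0)
        buf[0] = '\0'; /* always NUL-terminated, even if nothing is appended */
    sink_append(&sk, "sender chain index: %u ", (unsigned)s->sender_chain_index);
    sink_append(&sk, "receiver chain indices:");
    for (i = 0; i < s->n_receiver_chains; i++)
        sink_append(&sk, " %u", (unsigned)s->receiver_chain_indices[i]);
    return sk.needed;
}

/* Size the buffer from the function itself instead of relying on an
 * undocumented "safe" constant: query, allocate exactly, fill. Caller frees. */
char *demo_session_describe_alloc(const demo_session_t *s)
{
    size_t need = demo_session_describe(s, NULL, 0);
    char *out = malloc(need + 1);
    if (out == NULL)
        return NULL;
    demo_session_describe(s, out, need + 1);
    return out;
}

int main(void)
{
    demo_session_t s = { 7, { 1, 22, 333 }, 3 }; /* constructed sample state */
    char small[10];
    size_t need = demo_session_describe(&s, small, sizeof small);
    char *full = demo_session_describe_alloc(&s);

    printf("truncated: \"%s\" (needed %zu bytes, had %zu)\n", small, need, sizeof small);
    if (full != NULL) {
        printf("full:      \"%s\"\n", full);
        free(full);
    }
    return 0;
}
```

The snprintf-style return value is the contract that was missing: with it, a binding such as matrix-js-sdk can allocate from the reported size rather than a fixed guess, and a too-small buffer yields a cleanly truncated, NUL-terminated string rather than an out-of-bounds write.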
Separately from the above vulnerability, we noticed during an internal audit that the libolm bindings in matrix-js-sdk were not zeroing out certain arrays containing entropy for cryptographic operations. This causes the entropy to remain resident in memory longer than necessary. As a defense-in-depth measure, this release of libolm now proactively overwrites those arrays when it is safe to do so.
Lastly, we are also taking this opportunity to update the version of Electron bundled with Element Desktop, pulling in the latest backported security fixes there.
The buffer overflow was found and reported by GitHub user @brevilo in the course of developing jOlm, a library of Java bindings to libolm; thank you. If you believe you’ve discovered a security vulnerability in Matrix or its implementations, please see our Security Disclosure Policy for how to get in touch.