Headline
GHSA-r5vf-wf4h-82gg: matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity
Impact
Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user’s cryptographic identity has changed from a verified to an unverified one, which could cause client applications relying on the SDK to overlook such changes.
Patches
matrix-sdk-crypto 0.8.0 adds a new VerificationLevel::VerificationViolation enum variant which indicates that a previously verified identity has been changed.
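The following is an added illustrative model, not code from matrix-sdk-crypto or its API. It shows the client-side distinction the advisory is about: when a user's identity (master key) is replaced after the local user had verified it, the store must surface a dedicated VerificationViolation state rather than letting the identity quietly fall back to "unverified". All type and function names here (IdentityStore, StoredIdentity, observe_identity, mark_verified) are hypothetical; only the VerificationViolation variant name is taken from the advisory.

```rust
// Added example modelling the fix described in GHSA-r5vf-wf4h-82gg.
// Not matrix-sdk-crypto's own code; names other than VerificationViolation are invented.
use std::collections::hash_map::Entry;
use std::collections::HashMap;

/// Verification state a client should display for a user.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum VerificationLevel {
    /// Identity is known and the local user verified it.
    Verified,
    /// Identity is known but was never verified.
    UnverifiedIdentity,
    /// Identity was verified earlier and has since been replaced (the new
    /// signal added in 0.8.0). Persists until the user re-verifies.
    VerificationViolation,
}

/// What the store remembers about one user's cryptographic identity (hypothetical).
#[derive(Debug, Clone)]
struct StoredIdentity {
    master_key: String,
    verified: bool,
    /// Set when a verified identity was replaced; cleared only by re-verification,
    /// so the warning cannot be lost by simply observing the new key again.
    previously_verified: bool,
}

fn level_of(identity: &StoredIdentity) -> VerificationLevel {
    if identity.previously_verified {
        VerificationLevel::VerificationViolation
    } else if identity.verified {
        VerificationLevel::Verified
    } else {
        VerificationLevel::UnverifiedIdentity
    }
}

#[derive(Default)]
pub struct IdentityStore {
    identities: HashMap<String, StoredIdentity>,
}

impl IdentityStore {
    /// Record the master key the server currently advertises for `user_id`
    /// and return the level the client should show.
    pub fn observe_identity(&mut self, user_id: &str, master_key: &str) -> VerificationLevel {
        match self.identities.entry(user_id.to_string()) {
            Entry::Vacant(slot) => {
                slot.insert(StoredIdentity {
                    master_key: master_key.to_string(),
                    verified: false,
                    previously_verified: false,
                });
                VerificationLevel::UnverifiedIdentity
            }
            Entry::Occupied(mut slot) => {
                let existing = slot.get_mut();
                if existing.master_key == master_key {
                    return level_of(existing);
                }
                // The identity rotated. If the old one had been verified (or was
                // already flagged), the client must be told explicitly instead of
                // seeing a plain "unverified" identity.
                let was_verified = existing.verified || existing.previously_verified;
                existing.master_key = master_key.to_string();
                existing.verified = false;
                existing.previously_verified = was_verified;
                level_of(existing)
            }
        }
    }

    /// The local user verified the identity currently stored for `user_id`.
    /// Returns false if the user is unknown.
    pub fn mark_verified(&mut self, user_id: &str) -> bool {
        match self.identities.get_mut(user_id) {
            Some(identity) => {
                identity.verified = true;
                identity.previously_verified = false;
                true
            }
            None => false,
        }
    }
}

fn main() {
    // Constructed sample sequence: verify, then the server advertises a new key.
    let mut store = IdentityStore::default();
    let alice = "@alice:example.org";
    println!("{:?}", store.observe_identity(alice, "msk-1"));
    store.mark_verified(alice);
    println!("{:?}", store.observe_identity(alice, "msk-1"));
    println!("{:?}", store.observe_identity(alice, "msk-2"));
}
```

The point of the `previously_verified` flag is that the violation is sticky: a client that only compares "verified now" against "verified before" on a single event can miss the change if the event is processed while the UI is closed, whereas a stored state is visible at every later lookup until the user acts on it.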
Workarounds
N/A
References
- Patch: https://github.com/matrix-org/matrix-rust-sdk/pull/3795
- CVE-2024-52813
Moderate severity GitHub Reviewed Published Jan 7, 2025 in matrix-org/matrix-rust-sdk • Updated Jan 7, 2025
Package
cargo matrix-sdk-crypto (Rust)
Affected versions
< 0.8.0
Published to the GitHub Advisory Database
Jan 7, 2025