Bug#991681: unblock: telegram-desktop/2.8.10+ds-1 (pre-approval)

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#991681: unblock: telegram-desktop/2.8.10+ds-1 (pre-approval)
From: Nicholas Guriev <nicholas@guriev.su>
Date: Fri, 30 Jul 2021 11:49:09 +0300
Message-id: <[🔎] 581a2c7f6fc38bea724960bf9c4af1f0a276b86c.camel@guriev.su>
Reply-to: Nicholas Guriev <nicholas@guriev.su>, 991681@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: 991493@bugs.debian.org

Dear release team,

This request is for discuss the present situation with the telegram-desktop
package. On July 16, under CVE-2021-36769 were disclosed some weakness of the
MtProto implementation in Telegram Desktop before 2.8.8. So the version
currently in testing, 2.6.1, has the security issue.

I examined commits from an upstream Git repository which potentially may fix
the issue, and I found they do not apply cleanly on top of 2.6.1 version. Even
if they have applied, or if I have solved merge conflicts with them, I could
not guarantee the efficiency in light of the issue.

So I see two possible options here:

1. Update the package to the latest upstream release. That is what this request
is about. The release brings a lot of new code and many new features which we
will not be able to test carefully on tight deadlines before bullseye. We will
need to update satellite packages also, libtgowt with fresh upstream commit and
libtgvoip with no-source-change rebuild. Approximate size of debdiffes is about
20MB. You can currently view the difference in Git on salsa.d.o.

https://salsa.debian.org/debian/telegram-desktop/-/merge_requests/37
https://salsa.debian.org/debian/libtgowt/-/merge_requests/6

This type of issue is that it is better to have the fix now than not to fix at
all. If you permit the update, I will proceed and properly supplement this bug
report with complete diffes. But on the other hand...

2. We can do nothing at the moment. And fix the issue later for bookworm. And
then backport the update to bullseye and buster. Telegram team assured me the
issue is not too risky in practice and it has only theoretical interest.


[ Reason ]
Fix security issue in implementation of underlying Telegram protocol, MtProto.
CVE-2021-36769.

[ Tests ]
Not fully, only manual smoke-test has been done. The app still starts.

[ Risks ]
Complex code in leaf and related packages. The libtgowt and the libtgvoip
packages carry static libraries. Their update does not affect anything
immediately. We also need to rebuild the telegram-desktop package.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [ ] I reviewed all changes and I approve them
  [ ] attach debdiff against the package in testing


unblock telegram-desktop/2.8.10+ds-1
unblock libtgowt/0~git20210627.91d836d+dfsg-1
unblock libtgvoip/2.4.4+git20210101.13a5fcb+ds-3

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Prev by Date: Bug#991660: marked as done (unblock: libhttp-cookiejar-perl/0.010-2)
Next by Date: libapache2-mod-auth-openidc in Bullseye
Previous by thread: Bug#991674: marked as done (unblock: python-uflash/1.2.4+dfsg-8)
Next by thread: libapache2-mod-auth-openidc in Bullseye
Index(es):
- Date
- Thread