<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 24/10/2022 at 18:26, Clément Hermann
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:050221b2-32f4-36d5-40b3-88a9fe37f5d6@debian.org">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Hi,<br>
<br>
<div class="moz-cite-prefix">On 23/10/2022 at 18:27, Clément
Hermann wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a118aedd-5788-87a9-736c-06b945d1a441@nodens.org">Hi, <br>
<br>
On 22/10/2022 at 15:01, Salvatore Bonaccorso wrote:<br>
<blockquote type="cite"> To be on safe side, explicitly
confirming by upstream would be great. <br>
</blockquote>
<br>
Agreed. And asked upstream: <a class="moz-txt-link-freetext"
href="https://github.com/onionshare/onionshare/issues/1633"
moz-do-not-send="true">https://github.com/onionshare/onionshare/issues/1633</a>.
<br>
</blockquote>
<br>
Upstream replied quickly (yay!) and confirms the known issues are
fixed in 2.5.<br>
<br>
Also, the detail of the vulnerable/patched versions has been
updated. Quoting from the upstream issue:<br>
<blockquote type="cite">
<p dir="auto">Only affected >= 2.3 - < 2.5: <a
title="CVE-2021-41867" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-6rvj-pw9w-jcvc/hovercard"
href="https://github.com/advisories/GHSA-6rvj-pw9w-jcvc"
moz-do-not-send="true">CVE-2021-41867</a>, <a
title="CVE-2022-21691" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-w9m4-7w72-r766/hovercard"
href="https://github.com/advisories/GHSA-w9m4-7w72-r766"
moz-do-not-send="true">CVE-2022-21691</a>, <a
title="CVE-2022-21695" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-99p8-9p2c-49j4/hovercard"
href="https://github.com/advisories/GHSA-99p8-9p2c-49j4"
moz-do-not-send="true">CVE-2022-21695</a>, <a
title="CVE-2022-21696" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-68vr-8f46-vc9f/hovercard"
href="https://github.com/advisories/GHSA-68vr-8f46-vc9f"
moz-do-not-send="true">CVE-2022-21696</a><br>
Only affected >= 2.2 - < 2.5: <a title="CVE-2022-21694"
data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-h29c-wcm8-883h/hovercard"
href="https://github.com/advisories/GHSA-h29c-wcm8-883h"
moz-do-not-send="true">CVE-2022-21694</a><br>
Only affected >=2.0 - < 2.5: <a title="CVE-2022-21689"
data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-jh82-c5jw-pxpc/hovercard"
href="https://github.com/advisories/GHSA-jh82-c5jw-pxpc"
moz-do-not-send="true">CVE-2022-21689</a><br>
Only affected >=2.0 - < 2.4: <a title="CVE-2021-41868"
data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-7g47-xxff-9p85/hovercard"
href="https://github.com/advisories/GHSA-7g47-xxff-9p85"
moz-do-not-send="true">CVE-2021-41868</a> (Receive mode bug,
fixed by changing the authentication from HTTP auth to using
Client Auth in Tor itself)<br>
All versions < 2.5: <a title="CVE-2022-21690"
data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-ch22-x2v3-v6vq/hovercard"
href="https://github.com/advisories/GHSA-ch22-x2v3-v6vq"
moz-do-not-send="true">CVE-2022-21690</a>, and possibly
depending on the Qt version, <a title="CVE-2022-21688"
data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-x7wr-283h-5h2v/hovercard"
href="https://github.com/advisories/GHSA-x7wr-283h-5h2v"
moz-do-not-send="true">CVE-2022-21688</a></p>
<p dir="auto"><a title="GHSA-jgm9-xpfj-4fq6"
href="https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6"
moz-do-not-send="true">GHSA-jgm9-xpfj-4fq6</a> is a
complicated one, as a <a
href="https://github.com/onionshare/onionshare/pull/1474"
data-hovercard-type="pull_request"
data-hovercard-url="/onionshare/onionshare/pull/1474/hovercard"
moz-do-not-send="true">fix</a> we reduced the scope of
access for Flatpak but you could argue that on 'native' Debian
the whole file system, or at least the parts accessible to the
user running OnionShare, is available not even in read-only
mode. I'm not sure there's really a 'fix' for the deb package.</p>
</blockquote>
The advisories on <a class="moz-txt-link-freetext"
href="https://github.com/onionshare/onionshare/security/advisories"
moz-do-not-send="true">https://github.com/onionshare/onionshare/security/advisories</a>
have been updated to reflect this.<br>
</blockquote>
<br>
I did more homework.<br>
<br>
So, to summarize:<br>
- <a title="CVE-2021-41867" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-6rvj-pw9w-jcvc/hovercard"
href="https://github.com/advisories/GHSA-6rvj-pw9w-jcvc">CVE-2021-41867</a>,
<a title="CVE-2022-21691" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-w9m4-7w72-r766/hovercard"
href="https://github.com/advisories/GHSA-w9m4-7w72-r766">CVE-2022-21691</a>,
<a title="CVE-2022-21695" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-99p8-9p2c-49j4/hovercard"
href="https://github.com/advisories/GHSA-99p8-9p2c-49j4">CVE-2022-21695</a>,
<a title="CVE-2022-21696" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-68vr-8f46-vc9f/hovercard"
href="https://github.com/advisories/GHSA-68vr-8f46-vc9f">CVE-2022-21696</a>
aren't affecting Debian (stable has 2.2, unstable has 2.5). Which is
good because the <br>
<br>
- <a title="CVE-2022-21694" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-h29c-wcm8-883h/hovercard"
href="https://github.com/advisories/GHSA-h29c-wcm8-883h">CVE-2022-21694</a>
affects Bullseye, but that might be an acceptable risk? The issue
is that CSP can only be turned on or off, not configured to allow JS
etc, so it is only useful for static websites. I believe that's the
most common usage of a website with onionshare, and it's arguably a
missing feature more than a vulnerability <i>per se</i>.<br>
<br>
- <a title="CVE-2022-21689" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-jh82-c5jw-pxpc/hovercard"
href="https://github.com/advisories/GHSA-jh82-c5jw-pxpc">CVE-2022-21689</a>
fix should be easy to backport, at a glance:
<a class="moz-txt-link-freetext" href="https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377">https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377</a><br>
<br>
- <a title="CVE-2021-41868" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-7g47-xxff-9p85/hovercard"
href="https://github.com/advisories/GHSA-7g47-xxff-9p85">CVE-2021-41868</a>
doesn't affect 2.2, I think; it must have been a mistake from mig5. I
just asked for confirmation. I do hope so since it's a bad one.<br>
<br>
- <a title="CVE-2022-21690" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-ch22-x2v3-v6vq/hovercard"
href="https://github.com/advisories/GHSA-ch22-x2v3-v6vq">CVE-2022-21690</a>
seems like a one-line patch:
<a class="moz-txt-link-freetext" href="https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0">https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0</a><br>
<br>
- <a title="CVE-2022-21688" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-x7wr-283h-5h2v/hovercard"
href="https://github.com/advisories/GHSA-x7wr-283h-5h2v">CVE-2022-21688</a>
seems like it should be worked around with the <a
title="CVE-2022-21690" data-hovercard-type="advisory"
data-hovercard-url="/advisories/GHSA-ch22-x2v3-v6vq/hovercard"
href="https://github.com/advisories/GHSA-ch22-x2v3-v6vq">CVE-2022-21690</a>
fix (OTF-001)?<br>
<br>
I'd welcome input on those.<br>
<br>
Cheers,<br>
<pre class="moz-signature" cols="72">--
nodens</pre>
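<br>
An added triage helper, not part of this thread: it encodes the affected-version ranges exactly as quoted from the upstream issue above and checks the OnionShare versions Debian ships (2.2 in stable/bullseye, 2.5 in unstable) against them; the suite names and the <code>DEBIAN_VERSIONS</code> mapping are assumptions made for the example. CVE-2021-41868 is kept with upstream's stated range even though the mail questions whether 2.2 is really affected.<br>

```python
# Added example (not from the thread): check Debian's OnionShare versions
# against the affected ranges quoted from the upstream issue.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """'2.3.1' -> (2, 3, 1); tuples compare numerically, unlike strings
    ('2.10' would sort below '2.9' as a string)."""
    return tuple(int(part) for part in v.strip().split("."))


# Ranges as quoted from the upstream issue (onionshare#1633):
# (first affected version, inclusive; first fixed version, exclusive).
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "CVE-2021-41867": ("2.3", "2.5"),
    "CVE-2022-21691": ("2.3", "2.5"),
    "CVE-2022-21695": ("2.3", "2.5"),
    "CVE-2022-21696": ("2.3", "2.5"),
    "CVE-2022-21694": ("2.2", "2.5"),
    "CVE-2022-21689": ("2.0", "2.5"),
    "CVE-2021-41868": ("2.0", "2.4"),  # range as stated upstream; questioned in the mail
    "CVE-2022-21690": ("0", "2.5"),    # "all versions < 2.5"
    "CVE-2022-21688": ("0", "2.5"),    # likewise, depending on the Qt version
}

# Assumed mapping for the example: suite -> shipped OnionShare version.
DEBIAN_VERSIONS: Dict[str, str] = {"bullseye": "2.2", "sid": "2.5"}


def is_affected(version: str, lo: str, hi: str) -> bool:
    """True when lo <= version < hi (half-open, as the upstream ranges are)."""
    v = parse_version(version)
    return parse_version(lo) <= v < parse_version(hi)


def affected_cves(version: str) -> List[str]:
    """All quoted CVEs whose range contains the given version."""
    return sorted(cve for cve, (lo, hi) in AFFECTED_RANGES.items()
                  if is_affected(version, lo, hi))


def triage() -> Dict[str, List[str]]:
    """Per-suite list of CVEs still open for the version that suite ships."""
    return {suite: affected_cves(v) for suite, v in DEBIAN_VERSIONS.items()}


if __name__ == "__main__":
    for suite, cves in triage().items():
        print(f"{suite}: {', '.join(cves) or 'none'}")
```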
</body>
</html>