[Pkg-privacy-maintainers] Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

Moritz Mühlenhoff jmm at inutil.org
Fri Jul 15 13:04:38 BST 2022


Source: onionshare
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for onionshare.

CVE-2021-41867[0]:
| An information disclosure vulnerability in OnionShare 2.3 before 2.4
| allows remote unauthenticated attackers to retrieve the full list of
| participants of a non-public OnionShare node via the --chat feature.

https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
https://www.ihteam.net/advisory/onionshare/

CVE-2021-41868[1]:
| OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to
| upload files on a non-public node when using the --receive
| functionality.

https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
https://www.ihteam.net/advisory/onionshare/

CVE-2022-21688[2]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. Affected versions of the desktop application were
| found to be vulnerable to denial of service via an undisclosed
| vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB
| memory consumption and this can be triggered multiple times. To be
| abused, this vulnerability requires rendering in the history tab, so
| some user interaction is required. An adversary with knowledge of the
| Onion service address in public mode or with authentication in private
| mode can perform a Denial of Service attack, which quickly results in
| out-of-memory for the server. This requires the desktop application
| with rendered history, therefore the impact is only elevated. This
| issue has been patched in version 2.5.

https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v

CVE-2022-21689[3]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions the receive mode limits
| concurrent uploads to 100 per second and blocks other uploads in the
| same second, which can be triggered by a simple script. An adversary
| with access to the receive mode can block file upload for others.
| There is no way to block this attack in public mode due to the
| anonymity properties of the Tor network.

https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc

CVE-2022-21690[4]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions the path parameter of the
| requested URL is not sanitized before being passed to the QT frontend.
| This path is used in all components for displaying the server access
| history. This leads to a rendered HTML4 Subset (QT RichText editor) in
| the Onionshare frontend.

https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq

CVE-2022-21691[5]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions chat participants can spoof
| their channel leave message, tricking others into assuming they left
| the chatroom.

https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766

CVE-2022-21692[6]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions anyone with access to the chat
| environment can write messages disguised as another chat participant.

https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v

CVE-2022-21693[7]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions an adversary with a primitive
| that allows for filesystem access from the context of the Onionshare
| process can access sensitive files in the entire user home folder.
| This could lead to the leaking of sensitive data. Due to the automatic
| exclusion of hidden folders, the impact is reduced. This can be
| mitigated by usage of the flatpak release.

https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6

CVE-2022-21694[8]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. The website mode of OnionShare allows the use of a
| hardened CSP, which will block any scripts and external resources. It
| is not possible to configure this CSP for individual pages and
| therefore the security enhancement cannot be used for websites using
| javascript or external resources like fonts or images.

https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h
https://github.com/onionshare/onionshare/issues/1389

CVE-2022-21695[9]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions authenticated users (or
| unauthenticated in public mode) can send messages without being
| visible in the list of chat participants. This issue has been resolved
| in version 2.5.

https://github.com/onionshare/onionshare/security/advisories/GHSA-99p8-9p2c-49j4

CVE-2022-21696[10]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions it is possible to change the
| username to that of another chat participant with an additional space
| character at the end of the name string. An adversary with access to
| the chat environment can use the rename feature to impersonate other
| participants by adding whitespace characters at the end of the
| username.

https://github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9f

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41867
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
[1] https://security-tracker.debian.org/tracker/CVE-2021-41868
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
[2] https://security-tracker.debian.org/tracker/CVE-2022-21688
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
[3] https://security-tracker.debian.org/tracker/CVE-2022-21689
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
[4] https://security-tracker.debian.org/tracker/CVE-2022-21690
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
[5] https://security-tracker.debian.org/tracker/CVE-2022-21691
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
[6] https://security-tracker.debian.org/tracker/CVE-2022-21692
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
[7] https://security-tracker.debian.org/tracker/CVE-2022-21693
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
[8] https://security-tracker.debian.org/tracker/CVE-2022-21694
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
[9] https://security-tracker.debian.org/tracker/CVE-2022-21695
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
[10] https://security-tracker.debian.org/tracker/CVE-2022-21696
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696

Please adjust the affected versions in the BTS as needed.
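The rename issue in CVE-2022-21696 above comes down to comparing usernames as raw strings, so "alice " and "alice" count as distinct even though they render identically. The Python below is an added example, not OnionShare's own code, showing that naive check next to a canonicalising one. It goes a little beyond the trailing-space case the advisory describes: the ChatRoom class, the session ids and the list of invisible code points are all hypothetical, and the canonical form also folds case, NFKC compatibility characters and zero-width characters, which are the other common ways of forging a visually identical name.

```python
import unicodedata

# Zero-width / invisible code points that str.split() does not treat as
# whitespace but that render as nothing, so "ali\u200bce" would look like
# "alice". Assumption: this list is illustrative, not exhaustive.
_INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def naive_rename_allowed(existing_names, new_name):
    """Exact-string check of the kind the advisory describes: 'alice ' is
    not equal to 'alice', so the rename goes through and both render alike."""
    return new_name not in existing_names


def clean_username(name):
    """Display form: NFKC-normalised, invisibles removed, whitespace collapsed."""
    name = unicodedata.normalize("NFKC", name)          # fullwidth 'a' -> 'a', etc.
    name = "".join(ch for ch in name if ch not in _INVISIBLE)
    return " ".join(name.split())                       # strips ends, collapses runs


def canonical_username(name):
    """Uniqueness key: the display form, case-folded."""
    return clean_username(name).casefold()


class ChatRoom:
    """Hypothetical participant registry keyed by canonical username."""

    def __init__(self):
        self._display = {}   # session id -> cleaned display name
        self._owner = {}     # canonical name -> session id holding it

    def can_take(self, session_id, name):
        canon = canonical_username(name)
        if not canon:
            return False                          # empty after cleaning
        holder = self._owner.get(canon)
        return holder is None or holder == session_id

    def join(self, session_id, name):
        if session_id in self._display or not self.can_take(session_id, name):
            raise ValueError(f"cannot join as {name!r}")
        self._owner[canonical_username(name)] = session_id
        self._display[session_id] = clean_username(name)

    def rename(self, session_id, new_name):
        if session_id not in self._display:
            raise KeyError(session_id)
        if not self.can_take(session_id, new_name):
            raise ValueError(f"{new_name!r} collides with another participant")
        del self._owner[canonical_username(self._display[session_id])]
        self._owner[canonical_username(new_name)] = session_id
        self._display[session_id] = clean_username(new_name)

    def leave(self, session_id):
        name = self._display.pop(session_id)
        del self._owner[canonical_username(name)]

    def participants(self):
        return sorted(self._display.values())


if __name__ == "__main__":
    room = ChatRoom()
    room.join("s1", "alice")
    room.join("s2", "bob")
    # The naive check lets s2 become "alice ", indistinguishable on screen.
    print(naive_rename_allowed(room.participants(), "alice "))   # True
    # The canonical check refuses it, as well as case and Unicode lookalikes.
    for attempt in ("alice ", "Alice", "\uff41lice", "ali\u200bce"):
        print(repr(attempt), room.can_take("s2", attempt))       # all False
    room.rename("s2", "Bob ")
    print(room.participants())                                    # ['Bob', 'alice']
```

The point of keeping a separate canonical key is that the display name can stay as the user typed it (case preserved) while uniqueness is decided on a form the attacker cannot vary without it being visible; the same key should also be what the leave and message events are matched on, since CVE-2022-21691 and CVE-2022-21692 above are the same class of identity confusion on those paths.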
