[Pkg-privacy-maintainers] Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

Salvatore Bonaccorso carnil at debian.org
Sat Oct 22 12:49:15 BST 2022


Hi,

On Fri, Jul 15, 2022 at 02:04:38PM +0200, Moritz Mühlenhoff wrote:
> Source: onionshare
> X-Debbugs-CC: team at security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerabilities were published for onionshare.
> 
> CVE-2021-41867[0]:
> | An information disclosure vulnerability in OnionShare 2.3 before 2.4
> | allows remote unauthenticated attackers to retrieve the full list of
> | participants of a non-public OnionShare node via the --chat feature.
> 
> https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
> https://www.ihteam.net/advisory/onionshare/
> 
> CVE-2021-41868[1]:
> | OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to
> | upload files on a non-public node when using the --receive
> | functionality.
> 
> https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
> https://www.ihteam.net/advisory/onionshare/
> 
> CVE-2022-21688[2]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. Affected versions of the desktop application were
> | found to be vulnerable to denial of service via an undisclosed
> | vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB
> | memory consumption and this can be triggered multiple times. To be
> | abused, this vulnerability requires rendering in the history tab, so
> | some user interaction is required. An adversary with knowledge of the
> | Onion service address in public mode or with authentication in private
> | mode can perform a Denial of Service attack, which quickly results in
> | out-of-memory for the server. This requires the desktop application
> | with rendered history, therefore the impact is only elevated. This
> | issue has been patched in version 2.5.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
> 
> CVE-2022-21689[3]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions the receive mode limits
> | concurrent uploads to 100 per second and blocks other uploads in the
> | same second, which can be triggered by a simple script. An adversary
> | with access to the receive mode can block file upload for others.
> | There is no way to block this attack in public mode due to the
> | anonymity properties of the tor network.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc
> 
> CVE-2022-21690[4]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions The path parameter of the
> | requested URL is not sanitized before being passed to the QT frontend.
> | This path is used in all components for displaying the server access
> | history. This leads to a rendered HTML4 Subset (QT RichText editor) in
> | the Onionshare frontend.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq
> 
> CVE-2022-21691[5]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions chat participants can spoof
> | their channel leave message, tricking others into assuming they left
> | the chatroom.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766
> 
> CVE-2022-21692[6]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions anyone with access to the chat
> | environment can write messages disguised as another chat participant.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v
> 
> CVE-2022-21693[7]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions an adversary with a primitive
> | that allows for filesystem access from the context of the Onionshare
> | process can access sensitive files in the entire user home folder.
> | This could lead to the leaking of sensitive data. Due to the automatic
> | exclusion of hidden folders, the impact is reduced. This can be
> | mitigated by usage of the flatpak release.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6
> 
> CVE-2022-21694[8]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. The website mode of the onionshare allows to use a
> | hardened CSP, which will block any scripts and external resources. It
> | is not possible to configure this CSP for individual pages and
> | therefore the security enhancement cannot be used for websites using
> | javascript or external resources like fonts or images.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h
> https://github.com/onionshare/onionshare/issues/1389
> 
> CVE-2022-21695[9]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions authenticated users (or
> | unauthenticated in public mode) can send messages without being
> | visible in the list of chat participants. This issue has been resolved
> | in version 2.5.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-99p8-9p2c-49j4
> 
> CVE-2022-21696[10]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions it is possible to change the
> | username to that of another chat participant with an additional space
> | character at the end of the name string. An adversary with access to
> | the chat environment can use the rename feature to impersonate other
> | participants by adding whitespace characters at the end of the
> | username.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9f
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-41867
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
> [1] https://security-tracker.debian.org/tracker/CVE-2021-41868
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
> [2] https://security-tracker.debian.org/tracker/CVE-2022-21688
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
> [3] https://security-tracker.debian.org/tracker/CVE-2022-21689
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
> [4] https://security-tracker.debian.org/tracker/CVE-2022-21690
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
> [5] https://security-tracker.debian.org/tracker/CVE-2022-21691
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
> [6] https://security-tracker.debian.org/tracker/CVE-2022-21692
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
> [7] https://security-tracker.debian.org/tracker/CVE-2022-21693
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
> [8] https://security-tracker.debian.org/tracker/CVE-2022-21694
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
> [9] https://security-tracker.debian.org/tracker/CVE-2022-21695
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
> [10] https://security-tracker.debian.org/tracker/CVE-2022-21696
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696

From the reported list CVE-2021-41867 and CVE-2021-41868 were
addressed in 2.4 upstream. But the others seem yet unfixed in 2.5, even
though likely as well those which contain "has been patched in 2.5". I
have not found any indication that this is really the case.

Any more insights OTOH from you on those?

Regards,
Salvatore
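As an added illustration, not OnionShare's own code, of the check the CVE-2022-21696 description above calls for: a naive exact-match comparison accepts "alice " as a new name, while a comparison on a normalized form rejects it. The function names, the sample participant list, and the choice to also case-fold names are assumptions made here.

```python
import unicodedata

def normalize_username(name: str) -> str:
    """Canonical form used for uniqueness checks.

    NFKC-fold (turns e.g. U+00A0 into a plain space), drop invisible
    format characters (category Cf, such as U+200B), collapse whitespace
    runs, strip the ends, and case-fold (a design choice assumed here).
    """
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(visible.split()).casefold()

def naive_rename_allowed(current_names, new_name):
    # The weak check the advisory describes: exact string equality only,
    # so "alice " is treated as distinct from "alice".
    return new_name not in current_names

def hardened_rename_allowed(current_names, new_name):
    # Compare on the normalized form and reject names that are empty
    # after normalization (e.g. whitespace only).
    key = normalize_username(new_name)
    if not key:
        return False
    return key not in {normalize_username(n) for n in current_names}

# Constructed sample participant list (hypothetical).
PARTICIPANTS = ["alice", "bob"]

def demo():
    """Return {candidate: (naive_verdict, hardened_verdict)} for a few
    look-alike names; only 'carol' should pass the hardened check."""
    results = {}
    for candidate in ["alice ", "alice\u00a0", "al\u200bice", "ALICE", "carol"]:
        results[candidate] = (
            naive_rename_allowed(PARTICIPANTS, candidate),
            hardened_rename_allowed(PARTICIPANTS, candidate),
        )
    return results

if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(repr(name), "naive:", weak, "hardened:", strong)
```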


