[Pkg-privacy-maintainers] Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

Clément Hermann nodens at debian.org
Mon Oct 24 17:26:30 BST 2022


Hi,

Le 23/10/2022 à 18:27, Clément Hermann a écrit :
> Hi,
>
> Le 22/10/2022 à 15:01, Salvatore Bonaccorso a écrit :
>
>> Thanks for the quick reply! (much appreciated). I think it would be
>> good to get a confirmation from upstream and if possible to have
>> those advisories updates. E.g.
>> https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v 
>>
>> while mentioning "affected versions < 2.4" the patched version remains
>> "none". This might be that the < 2.4 just reflects the point in time
>> when the advisory was filed. OTOH you have arguments with the v2.5
>> release information that they might all be fixed.
>>
>> To be on the safe side, explicitly confirming by upstream would be great.
>
> Agreed. And asked upstream: 
> https://github.com/onionshare/onionshare/issues/1633.

Upstream replied quickly (yay!) and confirms the known issues are fixed 
in 2.5.

Also, the detail of the vulnerable/patched versions has been updated. 
Quoting from the upstream issue:
>
> Only affected >= 2.3 - < 2.5: CVE-2021-41867 <https://github.com/advisories/GHSA-6rvj-pw9w-jcvc>,
> CVE-2022-21691 <https://github.com/advisories/GHSA-w9m4-7w72-r766>,
> CVE-2022-21695 <https://github.com/advisories/GHSA-99p8-9p2c-49j4>,
> CVE-2022-21696 <https://github.com/advisories/GHSA-68vr-8f46-vc9f>
> Only affected >= 2.2 - < 2.5: CVE-2022-21694 <https://github.com/advisories/GHSA-h29c-wcm8-883h>
> Only affected >= 2.0 - < 2.5: CVE-2022-21689 <https://github.com/advisories/GHSA-jh82-c5jw-pxpc>
> Only affected >= 2.0 - < 2.4: CVE-2021-41868 <https://github.com/advisories/GHSA-7g47-xxff-9p85>
> (Receive mode bug, fixed by changing the authentication from HTTP auth to using Client Auth in Tor itself)
> All versions < 2.5: CVE-2022-21690 <https://github.com/advisories/GHSA-ch22-x2v3-v6vq>, and possibly,
> depending on the Qt version, CVE-2022-21688 <https://github.com/advisories/GHSA-x7wr-283h-5h2v>
>
> GHSA-jgm9-xpfj-4fq6 
> <https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6> 
> is a complicated one, as a fix 
> <https://github.com/onionshare/onionshare/pull/1474> we reduced the 
> scope of access for Flatpak but you could argue that on 'native' 
> Debian the whole file system, or at least the parts accessible to the 
> user running OnionShare, is available not even in read-only mode. I'm 
> not sure there's really a 'fix' for the deb package.
>
The advisories on 
https://github.com/onionshare/onionshare/security/advisories have been 
updated to reflect this.

-- 
nodens