[Pkg-privacy-maintainers] Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Clément Hermann
nodens at debian.org
Mon Oct 24 17:26:30 BST 2022
Hi,
Le 23/10/2022 à 18:27, Clément Hermann a écrit :
> Hi,
>
> Le 22/10/2022 à 15:01, Salvatore Bonaccorso a écrit :
>
>> Thanks for the quick reply! (much appreciated). I think it would be
>> good to get a confirmation from upstream and if possible to have
>> those advisories updates. E.g.
>> https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
>>
>> while mentioning "affected versions < 2.4" the patched version remains
>> "none". this might be that the < 2.4 just reflects the point in time
>> when the advisory was filled. OTOH you have arguments with the v2.5
>> release information that they might all be fixed.
>>
>> To be on safe side, explicitly confirming by upstream would be great.
>
> Agreed. And asked upstream:
> https://github.com/onionshare/onionshare/issues/1633.
Upstream replied quickly (yay!) and confirms the known issues are fixed
in 2.5.
Also, the detail of the vulnerable/patched versions has been updated.
Quoting from the upstream issue:
>
> Only affected >= 2.3 - < 2.5: CVE-2021-41867
> <https://github.com/advisories/GHSA-6rvj-pw9w-jcvc>, CVE-2022-21691
> <https://github.com/advisories/GHSA-w9m4-7w72-r766>, CVE-2022-21695
> <https://github.com/advisories/GHSA-99p8-9p2c-49j4>, CVE-2022-21696
> <https://github.com/advisories/GHSA-68vr-8f46-vc9f>
> Only affected >= 2.2 - < 2.5: CVE-2022-21694
> <https://github.com/advisories/GHSA-h29c-wcm8-883h>
> Only affected >=2.0 - < 2.5: CVE-2022-21689
> <https://github.com/advisories/GHSA-jh82-c5jw-pxpc>
> Only affected >=2.0 - < 2.4: CVE-2021-41868
> <https://github.com/advisories/GHSA-7g47-xxff-9p85> (Receive mode bug,
> fixed by changing the authentication from HTTP auth to using Client
> Auth in Tor itself)
> All versions < 2.5: CVE-2022-21690
> <https://github.com/advisories/GHSA-ch22-x2v3-v6vq>, and possibly
> depending on the Qt version, CVE-2022-21688
> <https://github.com/advisories/GHSA-x7wr-283h-5h2v>
>
> GHSA-jgm9-xpfj-4fq6
> <https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6>
> is a complicated one, as a fix
> <https://github.com/onionshare/onionshare/pull/1474> we reduced the
> scope of access for Flatpak but you could argue that on 'native'
> Debian the whole file system, or at least the parts accessible to the
> user running OnionShare, is available not even in read-only mode. I'm
> not sure there's really a 'fix' for the deb package.
>
The advisories on
https://github.com/onionshare/onionshare/security/advisories have been
updated to reflect this.
--
nodens
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-privacy-maintainers/attachments/20221024/d4eff0c4/attachment.htm>
More information about the Pkg-privacy-maintainers
mailing list