[Pkg-privacy-maintainers] Bug#1022725: onionshare: Please provide Apparmor profiles (GHSA-jgm9-xpfj-4fq6)
Clément Hermann
nodens at debian.org
Mon Oct 24 17:36:17 BST 2022
Package: onionshare
Version: 2.5-2
Severity: wishlist
Quoting https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6
> Between September 26, 2021 and October 8, 2021, Radically Open
> Security conducted a penetration test of OnionShare 2.4, funded by the
> Open Technology Fund's Red Team lab. This is an issue from that
> penetration test.
> Vulnerability ID: OTF-013
> Vulnerability type: Improper Hardening
> Threat level: Low
> Description:
>
> The filesystem restriction could be hardened and should only allow for
> pre-defined subfolders.
Upstream uses Flatpak to mitigate this, which of course makes little
sense on Debian.
However, we could provide something similar using Apparmor.
Cheers,
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.0.0-2-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages onionshare depends on:
ii onionshare-cli 2.5-2
ii python3 3.10.6-1
ii python3-pyside2.qtcore 5.15.2-2.3+b2
ii python3-pyside2.qtwidgets 5.15.2-2.3+b2
ii python3-qrcode 7.3.1-1
onionshare recommends no packages.
onionshare suggests no packages.
-- no debconf information
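An illustrative AppArmor profile of the kind the report asks for, added here as an example; it is not from the bug report, from Debian, or from the onionshare project. It assumes the Debian layout (/usr/bin/onionshare as a python3 script, dependencies under /usr/lib/python3/dist-packages, tor at /usr/bin/tor), a hypothetical tunable @{SHARE_DIR} for the one pre-defined folder the application may serve files from, and a scratch location under /tmp; adjust all of these against the real package. The point is the shape of the confinement rather than the exact paths: the profile grants the program, the interpreter, its own config directory and one share folder, and nothing else under $HOME.

```apparmor
# Illustrative profile, e.g. /etc/apparmor.d/usr.bin.onionshare.
# Paths and the @{SHARE_DIR} tunable are assumptions, not the package's own.
abi <abi/3.0>,

include <tunables/global>

# Hypothetical tunable: the single pre-defined folder user data is read from.
@{SHARE_DIR}=@{HOME}/OnionShare

profile onionshare /usr/bin/onionshare flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/python>
  include <abstractions/nameservice>
  include <abstractions/X>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/dbus-session-strict>

  # Program, interpreter and Python dependencies: read/execute only.
  /usr/bin/onionshare r,
  /usr/bin/python3{,.[0-9]*} ix,
  /usr/lib/python3/dist-packages/** r,
  /usr/share/onionshare/** r,

  # Tor is launched as a helper. Transition to its own profile if one is
  # loaded (Debian's tor package ships one); PUx falls back to unconfined
  # instead of failing the exec when no profile is present.
  /usr/bin/tor PUx,

  # Onion service and control-port sockets.
  network inet stream,
  network inet6 stream,

  # Own configuration and state. 'owner' refuses files owned by other users.
  owner @{HOME}/.config/onionshare/ rw,
  owner @{HOME}/.config/onionshare/** rwk,

  # Scratch space for assembled downloads. Assumed location; tighten this
  # to the real directory pattern once it is known.
  owner /tmp/** rwk,

  # The pre-defined share folder is the only user-data path granted.
  # Listing $HOME itself is allowed so a file chooser can navigate to it,
  # but nothing under $HOME other than the share folder is readable.
  owner @{HOME}/ r,
  owner @{SHARE_DIR}/ rw,
  owner @{SHARE_DIR}/** rwk,

  # Deny rules take precedence over allow rules in AppArmor, so a blanket
  # 'deny @{HOME}/**' would also block the share folder above. Instead,
  # name the high-value paths that must never be reachable even if the
  # allow list is later loosened by mistake.
  deny @{HOME}/.ssh/** rwklx,
  deny @{HOME}/.gnupg/** rwklx,
  deny @{HOME}/.mozilla/** rwklx,
}
```

To try it, load the profile with `apparmor_parser -r` on the file, put it in complain mode with `aa-complain` so missing permissions are logged rather than refused, exercise the application (GUI start, tor bootstrap, sharing and receiving), and review the denials with `aa-logprof` or `journalctl -k` before switching to enforce mode. The intended behaviour matches the advisory's wording: the Qt file dialog can still be pointed at any file, but opening one outside @{SHARE_DIR} fails with EACCES, so users must place files to share in the pre-defined folder.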