[Pkg-privacy-maintainers] Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Clément Hermann
nodens at debian.org
Mon Oct 24 19:41:58 BST 2022
On 24/10/2022 at 18:26, Clément Hermann wrote:
> Hi,
>
> On 23/10/2022 at 18:27, Clément Hermann wrote:
>> Hi,
>>
>> On 22/10/2022 at 15:01, Salvatore Bonaccorso wrote:
>>> To be on safe side, explicitly confirming by upstream would be great.
>>
>> Agreed. And asked upstream:
>> https://github.com/onionshare/onionshare/issues/1633.
>
> Upstream replied quickly (yay!) and confirms the known issues are
> fixed in 2.5.
>
> Also, the detail of the vulnerable/patched versions has been updated.
> Quoting from the upstream issue:
>>
>> Only affected >= 2.3 - < 2.5: CVE-2021-41867
>> <https://github.com/advisories/GHSA-6rvj-pw9w-jcvc>, CVE-2022-21691
>> <https://github.com/advisories/GHSA-w9m4-7w72-r766>, CVE-2022-21695
>> <https://github.com/advisories/GHSA-99p8-9p2c-49j4>, CVE-2022-21696
>> <https://github.com/advisories/GHSA-68vr-8f46-vc9f>
>> Only affected >= 2.2 - < 2.5: CVE-2022-21694
>> <https://github.com/advisories/GHSA-h29c-wcm8-883h>
>> Only affected >=2.0 - < 2.5: CVE-2022-21689
>> <https://github.com/advisories/GHSA-jh82-c5jw-pxpc>
>> Only affected >=2.0 - < 2.4: CVE-2021-41868
>> <https://github.com/advisories/GHSA-7g47-xxff-9p85> (Receive mode
>> bug, fixed by changing the authentication from HTTP auth to using
>> Client Auth in Tor itself)
>> All versions < 2.5: CVE-2022-21690
>> <https://github.com/advisories/GHSA-ch22-x2v3-v6vq>, and possibly
>> depending on the Qt version, CVE-2022-21688
>> <https://github.com/advisories/GHSA-x7wr-283h-5h2v>
>>
>> GHSA-jgm9-xpfj-4fq6
>> <https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6>
>> is a complicated one, as a fix
>> <https://github.com/onionshare/onionshare/pull/1474> we reduced the
>> scope of access for Flatpak but you could argue that on 'native'
>> Debian the whole file system, or at least the parts accessible to the
>> user running OnionShare, is available not even in read-only mode. I'm
>> not sure there's really a 'fix' for the deb package.
>>
> The advisories on
> https://github.com/onionshare/onionshare/security/advisories have been
> updated to reflect this.
I did more homework.
So, to summarize:
- CVE-2021-41867 <https://github.com/advisories/GHSA-6rvj-pw9w-jcvc>,
CVE-2022-21691 <https://github.com/advisories/GHSA-w9m4-7w72-r766>,
CVE-2022-21695 <https://github.com/advisories/GHSA-99p8-9p2c-49j4>,
CVE-2022-21696 <https://github.com/advisories/GHSA-68vr-8f46-vc9f>
aren't affecting Debian (stable has 2.2, unstable has 2.5). Which is
good because the
- CVE-2022-21694 <https://github.com/advisories/GHSA-h29c-wcm8-883h>
affects Bullseye, but that might be an acceptable risk? The issue is
that CSP can only be turned on or off, not configured to allow js etc,
so it is only useful for static websites. I believe that's the most
common usage of a website with onionshare, and it's arguably a missing
feature more than a vulnerability /per se/.
- CVE-2022-21689 <https://github.com/advisories/GHSA-jh82-c5jw-pxpc> fix
should be easy to backport, at a glance:
https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
- CVE-2021-41868 <https://github.com/advisories/GHSA-7g47-xxff-9p85>
doesn't affect 2.2 I think, it must have been a mistake from mig5. I
just asked for confirmation. I do hope so since it's a bad one.
- CVE-2022-21690 <https://github.com/advisories/GHSA-ch22-x2v3-v6vq>
seems like a one-line patch:
https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0
- CVE-2022-21688 <https://github.com/advisories/GHSA-x7wr-283h-5h2v>
seems like it should be worked around with the CVE-2022-21690
<https://github.com/advisories/GHSA-ch22-x2v3-v6vq> fix (OTF-001)?
I'd welcome input on those.
Cheers,
--
nodens