[Pkg-privacy-maintainers] Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Clément Hermann
nodens at debian.org
Tue Oct 25 08:02:57 BST 2022
On 24/10/2022 at 20:41, Clément Hermann wrote:
>
> - CVE-2022-21694 <https://github.com/advisories/GHSA-h29c-wcm8-883h>
> affects Bullseye, but that might be an acceptable risk ? The issue is
> that CSP can only be turned on or off, not configured to allow js etc,
> so it is only useful for static websites. I believe that's the most
> common usage of a website with onionshare, and it's arguably a missing
> feature more than a vulnerability /per se/.
>
> - CVE-2022-21689 <https://github.com/advisories/GHSA-jh82-c5jw-pxpc>
> fix should be easy to backport, at a glance:
> https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
>
> - CVE-2021-41868 <https://github.com/advisories/GHSA-7g47-xxff-9p85>
> doesn't affect 2.2 I think, it must have been a mistake from mig5. I
> just asked for confirmation. I do hope so since it's a bad one.
Sadly, upstream has rectified this and confirms it affects 2.2 [0]; it has been
tested and reproduced on Bullseye. We do need to fix it. Upstream has a
few suggestions, but I guess our choices are either uploading 2.5 to
stable, if that's possible. python-stem at least will need to be updated
as well, from 1.8.0 to 1.8.1, which luckily is bugfix-only.
> - CVE-2022-21690 <https://github.com/advisories/GHSA-ch22-x2v3-v6vq>
> seems like a one-line patch:
> https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0
>
> - CVE-2022-21688 <https://github.com/advisories/GHSA-x7wr-283h-5h2v>
> seems like it should be worked around with the CVE-2022-21690
> <https://github.com/advisories/GHSA-ch22-x2v3-v6vq> fix (OTF-001)?
>
> I'd welcome input on those.
>
Of course if we choose to update onionshare to 2.5 in stable, we fix
those as well.
[0]
https://github.com/onionshare/onionshare/issues/1633#issuecomment-1289735350
Cheers,
--
nodens