[Pkg-privacy-maintainers] Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

Moritz Muehlenhoff jmm at inutil.org
Tue Oct 25 10:15:29 BST 2022


Hi Clément,

> Sadly, upstream rectified and confirms it affects 2.2 [0], and has been
> tested and reproduced on Bullseye. We do need to fix it. Upstream has a few
> suggestions, but I guess our choices are either uploading 2.5 to stable, if
> that's possible. python-stem at least will need to be updated as well, from
> 1.8.0 to 1.8.1 which luckily is bugfix only.

With the upstream confirmation about affected states I had a look at the remaining
issues affecting Bullseye:

CVE-2022-21694 (https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h)
is not a vulnerability by itself, it's a lack of a feature at most. We can ignore it for
Bullseye.

CVE-2022-21688 (https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v)
is just a stopgap, the actual issue is in QT, and I'll reach out to upstream for more information
on when this was fixed in QT so that it can be backported to Bullseye's QT packages.

This leaves:
https://security-tracker.debian.org/tracker/CVE-2022-21690
https://security-tracker.debian.org/tracker/CVE-2022-21689
https://security-tracker.debian.org/tracker/CVE-2021-41868

I think it's fair to ignore CVE-2021-41868 for Bullseye; it sounds like an edge case
and invasive to fix.

This leaves CVE-2022-21690 and CVE-2022-21689, which have isolated patches that could be backported?

Given that the primary use case for onionshare will be Tails, my suggestion would be that CVE-2022-21689
and CVE-2022-21690 get backported fixes for the next Bullseye point release (which Tails will sync up
to). What do you think?

Cheers,
        Moritz
