[Pkg-privacy-maintainers] Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Clément Hermann
nodens at debian.org
Tue Oct 25 12:53:07 BST 2022
Hi Moritz,
On 25/10/2022 at 11:15, Moritz Muehlenhoff wrote:
> Hi Clément,
>
>> Sadly, upstream rectified and confirms it affects 2.2 [0], and has been
>> tested and reproduced on Bullseye. We do need to fix it. Upstream has a few
>> suggestions, but I guess our choices are either uploading 2.5 to stable, if
>> that's possible. python-stem at least will need to be updated as well, from
>> 1.8.0 to 1.8.1 which luckily is bugfix only.
> With the upstream confirmation about affected states, I had a look at the remaining
> issues affecting Bullseye:
Thanks!
> CVE-2022-21694 (https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h)
> is not a vulnerability by itself, it's a lack of a feature at most. We can ignore it for
> Bullseye.
Agreed, that's my reasoning too.
> CVE-2022-21688 (https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v)
> is just a stopgap; the actual issue is in Qt, and I'll reach out to upstream for more information
> on when this was fixed in Qt so that it can be backported to Bullseye's Qt packages.
Agreed. The fix for CVE-2022-21690 will provide a workaround as well.
> This leaves:
> https://security-tracker.debian.org/tracker/CVE-2022-21690
> https://security-tracker.debian.org/tracker/CVE-2022-21689
> https://security-tracker.debian.org/tracker/CVE-2021-41868
>
> I think it's fair to ignore CVE-2021-41868 for Bullseye, it sounds like an edge case
> and invasive to fix.
I'm not sure how much of an edge case it is. But I agree it's fair. We
could provide a backport for users needing secure authentication, so
they could use onion v3 auth for this usage (I didn't check yet how easy
a backport would be, but I expect it'd be simple except maybe for the
poetry build system part).
>
> This leaves CVE-2022-21690 and CVE-2022-21689 which have isolated patches which could be backported?
Yes.
> Given that the primary use case for onionshare will be Tails, my suggestion would be that CVE-2022-21689
> and CVE-2022-21690 get backported fixes for the next Bullseye point release (which Tails will sync up
> to). What do you think?
There are some users of onionshare besides Tails, but that sounds like
a viable plan.
Cheers,
--
nodens