Hi Moritz,

On 25/10/2022 at 11:15, Moritz Muehlenhoff wrote:
> Hi Clément,

>> Sadly, upstream rectified and confirms it affects 2.2 [0], and has been tested and reproduced on Bullseye. We do need to fix it. Upstream has a few suggestions, but I guess our choices are either uploading 2.5 to stable, if that's possible. python-stem at least will need to be updated as well, from 1.8.0 to 1.8.1 which luckily is bugfix only.
>
> With the upstream confirmation about affected states I had a look at the remaining issues affecting Bullseye:

Thanks!

> CVE-2022-21694 (https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h) is not a vulnerability by itself, it's a lack of a feature at most. We can ignore it for Bullseye.

Agreed, that's my reasoning too.

> CVE-2022-21688 (https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v) is just a stop gap, the actual issue is in QT and I'll reach out to upstream for more information on when this was fixed in QT so that it can be backported to Bullseye's QT packages.
Agreed. The fix for CVE-2022-21690 will provide a workaround as well.

> This leaves:
> https://security-tracker.debian.org/tracker/CVE-2022-21690
> https://security-tracker.debian.org/tracker/CVE-2022-21689
> https://security-tracker.debian.org/tracker/CVE-2021-41868

> I think it's fair to ignore CVE-2021-41868 for Bullseye, it sounds like an edge case and invasive to fix.
I'm not sure how much of an edge case it is. But I agree it's fair. We could provide a backport for users needing secure authentication, so they could use onion v3 auth for this usage (I didn't check yet how easy a backport would be, but I expect it'd be simple except maybe for the poetry build system part).


> This leaves CVE-2022-21690 and CVE-2022-21689 which have isolated patches which could be backported?

Yes.

> Given that the primary use case for onionshare will be Tails, my suggestion would be that CVE-2022-21689 and CVE-2022-21690 get backported fixes for the next Bullseye point release (which Tails will sync up to). What do you think?

There are some users of onionshare besides Tails, but that sounds like a viable plan.

Cheers,

--
nodens
