Hey,

finally, I managed to prepare a patched version of nextcloud-desktop.

I fixed both open issues for nextcloud-desktop for bullseye. See my attached 
debdiff.

* CVE-2021-22895
* CVE-2021-32728

Did I set all fields correctly (codename and urgency)?

sid will be fixed with a new upload of 3.3.1-1 in the next hours.

regards,

hefee
diff -Nru nextcloud-desktop-3.1.1/debian/changelog nextcloud-desktop-3.1.1/debian/changelog
--- nextcloud-desktop-3.1.1/debian/changelog	2021-05-08 19:39:35.000000000 +0200
+++ nextcloud-desktop-3.1.1/debian/changelog	2021-08-22 19:59:32.000000000 +0200
@@ -1,3 +1,11 @@
+nextcloud-desktop (3.1.1-2+deb11u1) bullseye-security; urgency=high
+
+  * Add backported patch to fix CVE-2021-22895 (Closes: #989846).
+  * Add backported patch to fix CVE-2021-32728 with small modifications to
+    match for Debian.
+
+ -- Sandro Knauß <he...@debian.org>  Sun, 22 Aug 2021 19:59:32 +0200
+
 nextcloud-desktop (3.1.1-2) unstable; urgency=medium
 
   * Add two upstream patches to fix CVE-2021-22879 (Closes: #987274):
diff -Nru nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch
--- nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch	1970-01-01 01:00:00.000000000 +0100
+++ nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch	2021-08-22 19:59:32.000000000 +0200
@@ -0,0 +1,45 @@
+From 142180c0e297ef500daf8328e7ea3020e33a3639 Mon Sep 17 00:00:00 2001
+From: Felix Weilbach <felix.weilb...@nextcloud.com>
+Date: Wed, 10 Feb 2021 09:53:57 +0100
+Subject: [PATCH] Validate the providers ssl certificate
+
+Signed-off-by: Felix Weilbach <felix.weilb...@nextcloud.com>
+---
+ src/gui/wizard/webview.cpp | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/src/gui/wizard/webview.cpp b/src/gui/wizard/webview.cpp
+index e03f86509..6c2207f48 100644
+--- a/src/gui/wizard/webview.cpp
++++ b/src/gui/wizard/webview.cpp
+@@ -52,9 +52,6 @@ public:
+ 
+ protected:
+     bool certificateError(const QWebEngineCertificateError &certificateError) override;
+-
+-private:
+-    QUrl _rootUrl;
+ };
+ 
+ // We need a separate class here, since we cannot simply return the same WebEnginePage object
+@@ -191,15 +188,10 @@ QWebEnginePage * WebEnginePage::createWindow(QWebEnginePage::WebWindowType type)
+ 
+ void WebEnginePage::setUrl(const QUrl &url) {
+     QWebEnginePage::setUrl(url);
+-    _rootUrl = url;
+ }
+ 
+-bool WebEnginePage::certificateError(const QWebEngineCertificateError &certificateError) {
+-    if (certificateError.error() == QWebEngineCertificateError::CertificateAuthorityInvalid &&
+-        certificateError.url().host() == _rootUrl.host()) {
+-        return true;
+-    }
+-
++bool WebEnginePage::certificateError(const QWebEngineCertificateError &certificateError)
++{
+     /**
+      * TODO properly improve this.
+      * The certificate should be displayed.
+-- 
+2.33.0
+
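Review bot: `WebEnginePage::certificateError` carries no comment stating that returning `true` tells Qt WebEngine to ignore the certificate error and continue loading, which is the whole security contract of this override. I would add `// Returning true overrides the TLS error and loads the page; only do so on an explicit user decision.` above the function. The rest of the body lies outside the hunk, so it is worth confirming against the full file that no remaining path returns `true` without user confirmation. `WebEnginePage::setUrl` is now a bare forward to `QWebEnginePage::setUrl(url)` and could be dropped in a follow-up, although leaving it keeps the backport identical to upstream.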
diff -Nru nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch
--- nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch	1970-01-01 01:00:00.000000000 +0100
+++ nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch	2021-08-22 19:59:32.000000000 +0200
@@ -0,0 +1,83 @@
+From 7fb09a81632de6066e55def20308d6e61cadbc48 Mon Sep 17 00:00:00 2001
+From: Matthieu Gallien <matthieu_gall...@yahoo.fr>
+Date: Wed, 19 May 2021 15:36:47 +0200
+Subject: [PATCH] check e2ee public key against private one
+
+should ensure we have matching private/public keys
+
+Signed-off-by: Matthieu Gallien <matthieu_gall...@yahoo.fr>
+---
+ src/libsync/clientsideencryption.cpp | 30 +++++++++++++++++++++++++++-
+ src/libsync/clientsideencryption.h   |  1 +
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/src/libsync/clientsideencryption.cpp
++++ b/src/libsync/clientsideencryption.cpp
+@@ -16,6 +16,7 @@
+ 
+ #include <map>
+ #include <string>
++#include <algorithm>
+ 
+ #include <cstdio>
+ 
+@@ -32,6 +33,7 @@
+ #include <QIODevice>
+ #include <QUuid>
+ #include <QScopeGuard>
++#include <QRandomGenerator>
+ 
+ #include <qt5keychain/keychain.h>
+ #include "common/utility.h"
+@@ -797,6 +799,32 @@ void ClientSideEncryption::fetchFromKeyC
+     job->start();
+ }
+ 
++ bool ClientSideEncryption::checkPublicKeyValidity() const
++ {
++     QByteArray data = EncryptionHelper::generateRandom(64);
++
++     Bio publicKeyBio;
++     QByteArray publicKeyPem = _account->e2e()->_publicKey.toPem();
++     BIO_write(publicKeyBio, publicKeyPem.constData(), publicKeyPem.size());
++     auto publicKey = PKey::readPublicKey(publicKeyBio);
++
++     auto encryptedData = EncryptionHelper::encryptStringAsymmetric(publicKey, data.toBase64());
++
++     Bio privateKeyBio;
++     QByteArray privateKeyPem = _account->e2e()->_privateKey;
++     BIO_write(privateKeyBio, privateKeyPem.constData(), privateKeyPem.size());
++     auto key = PKey::readPrivateKey(privateKeyBio);
++
++     QByteArray decryptResult = QByteArray::fromBase64(EncryptionHelper::decryptStringAsymmetric( key, QByteArray::fromBase64(encryptedData)));
++
++     if (data != decryptResult) {
++         qCInfo(lcCse()) << "invalid private key";
++         return false;
++     }
++
++     return true;
++ }
++
+ void ClientSideEncryption::publicKeyFetched(Job *incoming) {
+     auto *readJob = static_cast<ReadPasswordJob *>(incoming);
+ 
+@@ -1183,7 +1211,7 @@ void ClientSideEncryption::decryptPrivat
+ 
+             qCInfo(lcCse()) << "Private key: " << _privateKey;
+ 
+-            if (!_privateKey.isNull()) {
++            if (!_privateKey.isNull() && checkPublicKeyValidity()) {
+                 writePrivateKey();
+                 writeCertificate();
+                 writeMnemonic();
+--- a/src/libsync/clientsideencryption.h
++++ b/src/libsync/clientsideencryption.h
+@@ -118,6 +118,7 @@ private:
+ 
+     void fetchFromKeyChain();
+ 
++    bool checkPublicKeyValidity() const;
+     void writePrivateKey();
+     void writeCertificate();
+     void writeMnemonic();
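Review bot: In `checkPublicKeyValidity()` the keys returned by `PKey::readPublicKey(publicKeyBio)` and `PKey::readPrivateKey(privateKeyBio)` go straight into the encrypt/decrypt helpers unchecked, and both `BIO_write` return values are ignored. How those helpers react to an unparsable key is not visible in this patch, so an explicit check with an early `return false` after each load would make the failure mode of this security check unambiguous. At the call site in `decryptPrivateKey` (its body continues outside the hunk) a failed check only skips the three write calls; `_privateKey` appears to stay populated, so consider clearing it there unless the surrounding code already does. Separately, the context line `qCInfo(lcCse()) << "Private key: " << _privateKey;` writes key material to the log and would be better as `qCInfo(lcCse()) << "Private key present:" << !_privateKey.isNull();`. The mismatch message `"invalid private key"` would also fit `qCWarning` better than `qCInfo`, since it signals a failed security check.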
diff -Nru nextcloud-desktop-3.1.1/debian/patches/series nextcloud-desktop-3.1.1/debian/patches/series
--- nextcloud-desktop-3.1.1/debian/patches/series	2021-05-08 19:39:35.000000000 +0200
+++ nextcloud-desktop-3.1.1/debian/patches/series	2021-08-22 19:59:32.000000000 +0200
@@ -4,3 +4,5 @@
 0004-Revert-8fb673457b42-Add-a-button-to-create-a-debug-a.patch
 0005-Please-blhc.patch
 0006-Validate-sensitive-URLs-to-onle-allow-http-s-schemes.patch
+0007-Validate-the-providers-ssl-certificate.patch
+0008-check-e2ee-public-key-against-private-one.patch
