Hey, finally, I managed to prepare a patched version of nextcloud-desktop.
I fixed both open issues for nextcloud-desktop for bullseye. See my attached debdiff. * CVE-2021-22895 * CVE-2021-32728 Did I manage all fields correctly (codename and urgency)? sid will be fixed with a new upload of 3.3.1-1 in the next hours. regards, hefee
diff -Nru nextcloud-desktop-3.1.1/debian/changelog nextcloud-desktop-3.1.1/debian/changelog
--- nextcloud-desktop-3.1.1/debian/changelog 2021-05-08 19:39:35.000000000 +0200
+++ nextcloud-desktop-3.1.1/debian/changelog 2021-08-22 19:59:32.000000000 +0200
@@ -1,3 +1,11 @@
+nextcloud-desktop (3.1.1-2+deb11u1) bullseye-security; urgency=high
+
+ * Add backported patch to fix CVE-2021-22895 (Closes: #989846).
+ * Add backported patch to fix CVE-2021-32728 with small modifications to
+ match for Debian.
+
+ -- Sandro Knauß <he...@debian.org> Sun, 22 Aug 2021 19:59:32 +0200
+
 nextcloud-desktop (3.1.1-2) unstable; urgency=medium
 
 * Add two upstream patches to fix CVE-2021-22879 (Closes: #987274):
diff -Nru nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch
--- nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch 1970-01-01 01:00:00.000000000 +0100
+++ nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch 2021-08-22 19:59:32.000000000 +0200
@@ -0,0 +1,45 @@
+From 142180c0e297ef500daf8328e7ea3020e33a3639 Mon Sep 17 00:00:00 2001
+From: Felix Weilbach <felix.weilb...@nextcloud.com>
+Date: Wed, 10 Feb 2021 09:53:57 +0100
+Subject: [PATCH] Validate the providers ssl certificate
+
+Signed-off-by: Felix Weilbach <felix.weilb...@nextcloud.com>
+---
+ src/gui/wizard/webview.cpp | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/src/gui/wizard/webview.cpp b/src/gui/wizard/webview.cpp
+index e03f86509..6c2207f48 100644
+--- a/src/gui/wizard/webview.cpp
++++ b/src/gui/wizard/webview.cpp
+@@ -52,9 +52,6 @@ public:
+
+ protected:
+ bool certificateError(const QWebEngineCertificateError &certificateError) override;
+-
+-private:
+- QUrl _rootUrl;
+ };
+
+ // We need a separate class here, since we cannot simply return the same WebEnginePage object
+@@ -191,15 +188,10 @@ QWebEnginePage * WebEnginePage::createWindow(QWebEnginePage::WebWindowType type)
+
+ void WebEnginePage::setUrl(const QUrl &url) {
+ QWebEnginePage::setUrl(url);
+- _rootUrl = url;
+ }
+
+-bool WebEnginePage::certificateError(const QWebEngineCertificateError &certificateError) {
+- if (certificateError.error() == QWebEngineCertificateError::CertificateAuthorityInvalid &&
+- certificateError.url().host() == _rootUrl.host()) {
+- return true;
+- }
+-
++bool WebEnginePage::certificateError(const QWebEngineCertificateError &certificateError)
++{
+ /**
+ * TODO properly improve this.
+ * The certificate should be displayed.
+-- 
+2.33.0
+
diff -Nru nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch
--- nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch 1970-01-01 01:00:00.000000000 +0100
+++ nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch 2021-08-22 19:59:32.000000000 +0200
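Review bot: The rewritten `certificateError` body is cut off right after the `TODO properly improve this` comment, so the value that replaces the removed `return true` for the wizard's root host is not visible in this hunk; the backport only closes the CA-validation bypass (presumably the CVE-2021-22895 item in the changelog) if the rest of the function rejects the error for every host, which should be confirmed against the 3.1.1 file the patch is applied to. Since `_rootUrl` and its assignment in `setUrl` are removed in the same patch, it is also worth grepping webview.cpp for any remaining use of `_rootUrl`, because this is a backport onto an older tree than the upstream commit targeted. The reason for dropping the host-match branch is not documented anywhere in the patched code; a comment above the override such as `// Never auto-accept certificate errors, not even CertificateAuthorityInvalid for the wizard's own host.` would keep the next maintainer from reintroducing it.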
@@ -0,0 +1,83 @@
+From 7fb09a81632de6066e55def20308d6e61cadbc48 Mon Sep 17 00:00:00 2001
+From: Matthieu Gallien <matthieu_gall...@yahoo.fr>
+Date: Wed, 19 May 2021 15:36:47 +0200
+Subject: [PATCH] check e2ee public key against private one
+
+should ensure we have matching private/public keys
+
+Signed-off-by: Matthieu Gallien <matthieu_gall...@yahoo.fr>
+---
+ src/libsync/clientsideencryption.cpp | 30 +++++++++++++++++++++++++++-
+ src/libsync/clientsideencryption.h | 1 +
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/src/libsync/clientsideencryption.cpp
++++ b/src/libsync/clientsideencryption.cpp
+@@ -16,6 +16,7 @@
+
+ #include <map>
+ #include <string>
++#include <algorithm>
+
+ #include <cstdio>
+
+@@ -32,6 +33,7 @@
+ #include <QIODevice>
+ #include <QUuid>
+ #include <QScopeGuard>
++#include <QRandomGenerator>
+
+ #include <qt5keychain/keychain.h>
+ #include "common/utility.h"
+@@ -797,6 +799,32 @@ void ClientSideEncryption::fetchFromKeyC
+ job->start();
+ }
+
++ bool ClientSideEncryption::checkPublicKeyValidity() const
++ {
++ QByteArray data = EncryptionHelper::generateRandom(64);
++
++ Bio publicKeyBio;
++ QByteArray publicKeyPem = _account->e2e()->_publicKey.toPem();
++ BIO_write(publicKeyBio, publicKeyPem.constData(), publicKeyPem.size());
++ auto publicKey = PKey::readPublicKey(publicKeyBio);
++
++ auto encryptedData = EncryptionHelper::encryptStringAsymmetric(publicKey, data.toBase64());
++
++ Bio privateKeyBio;
++ QByteArray privateKeyPem = _account->e2e()->_privateKey;
++ BIO_write(privateKeyBio, privateKeyPem.constData(), privateKeyPem.size());
++ auto key = PKey::readPrivateKey(privateKeyBio);
++
++ QByteArray decryptResult = QByteArray::fromBase64(EncryptionHelper::decryptStringAsymmetric( key, QByteArray::fromBase64(encryptedData)));
++
++ if (data != decryptResult) {
++ qCInfo(lcCse()) << "invalid private key";
++ return false;
++ }
++
++ return true;
++ }
++
+ void ClientSideEncryption::publicKeyFetched(Job *incoming) {
+ auto *readJob = static_cast<ReadPasswordJob *>(incoming);
+
+@@ -1183,7 +1211,7 @@ void ClientSideEncryption::decryptPrivat
+
+ qCInfo(lcCse()) << "Private key: " << _privateKey;
+
+- if (!_privateKey.isNull()) {
++ if (!_privateKey.isNull() && checkPublicKeyValidity()) {
+ writePrivateKey();
+ writeCertificate();
+ writeMnemonic();
+--- a/src/libsync/clientsideencryption.h
++++ b/src/libsync/clientsideencryption.h
+@@ -118,6 +118,7 @@ private:
+
+ void fetchFromKeyChain();
+
++ bool checkPublicKeyValidity() const;
+ void writePrivateKey();
+ void writeCertificate();
+ void writeMnemonic();
diff -Nru nextcloud-desktop-3.1.1/debian/patches/series nextcloud-desktop-3.1.1/debian/patches/series
--- nextcloud-desktop-3.1.1/debian/patches/series 2021-05-08 19:39:35.000000000 +0200
+++ nextcloud-desktop-3.1.1/debian/patches/series 2021-08-22 19:59:32.000000000 +0200
@@ -4,3 +4,5 @@
 0004-Revert-8fb673457b42-Add-a-button-to-create-a-debug-a.patch
 0005-Please-blhc.patch
 0006-Validate-sensitive-URLs-to-onle-allow-http-s-schemes.patch
+0007-Validate-the-providers-ssl-certificate.patch
+0008-check-e2ee-public-key-against-private-one.patch
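Review bot: `checkPublicKeyValidity` never looks at the results of `BIO_write`, `PKey::readPublicKey` or `PKey::readPrivateKey`, so a PEM that does not parse is handed straight to `encryptStringAsymmetric` and `decryptStringAsymmetric`; whether that ends in a clean `false` or in a crash depends on how those helpers treat an empty key, which is not visible in this hunk, so a null-key check on `publicKey` and `key` (in whatever form `PKey` exposes it) that logs and returns `false` before they are used would make the rejection path explicit. The `#include <algorithm>` and `#include <QRandomGenerator>` additions are used by no line in this backport; if the upstream `generateRandom` rewrite was one of the "small modifications" left out, those two includes can go as well. The context line `qCInfo(lcCse()) << "Private key: " << _privateKey;` just above the changed condition in `decryptPrivateKey` writes the private key to the log at info level; that predates this patch, but since the new condition is precisely about whether that key can be trusted it deserves a follow-up. `decryptPrivateKey` starts and ends outside the hunk.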