Hey,
> > > What about Buster? Is 2.5 also affected?
> > 
> > yes 2.5 is also affected. At least the source files look the same.
> 
> Ack, can you also prepare an update for buster-security, please?

I have a proposed debdiff here. I added a third patch so that users have the 
possibility to accept invalid certs; otherwise they would fail silently, which 
does not sound like a proper solution to me. 

* Do I need to upload also with sources? How can I check this myself?
 
Cheers,

hefee
diff -Nru nextcloud-desktop-2.5.1/debian/changelog nextcloud-desktop-2.5.1/debian/changelog
--- nextcloud-desktop-2.5.1/debian/changelog	2019-08-29 18:57:38.000000000 +0200
+++ nextcloud-desktop-2.5.1/debian/changelog	2021-09-11 11:53:28.000000000 +0200
@@ -1,3 +1,12 @@
+nextcloud-desktop (2.5.1-3+deb10u2) buster; urgency=high
+
+  * Add backported patch to fix CVE-2021-22895. (Closes: #989846)
+  * Add backported patch to fix CVE-2021-32728.
+  * Update patch for CVE-2021-32728 for v2.5.1.
+  * Add patch to make it possible to accept invalid SSL certificates.
+
+ -- Sandro Knauß <he...@debian.org>  Sat, 11 Sep 2021 11:53:28 +0200
+
 nextcloud-desktop (2.5.1-3+deb10u1) buster; urgency=medium
 
   * Make nextcloud-desktop-cmd depend on nextcloud-desktop-common.
diff -Nru nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch
--- nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch	1970-01-01 01:00:00.000000000 +0100
+++ nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch	2021-09-10 22:17:16.000000000 +0200
@@ -0,0 +1,37 @@
+From 142180c0e297ef500daf8328e7ea3020e33a3639 Mon Sep 17 00:00:00 2001
+From: Felix Weilbach <felix.weilb...@nextcloud.com>
+Date: Wed, 10 Feb 2021 09:53:57 +0100
+Subject: [PATCH] Validate the providers ssl certificate
+
+Signed-off-by: Felix Weilbach <felix.weilb...@nextcloud.com>
+---
+ src/gui/wizard/webview.cpp | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/src/gui/wizard/webview.cpp
++++ b/src/gui/wizard/webview.cpp
+@@ -45,9 +45,6 @@ public:
+ 
+ protected:
+     bool certificateError(const QWebEngineCertificateError &certificateError) override;
+-
+-private:
+-    QUrl _rootUrl;
+ };
+ 
+ // We need a separate class here, since we cannot simply return the same WebEnginePage object
+@@ -157,14 +154,9 @@ QWebEnginePage * WebEnginePage::createWi
+ 
+ void WebEnginePage::setUrl(const QUrl &url) {
+     QWebEnginePage::setUrl(url);
+-    _rootUrl = url;
+ }
+ 
+ bool WebEnginePage::certificateError(const QWebEngineCertificateError &certificateError) {
+-    if (certificateError.error() == QWebEngineCertificateError::CertificateAuthorityInvalid) {
+-        return certificateError.url().host() == _rootUrl.host();
+-    }
+-
+     return false;
+ }
+ 
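Review bot: After this backport `WebEnginePage::setUrl` (the hunk at `@@ -157,14 +154,9 @@`) only forwards to `QWebEnginePage::setUrl(url)` and no longer has a reason to exist, since its only purpose was to record `_rootUrl`. `QWebEnginePage::setUrl` is not virtual as far as I recall, so the derived definition merely hides the base one; the backport could drop both the definition and its declaration in the header, though keeping it is harmless. The unconditional `return false;` in `certificateError` is the intended hardening and needs no change, but a one-line comment such as `// Reject every certificate error; accepting CA-invalid certs for the root host was CVE-2021-22895` would tell the next maintainer why the body is empty.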
diff -Nru nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch
--- nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch	1970-01-01 01:00:00.000000000 +0100
+++ nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch	2021-09-11 11:28:54.000000000 +0200
@@ -0,0 +1,88 @@
+From 7fb09a81632de6066e55def20308d6e61cadbc48 Mon Sep 17 00:00:00 2001
+From: Matthieu Gallien <matthieu_gall...@yahoo.fr>
+Date: Wed, 19 May 2021 15:36:47 +0200
+Subject: [PATCH] check e2ee public key against private one
+
+should ensure we have matching private/public keys
+
+Signed-off-by: Matthieu Gallien <matthieu_gall...@yahoo.fr>
+---
+ src/libsync/clientsideencryption.cpp | 30 +++++++++++++++++++++++++++-
+ src/libsync/clientsideencryption.h   |  1 +
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/src/libsync/clientsideencryption.cpp
++++ b/src/libsync/clientsideencryption.cpp
+@@ -15,6 +15,7 @@
+ #include "creds/abstractcredentials.h"
+ 
+ #include <map>
++#include <algorithm>
+ 
+ #include <cstdio>
+ 
+@@ -30,6 +31,7 @@
+ #include <QLineEdit>
+ #include <QIODevice>
+ #include <QUuid>
++#include <QRandomGenerator>
+ 
+ #include <keychain.h>
+ 
+@@ -644,6 +646,37 @@ void ClientSideEncryption::fetchFromKeyC
+     job->start();
+ }
+ 
++ bool ClientSideEncryption::checkPublicKeyValidity() const
++ {
++     QByteArray data = EncryptionHelper::generateRandom(64);
++
++     BIO *publicKeyBio = BIO_new(BIO_s_mem());
++     QByteArray publicKeyPem = _account->e2e()->_publicKey.toPem();
++     BIO_write(publicKeyBio, publicKeyPem.constData(), publicKeyPem.size());
++     EVP_PKEY *publicKey = PEM_read_bio_PUBKEY(publicKeyBio, nullptr, nullptr, nullptr);
++     BIO_free_all(publicKeyBio);
++
++     auto encryptedData = EncryptionHelper::encryptStringAsymmetric(publicKey, data.toBase64());
++
++     BIO *privateKeyBio = BIO_new(BIO_s_mem());
++     QByteArray privateKeyPem = _account->e2e()->_privateKey;
++     BIO_write(privateKeyBio, privateKeyPem.constData(), privateKeyPem.size());
++     EVP_PKEY *key = PEM_read_bio_PrivateKey(privateKeyBio, nullptr, nullptr, nullptr);
++     BIO_free_all(privateKeyBio);
++
++     QByteArray decryptResult = QByteArray::fromBase64(EncryptionHelper::decryptStringAsymmetric( key, QByteArray::fromBase64(encryptedData)));
++
++     EVP_PKEY_free(key);
++     EVP_PKEY_free(publicKey);
++
++     if (data != decryptResult) {
++         qCInfo(lcCse()) << "invalid private key";
++         return false;
++     }
++
++     return true;
++ }
++
+ void ClientSideEncryption::publicKeyFetched(Job *incoming) {
+     ReadPasswordJob *readJob = static_cast<ReadPasswordJob *>(incoming);
+ 
+@@ -1032,7 +1060,7 @@ void ClientSideEncryption::decryptPrivat
+ 
+             qCInfo(lcCse()) << "Private key: " << _privateKey;
+ 
+-            if (!_privateKey.isNull()) {
++            if (!_privateKey.isNull() && checkPublicKeyValidity()) {
+                 writePrivateKey();
+                 writeCertificate();
+                 writeMnemonic();
+--- a/src/libsync/clientsideencryption.h
++++ b/src/libsync/clientsideencryption.h
+@@ -110,6 +110,7 @@ private:
+ 
+     void fetchFromKeyChain();
+ 
++    bool checkPublicKeyValidity() const;
+     void writePrivateKey();
+     void writeCertificate();
+     void writeMnemonic();
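Review bot: `checkPublicKeyValidity` never checks the results of `PEM_read_bio_PUBKEY` and `PEM_read_bio_PrivateKey` (nor `BIO_new`), so a malformed or empty PEM hands a null `EVP_PKEY*` to `encryptStringAsymmetric`/`decryptStringAsymmetric`; unless those helpers guard against null themselves (not visible here), that is a crash rather than the intended "invalid private key" failure, and a null result from one parser also leaks the other key. A null key should make the function return `false` early, freeing whatever was already parsed, as sketched below. Two smaller points: every line of the new function is indented by one extra leading space (` bool ClientSideEncryption::…`), which looks like a paste artifact and should be aligned with the surrounding code, and the added `#include <algorithm>` and `#include <QRandomGenerator>` are not used by anything in this hunk, so they are presumably carried over from the upstream commit and could be dropped from the backport.
```cpp
bool ClientSideEncryption::checkPublicKeyValidity() const
{
    // … unchanged: generate random data, build publicKeyBio …
    EVP_PKEY *publicKey = PEM_read_bio_PUBKEY(publicKeyBio, nullptr, nullptr, nullptr);
    BIO_free_all(publicKeyBio);
    if (!publicKey) {
        qCInfo(lcCse()) << "could not parse public key";
        return false;
    }

    // … unchanged: encrypt data with publicKey, build privateKeyBio …
    EVP_PKEY *key = PEM_read_bio_PrivateKey(privateKeyBio, nullptr, nullptr, nullptr);
    BIO_free_all(privateKeyBio);
    if (!key) {
        qCInfo(lcCse()) << "could not parse private key";
        EVP_PKEY_free(publicKey);
        return false;
    }

    // … unchanged: decrypt, free both keys, compare with data …
```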
diff -Nru nextcloud-desktop-2.5.1/debian/patches/MessageBox-for-ConnectionError.patch nextcloud-desktop-2.5.1/debian/patches/MessageBox-for-ConnectionError.patch
--- nextcloud-desktop-2.5.1/debian/patches/MessageBox-for-ConnectionError.patch	1970-01-01 01:00:00.000000000 +0100
+++ nextcloud-desktop-2.5.1/debian/patches/MessageBox-for-ConnectionError.patch	2021-09-10 22:17:16.000000000 +0200
@@ -0,0 +1,46 @@
+Description: Possibility to accept invalid certificates.
+ Unfortunatelly there are invalid SSL certificates out in the wild,
+ that an user needs to be able to accept.
+ Source is the code shipped with bullseye (v3.1.1)
+Author: Sandro Knauß <he...@debian.org>
+Origin: Debian
+Forwarded: not-needed
+Last-Update: 2021-09-10
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+--- a/src/gui/wizard/webview.cpp
++++ b/src/gui/wizard/webview.cpp
+@@ -10,6 +10,7 @@
+ #include <QProgressBar>
+ #include <QLoggingCategory>
+ #include <QLocale>
++#include <QMessageBox>
+ 
+ #include "common/utility.h"
+ 
+@@ -157,7 +158,23 @@ void WebEnginePage::setUrl(const QUrl &u
+ }
+ 
+ bool WebEnginePage::certificateError(const QWebEngineCertificateError &certificateError) {
+-    return false;
++    /**
++     * TODO properly improve this.
++     * The certificate should be displayed.
++     *
++     * Or rather we should do a request with the QNAM and see if it works (then it is in the store).
++     * This is just a quick fix for now.
++     */
++    QMessageBox messageBox;
++    messageBox.setText(tr("Invalid certificate detected"));
++    messageBox.setInformativeText(tr("The host \"%1\" provided an invalid certificate. Continue?").arg(certificateError.url().host()));
++    messageBox.setIcon(QMessageBox::Warning);
++    messageBox.setStandardButtons(QMessageBox::Yes|QMessageBox::No);
++    messageBox.setDefaultButton(QMessageBox::No);
++
++    int ret = messageBox.exec();
++
++    return ret == QMessageBox::Yes;
+ }
+ 
+ ExternalWebEnginePage::ExternalWebEnginePage(QWebEngineProfile *profile, QObject* parent) : QWebEnginePage(profile, parent) {
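Review bot: The prompt in `WebEnginePage::certificateError` tells the user only the host name, not why the certificate was rejected, so the "Continue?" decision is made blind; `QWebEngineCertificateError::errorDescription()` is available and could be added to the informative text, e.g. `tr("The host \"%1\" provided an invalid certificate (%2). Continue?").arg(certificateError.url().host(), certificateError.errorDescription())`. The dialog is also shown for errors Qt will not let you override, so checking `certificateError.isOverridable()` first and returning `false` without prompting avoids asking a question whose answer is ignored. Keeping `QMessageBox::No` as the default button is the right choice here, since a `Yes` answer re-opens exactly the acceptance path that patch 0006 closes for CVE-2021-22895, only now behind an explicit user decision; a comment on the `return ret == QMessageBox::Yes;` line saying so would help future maintainers. As a point of style, the file name `MessageBox-for-ConnectionError.patch` does not follow the numbered `000N-…` scheme used by the rest of `debian/patches/series`.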
diff -Nru nextcloud-desktop-2.5.1/debian/patches/series nextcloud-desktop-2.5.1/debian/patches/series
--- nextcloud-desktop-2.5.1/debian/patches/series	2019-08-29 18:57:38.000000000 +0200
+++ nextcloud-desktop-2.5.1/debian/patches/series	2021-09-10 22:17:16.000000000 +0200
@@ -3,3 +3,6 @@
 0003-use_system_buildflags.patch
 0004-disable-git-hash-display.patch
 0005-Fixed-Issue-1000-Subfolders-of-moved-folders-not-syn.patch
+0006-Validate-the-providers-ssl-certificate.patch
+0007-check-e2ee-public-key-against-private-one.patch
+MessageBox-for-ConnectionError.patch
