Hey, > > > What about Buster? Is 2.5 also affected? > > > > yes 2.5 is also affected. At least the source files look the same. > > Ack, can you also prepare an update for buster-security, please?
I have here a proposed debdiff. I added a third patch so that users have the possibility to accept invalid certs; otherwise they would fail silently, which at least to me does not sound like a proper solution. * Do I also need to upload with sources? How can I check this myself? Cheers, hefee
diff -Nru nextcloud-desktop-2.5.1/debian/changelog nextcloud-desktop-2.5.1/debian/changelog
--- nextcloud-desktop-2.5.1/debian/changelog 2019-08-29 18:57:38.000000000 +0200
+++ nextcloud-desktop-2.5.1/debian/changelog 2021-09-11 11:53:28.000000000 +0200
@@ -1,3 +1,12 @@
+nextcloud-desktop (2.5.1-3+deb10u2) buster; urgency=high
+
+ * Add backported patch to fix CVE-2021-22895. (Closes: #989846)
+ * Add backported patch to fix CVE-2021-32728.
+ * Update patch for CVE-2021-32728 for v2.5.1.
+ * Add patch to make it possible to accept invalid SSL certificates.
+
+ -- Sandro Knauß <he...@debian.org> Sat, 11 Sep 2021 11:53:28 +0200
+
 nextcloud-desktop (2.5.1-3+deb10u1) buster; urgency=medium

 * Make nextcloud-desktop-cmd depend on nextcloud-desktop-common.
diff -Nru nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch
--- nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch 1970-01-01 01:00:00.000000000 +0100
+++ nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch 2021-09-10 22:17:16.000000000 +0200
@@ -0,0 +1,37 @@
+From 142180c0e297ef500daf8328e7ea3020e33a3639 Mon Sep 17 00:00:00 2001
+From: Felix Weilbach <felix.weilb...@nextcloud.com>
+Date: Wed, 10 Feb 2021 09:53:57 +0100
+Subject: [PATCH] Validate the providers ssl certificate
+
+Signed-off-by: Felix Weilbach <felix.weilb...@nextcloud.com>
+---
+ src/gui/wizard/webview.cpp | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/src/gui/wizard/webview.cpp
++++ b/src/gui/wizard/webview.cpp
+@@ -45,9 +45,6 @@ public:
+
+ protected:
+ bool certificateError(const QWebEngineCertificateError &certificateError) override;
+-
+-private:
+- QUrl _rootUrl;
+ };
+
+ // We need a separate class here, since we cannot simply return the same WebEnginePage object
+@@ -157,14 +154,9 @@ QWebEnginePage * WebEnginePage::createWi
+
+ void WebEnginePage::setUrl(const QUrl &url) {
+ QWebEnginePage::setUrl(url);
+- _rootUrl = url;
+ }
+
+ bool WebEnginePage::certificateError(const QWebEngineCertificateError &certificateError) {
+- if (certificateError.error() == QWebEngineCertificateError::CertificateAuthorityInvalid) {
+- return certificateError.url().host() == _rootUrl.host();
+- }
+-
+ return false;
+ }
+
diff -Nru nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch
--- nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch 1970-01-01 01:00:00.000000000 +0100
+++ nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch 2021-09-11 11:28:54.000000000 +0200
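Review bot: The backported patch header carries only the git-format-patch `From:`/`Subject:` lines; DEP-3 recommends an `Origin:` and, where a bug is closed, a `Bug-Debian:` field so the next maintainer can trace where the hunk came from, e.g. `Origin: upstream, <URL of upstream commit 142180c0e297ef500daf8328e7ea3020e33a3639>` and `Bug-Debian: https://bugs.debian.org/989846` if #989846 is indeed the report for this patch (the changelog only pairs it with one of the two CVE entries). The effect of this hunk is that `WebEnginePage::certificateError` unconditionally returns false, but series applies MessageBox-for-ConnectionError.patch on top, which replaces that very line, so the "always reject" behaviour of the upstream fix does not survive in the built package; a one-line remark in this header (or the changelog) that the follow-up patch is intentional would save a reviewer from reading the two as contradictory.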
@@ -0,0 +1,88 @@
+From 7fb09a81632de6066e55def20308d6e61cadbc48 Mon Sep 17 00:00:00 2001
+From: Matthieu Gallien <matthieu_gall...@yahoo.fr>
+Date: Wed, 19 May 2021 15:36:47 +0200
+Subject: [PATCH] check e2ee public key against private one
+
+should ensure we have matching private/public keys
+
+Signed-off-by: Matthieu Gallien <matthieu_gall...@yahoo.fr>
+---
+ src/libsync/clientsideencryption.cpp | 30 +++++++++++++++++++++++++++-
+ src/libsync/clientsideencryption.h | 1 +
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/src/libsync/clientsideencryption.cpp
++++ b/src/libsync/clientsideencryption.cpp
+@@ -15,6 +15,7 @@
+ #include "creds/abstractcredentials.h"
+
+ #include <map>
++#include <algorithm>
+
+ #include <cstdio>
+
+@@ -30,6 +31,7 @@
+ #include <QLineEdit>
+ #include <QIODevice>
+ #include <QUuid>
++#include <QRandomGenerator>
+
+ #include <keychain.h>
+
+@@ -644,6 +646,37 @@ void ClientSideEncryption::fetchFromKeyC
+ job->start();
+ }
+
++ bool ClientSideEncryption::checkPublicKeyValidity() const
++ {
++ QByteArray data = EncryptionHelper::generateRandom(64);
++
++ BIO *publicKeyBio = BIO_new(BIO_s_mem());
++ QByteArray publicKeyPem = _account->e2e()->_publicKey.toPem();
++ BIO_write(publicKeyBio, publicKeyPem.constData(), publicKeyPem.size());
++ EVP_PKEY *publicKey = PEM_read_bio_PUBKEY(publicKeyBio, nullptr, nullptr, nullptr);
++ BIO_free_all(publicKeyBio);
++
++ auto encryptedData = EncryptionHelper::encryptStringAsymmetric(publicKey, data.toBase64());
++
++ BIO *privateKeyBio = BIO_new(BIO_s_mem());
++ QByteArray privateKeyPem = _account->e2e()->_privateKey;
++ BIO_write(privateKeyBio, privateKeyPem.constData(), privateKeyPem.size());
++ EVP_PKEY *key = PEM_read_bio_PrivateKey(privateKeyBio, nullptr, nullptr, nullptr);
++ BIO_free_all(privateKeyBio);
++
++ QByteArray decryptResult = QByteArray::fromBase64(EncryptionHelper::decryptStringAsymmetric( key, QByteArray::fromBase64(encryptedData)));
++
++ EVP_PKEY_free(key);
++ EVP_PKEY_free(publicKey);
++
++ if (data != decryptResult) {
++ qCInfo(lcCse()) << "invalid private key";
++ return false;
++ }
++
++ return true;
++ }
++
+ void ClientSideEncryption::publicKeyFetched(Job *incoming) {
+ ReadPasswordJob *readJob = static_cast<ReadPasswordJob *>(incoming);
+
+@@ -1032,7 +1060,7 @@ void ClientSideEncryption::decryptPrivat
+
+ qCInfo(lcCse()) << "Private key: " << _privateKey;
+
+- if (!_privateKey.isNull()) {
++ if (!_privateKey.isNull() && checkPublicKeyValidity()) {
+ writePrivateKey();
+ writeCertificate();
+ writeMnemonic();
+--- a/src/libsync/clientsideencryption.h
++++ b/src/libsync/clientsideencryption.h
+@@ -110,6 +110,7 @@ private:
+
+ void fetchFromKeyChain();
+
++ bool checkPublicKeyValidity() const;
+ void writePrivateKey();
+ void writeCertificate();
+ void writeMnemonic();
diff -Nru nextcloud-desktop-2.5.1/debian/patches/MessageBox-for-ConnectionError.patch nextcloud-desktop-2.5.1/debian/patches/MessageBox-for-ConnectionError.patch
--- nextcloud-desktop-2.5.1/debian/patches/MessageBox-for-ConnectionError.patch 1970-01-01 01:00:00.000000000 +0100
+++ nextcloud-desktop-2.5.1/debian/patches/MessageBox-for-ConnectionError.patch 2021-09-10 22:17:16.000000000 +0200
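Review bot: In the new `checkPublicKeyValidity()`, `PEM_read_bio_PUBKEY` and `PEM_read_bio_PrivateKey` return nullptr on malformed PEM, and that result goes straight into `EncryptionHelper::encryptStringAsymmetric` / `decryptStringAsymmetric`; how those helpers behave on a null key is not visible here, so a malformed key may crash the client rather than be reported as invalid, which is the opposite of what the validity check is for. The guards below route both failures to the same `return false` path the mismatch case already uses (`EVP_PKEY_free(nullptr)` is a no-op, so the later frees stay correct); since this is a backport of upstream 7fb09a81, the guard is better kept as its own patch and forwarded than folded into the backport. The context line `qCInfo(lcCse()) << "Private key: " << _privateKey;` in the `decryptPrivateKey` hunk writes the decrypted private key into the log at info level; it predates this change but deserves a follow-up of its own. The added `#include <algorithm>` and `#include <QRandomGenerator>` are not used by anything in this hunk, so either upstream's `generateRandom` change landed elsewhere in 2.5.1 or the includes are dead here.
```cpp
EVP_PKEY *publicKey = PEM_read_bio_PUBKEY(publicKeyBio, nullptr, nullptr, nullptr);
BIO_free_all(publicKeyBio);
if (!publicKey) {
    qCInfo(lcCse()) << "could not parse public key";
    return false;
}
// … unchanged: encryptStringAsymmetric, private-key BIO setup …
EVP_PKEY *key = PEM_read_bio_PrivateKey(privateKeyBio, nullptr, nullptr, nullptr);
BIO_free_all(privateKeyBio);
if (!key) {
    EVP_PKEY_free(publicKey);
    qCInfo(lcCse()) << "could not parse private key";
    return false;
}
// … unchanged: decrypt, free both keys, compare with data …
```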
@@ -0,0 +1,46 @@
+Description: Possibility to accept invalid certificates.
+ Unfortunatelly there are invalid SSL certificates out in the wild,
+ that an user needs to be able to accept.
+ Source is the code shipped with bullseye (v3.1.1)
+Author: Sandro Knauß <he...@debian.org>
+Origin: Debian
+Forwarded: not-needed
+Last-Update: 2021-09-10
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+
+--- a/src/gui/wizard/webview.cpp
++++ b/src/gui/wizard/webview.cpp
+@@ -10,6 +10,7 @@
+ #include <QProgressBar>
+ #include <QLoggingCategory>
+ #include <QLocale>
++#include <QMessageBox>
+
+ #include "common/utility.h"
+
+@@ -157,7 +158,23 @@ void WebEnginePage::setUrl(const QUrl &u
+ }
+
+ bool WebEnginePage::certificateError(const QWebEngineCertificateError &certificateError) {
+- return false;
++ /**
++ * TODO properly improve this.
++ * The certificate should be displayed.
++ *
++ * Or rather we should do a request with the QNAM and see if it works (then it is in the store).
++ * This is just a quick fix for now.
++ */
++ QMessageBox messageBox;
++ messageBox.setText(tr("Invalid certificate detected"));
++ messageBox.setInformativeText(tr("The host \"%1\" provided an invalid certificate. Continue?").arg(certificateError.url().host()));
++ messageBox.setIcon(QMessageBox::Warning);
++ messageBox.setStandardButtons(QMessageBox::Yes|QMessageBox::No);
++ messageBox.setDefaultButton(QMessageBox::No);
++
++ int ret = messageBox.exec();
++
++ return ret == QMessageBox::Yes;
+ }
+
+ ExternalWebEnginePage::ExternalWebEnginePage(QWebEngineProfile *profile, QObject* parent) : QWebEnginePage(profile, parent) {
diff -Nru nextcloud-desktop-2.5.1/debian/patches/series nextcloud-desktop-2.5.1/debian/patches/series
--- nextcloud-desktop-2.5.1/debian/patches/series 2019-08-29 18:57:38.000000000 +0200
+++ nextcloud-desktop-2.5.1/debian/patches/series 2021-09-10 22:17:16.000000000 +0200
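Review bot: The new `certificateError` body prompts for every error kind and tells the user only the host name, so an expired certificate, a name mismatch and an unknown CA all produce the same "Continue?" dialog; `QWebEngineCertificateError::isOverridable()` distinguishes errors Qt lets a page accept from those it does not, and `errorDescription()` gives the reason, which is what the user needs to answer Yes responsibly. The Qt 5 simplebrowser example handles exactly this by prompting only when `isOverridable()` is true and otherwise showing the description and returning false; the rewrite below follows that shape and keeps No as the default. Two smaller points: `QMessageBox messageBox;` has no parent, so the dialog is not modal to the wizard window, and the answer applies only to the request that raised the error — whether Qt re-asks for further resources from the same host is not visible here. The DEP-3 `Description:` should also state that this patch deliberately replaces the unconditional `return false` that 0006-Validate-the-providers-ssl-certificate.patch introduces, since a reader of series will otherwise see the two patches as contradicting each other.
```cpp
bool WebEnginePage::certificateError(const QWebEngineCertificateError &certificateError) {
    // Errors Qt marks as non-overridable cannot be accepted at all: explain why and stop the load.
    if (!certificateError.isOverridable()) {
        QMessageBox::critical(nullptr, tr("Invalid certificate detected"), certificateError.errorDescription());
        return false;
    }
    QMessageBox messageBox;
    messageBox.setText(tr("Invalid certificate detected"));
    messageBox.setInformativeText(tr("The host \"%1\" provided an invalid certificate (%2). Continue?")
                                      .arg(certificateError.url().host(), certificateError.errorDescription()));
    // … unchanged: warning icon, Yes/No buttons with No as default, exec() and the Yes comparison …
```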
@@ -3,3 +3,6 @@
 0003-use_system_buildflags.patch
 0004-disable-git-hash-display.patch
 0005-Fixed-Issue-1000-Subfolders-of-moved-folders-not-syn.patch
+0006-Validate-the-providers-ssl-certificate.patch
+0007-check-e2ee-public-key-against-private-one.patch
+MessageBox-for-ConnectionError.patch