On 24/10/2022 at 18:26, Clément Hermann wrote:
Hi,
On 23/10/2022 at 18:27, Clément Hermann wrote:
Hi,
On 22/10/2022 at 15:01, Salvatore Bonaccorso wrote:
To be on the safe side, explicit confirmation by upstream would be great.
Agreed. And asked upstream:
https://github.com/onionshare/onionshare/issues/1633.
Upstream replied quickly (yay!) and confirms the known issues are
fixed in 2.5.
Also, the detail of the vulnerable/patched versions has been updated.
Quoting from the upstream issue:
- Only affected >= 2.3, < 2.5: CVE-2021-41867
  <https://github.com/advisories/GHSA-6rvj-pw9w-jcvc>, CVE-2022-21691
  <https://github.com/advisories/GHSA-w9m4-7w72-r766>, CVE-2022-21695
  <https://github.com/advisories/GHSA-99p8-9p2c-49j4>, CVE-2022-21696
  <https://github.com/advisories/GHSA-68vr-8f46-vc9f>
- Only affected >= 2.2, < 2.5: CVE-2022-21694
  <https://github.com/advisories/GHSA-h29c-wcm8-883h>
- Only affected >= 2.0, < 2.5: CVE-2022-21689
  <https://github.com/advisories/GHSA-jh82-c5jw-pxpc>
- Only affected >= 2.0, < 2.4: CVE-2021-41868
  <https://github.com/advisories/GHSA-7g47-xxff-9p85> (Receive mode
  bug, fixed by changing the authentication from HTTP auth to using
  Client Auth in Tor itself)
- All versions < 2.5: CVE-2022-21690
  <https://github.com/advisories/GHSA-ch22-x2v3-v6vq>, and possibly,
  depending on the Qt version, CVE-2022-21688
  <https://github.com/advisories/GHSA-x7wr-283h-5h2v>
GHSA-jgm9-xpfj-4fq6
<https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6>
is a complicated one, as a fix
<https://github.com/onionshare/onionshare/pull/1474> we reduced the
scope of access for Flatpak but you could argue that on 'native'
Debian the whole file system, or at least the parts accessible to the
user running OnionShare, is available not even in read-only mode. I'm
not sure there's really a 'fix' for the deb package.
The advisories on
https://github.com/onionshare/onionshare/security/advisories have been
updated to reflect this.
I did more homework.
So, to summarize:
- CVE-2021-41867 <https://github.com/advisories/GHSA-6rvj-pw9w-jcvc>,
CVE-2022-21691 <https://github.com/advisories/GHSA-w9m4-7w72-r766>,
CVE-2022-21695 <https://github.com/advisories/GHSA-99p8-9p2c-49j4>,
CVE-2022-21696 <https://github.com/advisories/GHSA-68vr-8f46-vc9f>
don't affect Debian (stable has 2.2, unstable has 2.5). Which is
good because the
- CVE-2022-21694 <https://github.com/advisories/GHSA-h29c-wcm8-883h>
affects Bullseye, but that might be an acceptable risk? The issue is
that CSP can only be turned on or off, not configured to allow JS etc.,
so it is only useful for static websites. I believe that's the most
common usage of a website with onionshare, and it's arguably a missing
feature more than a vulnerability /per se/.
- CVE-2022-21689 <https://github.com/advisories/GHSA-jh82-c5jw-pxpc> fix
should be easy to backport, at a glance:
https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
- CVE-2021-41868 <https://github.com/advisories/GHSA-7g47-xxff-9p85>
doesn't affect 2.2 I think, it must have been a mistake from mig5. I
just asked for confirmation. I do hope so since it's a bad one.
- CVE-2022-21690 <https://github.com/advisories/GHSA-ch22-x2v3-v6vq>
seems like a one-line patch:
https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0
- CVE-2022-21688 <https://github.com/advisories/GHSA-x7wr-283h-5h2v>
seems like it should be worked around with the CVE-2022-21690
<https://github.com/advisories/GHSA-ch22-x2v3-v6vq> fix (OTF-001)?
I'd welcome input on those.
Cheers,
--
nodens
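The summary above matches Debian's package versions against the affected ranges upstream quoted by hand. The script below does the same check mechanically, so the same table can be re-run when a range or a package version changes. It is an added example, not code from this thread or from the onionshare project: the ranges are transcribed from the upstream reply quoted above, the Debian version strings ("1:2.2-1", "2.5-1") are constructed, and the Debian version-string handling is a deliberate simplification of Debian's version policy.

```python
"""Check which of the upstream-quoted onionshare CVE ranges cover a given
Debian package version.  Added example; not code from this thread or from
the onionshare project.  The ranges are transcribed from the upstream reply
quoted in the mail; the Debian version strings used below are constructed."""
from __future__ import annotations

# (CVE, lower bound inclusive or None, upper bound exclusive, caveat)
AFFECTED_RANGES = [
    ("CVE-2021-41867", "2.3", "2.5", ""),
    ("CVE-2022-21691", "2.3", "2.5", ""),
    ("CVE-2022-21695", "2.3", "2.5", ""),
    ("CVE-2022-21696", "2.3", "2.5", ""),
    ("CVE-2022-21694", "2.2", "2.5", ""),
    ("CVE-2022-21689", "2.0", "2.5", ""),
    ("CVE-2021-41868", "2.0", "2.4", "receive mode"),
    ("CVE-2022-21690", None, "2.5", ""),
    ("CVE-2022-21688", None, "2.5", "depends on Qt version"),
]


def upstream_version(debian_version: str) -> str:
    """Strip a Debian epoch ('1:') and revision ('-1') so only the upstream
    part remains, e.g. '1:2.2-1' -> '2.2'.  Assumption: this is enough for
    onionshare's package versions; it is not a full implementation of
    Debian's version policy."""
    v = debian_version.split(":", 1)[-1]
    return v.rsplit("-", 1)[0] if "-" in v else v


def parse_version(v: str) -> tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1).  Only numeric dotted versions are handled."""
    return tuple(int(part) for part in v.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """Compare dotted versions, padding with zeros so '2.3' == '2.3.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def in_range(version: str, low: str | None, high: str) -> bool:
    """Half-open range check: low <= version < high (low may be unbounded)."""
    if low is not None and version_lt(version, low):
        return False
    return version_lt(version, high)


def affected_cves(debian_version: str) -> list[tuple[str, str]]:
    """Return (CVE, caveat) pairs whose quoted range covers the package."""
    v = upstream_version(debian_version)
    return [(cve, note) for cve, low, high, note in AFFECTED_RANGES
            if in_range(v, low, high)]


if __name__ == "__main__":
    # stable (bullseye) and unstable, as stated in the mail; strings constructed
    for pkg in ("1:2.2-1", "2.5-1"):
        hits = affected_cves(pkg)
        listing = ", ".join(f"{c} ({n})" if n else c for c, n in hits)
        print(f"{pkg} -> {listing or 'none'}")
```

Run as-is it reports, from the quoted ranges alone, that 2.5 is covered by none of the entries and that 2.2 falls inside the ranges for CVE-2022-21694, CVE-2022-21689, CVE-2021-41868, CVE-2022-21690 and (Qt-dependent) CVE-2022-21688. Note that the table reproduces upstream's stated range for CVE-2021-41868 as quoted; the doubt raised above about whether 2.2 is really affected is a question for upstream, not something the range check can settle.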