Hi Salvatore

actually upstream marked both CVEs as fixed in 2.6.4:
TEMP-1139716-6892B6
TEMP-1139717-36B614

I uploaded 2.6.4 to unstable, so at least sid and testing will be fixed.
Unfortunately the diff between 2.6.3 and 2.6.4 is quite big :( So I'm currently 
investigating the source, if I can extract the patches to fix the CVEs.

Thanks for all your work!

Regards,

hefee

--

On Donnerstag, 11. Juni 2026 20:48 Salvatore Bonaccorso wrote:
> Source: onionshare
> Version: 2.6.3-3
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
> 
> Hi
> 
> From
> https://github.com/onionshare/onionshare/security/advisories/GHSA-22p9-r2f5
> -22mf
> > OnionShare CLI/Desktop 2.6.3 can follow symbolic links inside a
> > selected Share or Website directory and serve the symlink target
> > rather than limiting access to files physically contained in the
> > selected directory. If a user shares a directory that contains
> > attacker-supplied or otherwise untrusted symlinks, a remote recipient
> > with access to the OnionShare service can read arbitrary local files
> > readable by the OnionShare process that the symlink points to.
> > 
> > This affects the shipped onionshare-cli Python package and the desktop
> > application because both call the same onionshare_cli.web
> > file-indexing and streaming code.
> 
> Regards,
> Salvatore
> 
> _______________________________________________
> Pkg-privacy-maintainers mailing list
> [email protected]
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-privacy-maintai
> ners


Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to