Package: release.debian.org
Control: affects -1 + src:flameshot
X-Debbugs-Cc: flames...@packages.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: by...@debian.org
Severity: normal
[ Reason ]
As reported in https://bugs.debian.org/1051408 , current flameshot in Debian 11 (Bullseye) will silently upload the current captured screenshot to imgur without confirmation whenever the corresponding hotkey is pressed. This imposes a security risk of leaking sensitive information. In order to mitigate this issue, I propose to upload flameshot 0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded in the source code. Users who wish to utilize the image uploading feature can fill in their own imgur token in the flameshot config window to re-enable the feature.

[ Impact ]
If the update is not approved, users of flameshot will have their captured screenshot uploaded to imgur by default when the hotkey is pressed, without prompt, which poses a security and information leaking risk to Debian 11 users using flameshot.

[ Tests ]
Manually tested in a Debian Bullseye VM.

[ Risks ]
Minimum risk as seen from debdiff.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Reset hardcoded imgur token to all zero to invalidate image uploading functionality by default. For details, please check debdiff attached.

[ Other info ]
Upstream takes a different fix by popping up a confirmation window whenever an image upload is to be done. The details can be found at https://github.com/flameshot-org/flameshot/releases/tag/v11.0.0 . Such a solution is not applied here due to the workload in backporting all UI source code changes.

Thanks,
Boyuan Yang
diff -Nru flameshot-0.9.0+ds1/debian/changelog flameshot-0.9.0+ds1/debian/changelog --- flameshot-0.9.0+ds1/debian/changelog 2021-07-22 18:10:19.000000000 -0400 +++ flameshot-0.9.0+ds1/debian/changelog 2023-09-21 13:16:48.000000000 -0400 @@ -1,3 +1,20 @@ +flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium + + * debian/patches/0006-Disable-default-imgur-token.patch: + Disable default imgur uploading token. + . + Flameshot before v0.10.0 does not pop up confirmation before + uploading the screenshot to imgur, which is a security risk + that may leak sensitive user information. + . + This patch strips the embedded default imgur token from the + source code to disable default image uploading. Users who need + image uploading functionality may set their own imgur token + in flameshot configuration to re-enable this functionality. + (Closes: #1051408) + + -- Boyuan Yang <by...@debian.org> Thu, 21 Sep 2023 13:16:48 -0400 + flameshot (0.9.0+ds1-2) unstable; urgency=high * debian/patches/0003-Disable-automatic-update-checking-by-default.patch: diff -Nru flameshot-0.9.0+ds1/debian/NEWS.Debian flameshot-0.9.0+ds1/debian/NEWS.Debian --- flameshot-0.9.0+ds1/debian/NEWS.Debian 1969-12-31 19:00:00.000000000 -0500 +++ flameshot-0.9.0+ds1/debian/NEWS.Debian 2023-09-21 13:16:48.000000000 -0400 
@@ -0,0 +1,16 @@ +flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium + + * This version disables the default imgur uploading token. + . + Flameshot before v0.10.0 does not pop up confirmation before + uploading the screenshot to imgur, which is a security risk + that may leak sensitive user information. + . + This version strips the embedded default imgur token from the + source code to disable default image uploading. Users who need + image uploading functionality may set their own imgur token + in flameshot configuration to re-enable this functionality. + . + For more information, check out https://bugs.debian.org/1051408 . + + -- Boyuan Yang <by...@debian.org> Thu, 21 Sep 2023 13:16:48 -0400 diff -Nru flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch --- flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch 1969-12-31 19:00:00.000000000 -0500 +++ flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch 2023-09-21 13:16:39.000000000 -0400 
@@ -0,0 +1,45 @@ +From: Boyuan Yang <by...@debian.org> +Date: Thu, 21 Sep 2023 13:14:23 -0400 +Subject: Disable default imgur token + +Flameshot before v0.10.0 does not pop up confirmation before +uploading the screenshot to imgur, which is a security risk +that may leak sensitive user information. + +This patch strips the embedded default imgur token from the +source code to disable default image uploading. Users who need +image uploading functionality may set their own imgur token +to re-enable this functionality. + +Bug-Debian: https://bugs.debian.org/1051408 +--- + src/CMakeLists.txt | 2 +- + src/imgur.pri | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt +index 4228407..4af4f35 100644 +--- a/src/CMakeLists.txt ++++ b/src/CMakeLists.txt +@@ -191,7 +191,7 @@ endif () + + target_compile_definitions(flameshot PRIVATE APP_PREFIX="${CMAKE_INSTALL_PREFIX}") + target_compile_definitions(flameshot PRIVATE APP_VERSION="v${PROJECT_VERSION}") +-target_compile_definitions(flameshot PRIVATE IMGUR_CLIENT_ID="313baf0c7b4d3ff") ++target_compile_definitions(flameshot PRIVATE IMGUR_CLIENT_ID="000000000000000") + #target_compile_definitions(flameshot PRIVATE QAPPLICATION_CLASS=QApplication) + target_compile_definitions(flameshot PRIVATE FLAMESHOT_APP_VERSION_URL="${GIT_API_URL}") + +diff --git a/src/imgur.pri b/src/imgur.pri +index 6e34b1e..3b41192 100644 +--- a/src/imgur.pri ++++ b/src/imgur.pri +@@ -1,7 +1,7 @@ + # Use default Imgur client_id if user did not pass + # this variable to qmake + isEmpty(IMGUR_CLIENT_ID) { +- IMGUR_CLIENT_ID = "313baf0c7b4d3ff" ++ IMGUR_CLIENT_ID = "000000000000000" + } + + DEFINES += IMGUR_CLIENT_ID=\\\"$${IMGUR_CLIENT_ID}\\\" diff -Nru flameshot-0.9.0+ds1/debian/patches/series flameshot-0.9.0+ds1/debian/patches/series --- flameshot-0.9.0+ds1/debian/patches/series 2021-07-22 18:10:19.000000000 -0400 +++ flameshot-0.9.0+ds1/debian/patches/series 2023-09-21 13:16:39.000000000 -0400 
@@ -3,3 +3,4 @@ 0003-Disable-automatic-update-checking-by-default.patch 0004-Fix-nullptr-reference-when-trayicon-is-disabled.patch 9af391b2e94b2ba21cb6af32535ed38240f695c0.patch +0006-Disable-default-imgur-token.patch
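Review bot: the debian/changelog hunk says the missing confirmation affects Flameshot "before v0.10.0", while the [ Other info ] section of this request points at the v11.0.0 release notes as the upstream fix; the two version references should agree so a reader of the changelog knows which upstream release actually added the prompt. Suggest checking which release introduced the confirmation dialog and using that same version string in debian/changelog, debian/NEWS.Debian and the patch header.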
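Review bot: the NEWS.Debian hunk tells users they "may set their own imgur token in flameshot configuration", but the only code changes in this debdiff are to a compile-time definition, IMGUR_CLIENT_ID in src/CMakeLists.txt and src/imgur.pri; nothing visible here shows a runtime configuration key that overrides it. Worth confirming that 0.9.0 really reads a user-supplied client id from its config and, if it does, naming the config key (and the file it lives in) in NEWS.Debian so users can follow the advice; if it does not, the sentence should instead describe rebuilding with a custom IMGUR_CLIENT_ID passed to cmake/qmake.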
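Review bot: in 0006-Disable-default-imgur-token.patch, replacing "313baf0c7b4d3ff" with "000000000000000" invalidates the credential but, as far as these two hunks show, leaves the upload code path itself intact: pressing the hotkey will still assemble the request and transmit the screenshot bytes to imgur with an unusable client id, and the upload fails at the API rather than never leaving the machine. That removes the public-link exposure from #1051408, but it is weaker than the title "Disable default imgur token" implies. Either document in NEWS.Debian that uploads now fail with an error instead of being disabled, or add a small runtime check in the upload code that refuses to start the request when IMGUR_CLIENT_ID is the placeholder value, so no data is sent at all.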
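Review bot: the debian/patches/series hunk adds the new patch as 0006 after 0003, 0004 and an unnumbered hash-named patch, leaving no 0005; if 0005 is not reserved for something else, numbering the new patch 0005 keeps the series sequential and avoids suggesting a dropped patch.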