Bug#989846: CVE-2021-22895
Hi Sandro,

On Sun, Sep 12, 2021 at 06:33:57PM +0200, Sandro Knauß wrote:
> Hey,
> > > > What about Buster? Is 2.5 also affected?
> > >
> > > yes 2.5 is also affected. At least the source files look the same.
> >
> > Ack, can you also prepare an update for buster-security, please?
>
> I have here a proposed debdiff. I added a third patch, so users have the
> possibility to accept invalid certs otherwise they would fail silently. At
> least for me this sounds like not a proper solution.

Deferring a reply for this one to Moritz.

> * Do I need to upload also with sources? How can I check this myself?

Whenever you do a first upload to security-master where the source would not
have been present yet, then yes the orig source needs to be included. For
nextcloud-desktop +deb10u1 was via a buster point release, so it would be
correct to build with -sa.

Note that you want to change the target distribution to buster-security in:

> +nextcloud-desktop (2.5.1-3+deb10u2) buster; urgency=high

Regards,
Salvatore
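A scripted form of the two checks Salvatore describes, added here as an example and not a Debian tool: it reads a built .changes file, requires a *-security distribution together with that suite's +debNuM revision suffix (the stable-update naming convention; only buster and bullseye are mapped, an assumption of this example), and, when the source is new to security-master, requires the .orig.tar.* in the Files: field, which is what building with -sa produces. The sample .changes files it writes are constructed for the demonstration and unsigned; the checksum column is a placeholder.

```shell
#!/bin/sh
# Added example (not a Debian tool): pre-upload checks on a .changes file
# destined for security-master.
#   1. Distribution must be a *-security suite (only buster/bullseye mapped here).
#   2. Version should carry that suite's +debNuM revision suffix (convention).
#   3. If this is the first upload of the source to security-master
#      (orig_required=1), Files: must list the .orig.tar.* -> built with -sa.
# Exit status 0 when everything passes, 1 otherwise; reasons go to stderr.
check_security_changes() {
    changes="$1"
    orig_required="${2:-1}"
    rc=0
    dist=$(sed -n 's/^Distribution: *//p' "$changes")
    version=$(sed -n 's/^Version: *//p' "$changes")

    case "$dist" in
        buster-security)   want='+deb10u' ;;
        bullseye-security) want='+deb11u' ;;
        *) echo "Distribution '$dist' is not a security suite" >&2; return 1 ;;
    esac

    case "$version" in
        *"$want"*) ;;
        *) echo "Version '$version' lacks the $want suffix expected for $dist" >&2; rc=1 ;;
    esac

    # Files: is a multi-line field; its entries are the indented lines that
    # follow it, up to the next unindented field name.
    if [ "$orig_required" = 1 ] && ! awk '
            /^Files:/ { infiles = 1; next }
            /^[^ ]/   { infiles = 0 }
            infiles && /\.orig\.tar\./ { found = 1 }
            END { exit !found }' "$changes"; then
        echo "Files: lists no .orig.tar.* (rebuild with -sa)" >&2
        rc=1
    fi
    return $rc
}

# Writes a constructed, unsigned .changes file to $1 for the demonstration:
# $2 = Distribution, $3 = Version, $4 = 1 to include the orig tarball.
# The md5 column is a placeholder (all zeros), not a real checksum.
write_sample_changes() {
    {
        printf 'Format: 1.8\nSource: nextcloud-desktop\nArchitecture: source\n'
        printf 'Version: %s\nDistribution: %s\nUrgency: high\n' "$3" "$2"
        printf 'Files:\n'
        if [ "$4" = 1 ]; then
            printf ' %032d 1 net optional nextcloud-desktop_2.5.1.orig.tar.gz\n' 0
        fi
        printf ' %032d 1 net optional nextcloud-desktop_%s.debian.tar.xz\n' 0 "$3"
        printf ' %032d 1 net optional nextcloud-desktop_%s.dsc\n' 0 "$3"
    } > "$1"
}

# Demonstration: a buster-security build with -sa passes; the same build
# without the orig tarball is rejected when the source is new to security-master.
demo_dir=$(mktemp -d)
write_sample_changes "$demo_dir/ok.changes"      buster-security 2.5.1-3+deb10u2 1
write_sample_changes "$demo_dir/no-orig.changes" buster-security 2.5.1-3+deb10u2 0
check_security_changes "$demo_dir/ok.changes" 1 && echo "ok.changes: ready for security-master"
check_security_changes "$demo_dir/no-orig.changes" 1 || echo "no-orig.changes: rejected"
rm -rf "$demo_dir"
```

Run it against the .changes that dpkg-buildpackage -sa (or debuild -sa) produced, with 1 as the second argument for a first upload of the source to security-master and 0 otherwise. On a Debian system, dpkg-parsechangelog -S Distribution gives the same distribution check directly from debian/changelog before the build.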
Bug#989846: CVE-2021-22895
Hey,

> > > What about Buster? Is 2.5 also affected?
> >
> > yes 2.5 is also affected. At least the source files look the same.
>
> Ack, can you also prepare an update for buster-security, please?

I have here a proposed debdiff. I added a third patch, so users have the
possibility to accept invalid certs otherwise they would fail silently. At
least for me this sounds like not a proper solution.

* Do I need to upload also with sources? How can I check this myself?

Cheers,
hefee

diff -Nru nextcloud-desktop-2.5.1/debian/changelog nextcloud-desktop-2.5.1/debian/changelog --- nextcloud-desktop-2.5.1/debian/changelog 2019-08-29 18:57:38.0 +0200 +++ nextcloud-desktop-2.5.1/debian/changelog 2021-09-11 11:53:28.0 +0200 @@ -1,3 +1,12 @@ +nextcloud-desktop (2.5.1-3+deb10u2) buster; urgency=high + + * Add backported patch to fix CVE-2021-22895. (Closes: #989846) + * Add backported patch to fix CVE-2021-32728. + * Update patch for CVE-2021-32728 for v2.5.1. + * Add patch to make it possible to accept invalid SSL certificates. + + -- Sandro Knauß Sat, 11 Sep 2021 11:53:28 +0200 + nextcloud-desktop (2.5.1-3+deb10u1) buster; urgency=medium * Make nextcloud-desktop-cmd depend on nextcloud-desktop-common. diff -Nru nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch --- nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch 1970-01-01 01:00:00.0 +0100 +++ nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch 2021-09-10 22:17:16.0 +0200 
@@ -0,0 +1,37 @@ +From 142180c0e297ef500daf8328e7ea3020e33a3639 Mon Sep 17 00:00:00 2001 +From: Felix Weilbach +Date: Wed, 10 Feb 2021 09:53:57 +0100 +Subject: [PATCH] Validate the providers ssl certificate + +Signed-off-by: Felix Weilbach +--- + src/gui/wizard/webview.cpp | 12 ++-- + 1 file changed, 2 insertions(+), 10 deletions(-) + +--- a/src/gui/wizard/webview.cpp b/src/gui/wizard/webview.cpp +@@ -45,9 +45,6 @@ public: + + protected: + bool certificateError(const QWebEngineCertificateError ) override; +- +-private: +-QUrl _rootUrl; + }; + + // We need a separate class here, since we cannot simply return the same WebEnginePage object +@@ -157,14 +154,9 @@ QWebEnginePage * WebEnginePage::createWi + + void WebEnginePage::setUrl(const QUrl ) { + QWebEnginePage::setUrl(url); +-_rootUrl = url; + } + + bool WebEnginePage::certificateError(const QWebEngineCertificateError ) { +-if (certificateError.error() == QWebEngineCertificateError::CertificateAuthorityInvalid) { +-return certificateError.url().host() == _rootUrl.host(); +-} +- + return false; + } + diff -Nru nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch --- nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch 1970-01-01 01:00:00.0 +0100 +++ nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch 2021-09-11 11:28:54.0 +0200 
@@ -0,0 +1,88 @@ +From 7fb09a81632de6066e55def20308d6e61cadbc48 Mon Sep 17 00:00:00 2001 +From: Matthieu Gallien +Date: Wed, 19 May 2021 15:36:47 +0200 +Subject: [PATCH] check e2ee public key against private one + +should ensure we have matching private/public keys + +Signed-off-by: Matthieu Gallien +--- + src/libsync/clientsideencryption.cpp | 30 +++- + src/libsync/clientsideencryption.h | 1 + + 2 files changed, 30 insertions(+), 1 deletion(-) + +--- a/src/libsync/clientsideencryption.cpp b/src/libsync/clientsideencryption.cpp +@@ -15,6 +15,7 @@ + #include "creds/abstractcredentials.h" + + #include ++#include + + #include + +@@ -30,6 +31,7 @@ + #include + #include + #include ++#include + + #include + +@@ -644,6 +646,37 @@ void ClientSideEncryption::fetchFromKeyC + job->start(); + } + ++ bool ClientSideEncryption::checkPublicKeyValidity() const ++ { ++ QByteArray data = EncryptionHelper::generateRandom(64); ++ ++ BIO *publicKeyBio = BIO_new(BIO_s_mem()); ++ QByteArray publicKeyPem = _account->e2e()->_publicKey.toPem(); ++ BIO_write(publicKeyBio, publicKeyPem.constData(), publicKeyPem.size()); ++ EVP_PKEY *publicKey = PEM_read_bio_PUBKEY(publicKeyBio, nullptr, nullptr, nullptr); ++ BIO_free_all(publicKeyBio); ++ ++ auto encryptedData = EncryptionHelper::encryptStringAsymmetric(publicKey, data.toBase64()); ++ ++ BIO *privateKeyBio = BIO_new(BIO_s_mem()); ++ QByteArray privateKeyPem = _account->e2e()->_privateKey; ++ BIO_write(privateKeyBio, privateKeyPem.constData(), privateKeyPem.size()); ++ EVP_PKEY *key = PEM_read_bio_PrivateKey(privateKeyBio, nullptr, nullptr, nullptr); ++
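Review bot: the new changelog entry targets `buster` (`+nextcloud-desktop (2.5.1-3+deb10u2) buster; urgency=high`) although this debdiff is meant for buster-security, so the distribution field has to read `buster-security`, as the bullseye entry does with `bullseye-security`. The fourth item, `Add patch to make it possible to accept invalid SSL certificates`, is not in the visible part of the debdiff and as worded re-opens what patch 0006 closes (an invalid certificate accepted without validation); if that patch stays, the changelog line and the patch's DEP-3 header should state that acceptance only happens after an explicit user decision and never automatically.

Review bot: the 0006 patch file carries only the upstream `From:`/`Date:`/`Subject:` lines of 142180c0e297ef500daf8328e7ea3020e33a3639, yet the hunks were re-based by hand (`@@ -45,9 +45,6 @@` and `@@ -157,14 +154,9 @@` here against `@@ -52,9 +52,6 @@` and `@@ -191,15 +188,10 @@` in the 3.1.1 patch, and the 2.5.1 code removed the nested `if (certificateError.error() == QWebEngineCertificateError::CertificateAuthorityInvalid) { return certificateError.url().host() == _rootUrl.host(); }` rather than the 3.1.1 `&&` form); add `Origin: backport, https://github.com/nextcloud/desktop/commit/142180c0e297ef500daf8328e7ea3020e33a3639` and `Bug-Debian: https://bugs.debian.org/989846` to the header so the next updater knows it is not the verbatim upstream diff. The result is functionally right: `certificateError` returns `false` unconditionally and `setUrl` is reduced to a pass-through to `QWebEnginePage::setUrl`, so the now-pointless `setUrl` override could also go, though keeping it minimises the distance from upstream.

Review bot: in the `checkPublicKeyValidity` hunk of 0007, `PEM_read_bio_PUBKEY` and `PEM_read_bio_PrivateKey` return nullptr on unparsable PEM, and `publicKey`/`key` are handed to `encryptStringAsymmetric` and the decrypt that follows without a check, so a corrupted keychain entry becomes a null dereference instead of the `false` this function exists to report; add `if (!publicKey) { return false; }` directly after `BIO_free_all(publicKeyBio);` and the same for `key`. The `EVP_PKEY` objects also need `EVP_PKEY_free` on every return path (only the BIO is freed in the visible lines), which the 3.1.1 version gets from its `Bio`/`PKey` RAII wrappers. The remainder of the function is cut off in this copy, so the decrypt-and-compare part cannot be reviewed here.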
Bug#989846: CVE-2021-22895
On Sun, Aug 22, 2021 at 09:34:58PM +0200, Sandro Knauß wrote:
> Hey,
>
> > Looks good! Please build with -sa (since nextcloud-desktop is new in
> > bullseye-security and ftp.d.o and security.d.o don't share tarballs).
>
> done.
>
> > What about Buster? Is 2.5 also affected?
>
> yes 2.5 is also affected. At least the source files look the same.

Ack, can you also prepare an update for buster-security, please? With the
release of Bullseye, Buster remains supported for another year with non-LTS
security support.

Cheers,
Moritz
Bug#989846: CVE-2021-22895
Hey,

> Looks good! Please build with -sa (since nextcloud-desktop is new in
> bullseye-security and ftp.d.o and security.d.o don't share tarballs).

done.

> What about Buster? Is 2.5 also affected?

yes 2.5 is also affected. At least the source files look the same.

hefee
Bug#989846: CVE-2021-22895
On Sun, Aug 22, 2021 at 08:47:45PM +0200, Sandro Knauß wrote:
> Hey,
>
> finally, I managed to prepare a patched version of nextcloud-desktop.
>
> I fixed both open issues for nextcloud-desktop for bullseye. See my attached
> debdiff.
>
> * CVE-2021-22895
> * CVE-2021-32728
>
> Did I manage all fields correctly (codename and urgency)?
>
> sid will be fixed with a new upload of 3.3.1-1 in the next hours.

Looks good! Please build with -sa (since nextcloud-desktop is new in
bullseye-security and ftp.d.o and security.d.o don't share tarballs).

What about Buster? Is 2.5 also affected?

Cheers,
Moritz
Bug#989846: CVE-2021-22895
Hey,

finally, I managed to prepare a patched version of nextcloud-desktop.

I fixed both open issues for nextcloud-desktop for bullseye. See my attached
debdiff.

* CVE-2021-22895
* CVE-2021-32728

Did I manage all fields correctly (codename and urgency)?

sid will be fixed with a new upload of 3.3.1-1 in the next hours.

regards,
hefee

diff -Nru nextcloud-desktop-3.1.1/debian/changelog nextcloud-desktop-3.1.1/debian/changelog --- nextcloud-desktop-3.1.1/debian/changelog 2021-05-08 19:39:35.0 +0200 +++ nextcloud-desktop-3.1.1/debian/changelog 2021-08-22 19:59:32.0 +0200 @@ -1,3 +1,11 @@ +nextcloud-desktop (3.1.1-2+deb11u1) bullseye-security; urgency=high + + * Add backported patch to fix CVE-2021-22895 (Closes: #989846). + * Add backported patch to fix CVE-2021-32728 with small modifications to +match for Debian. + + -- Sandro Knauß Sun, 22 Aug 2021 19:59:32 +0200 + nextcloud-desktop (3.1.1-2) unstable; urgency=medium * Add two upstream patches to fix CVE-2021-22879 (Closes: #987274): diff -Nru nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch --- nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch 1970-01-01 01:00:00.0 +0100 +++ nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch 2021-08-22 19:59:32.0 +0200 
@@ -0,0 +1,45 @@ +From 142180c0e297ef500daf8328e7ea3020e33a3639 Mon Sep 17 00:00:00 2001 +From: Felix Weilbach +Date: Wed, 10 Feb 2021 09:53:57 +0100 +Subject: [PATCH] Validate the providers ssl certificate + +Signed-off-by: Felix Weilbach +--- + src/gui/wizard/webview.cpp | 12 ++-- + 1 file changed, 2 insertions(+), 10 deletions(-) + +diff --git a/src/gui/wizard/webview.cpp b/src/gui/wizard/webview.cpp +index e03f86509..6c2207f48 100644 +--- a/src/gui/wizard/webview.cpp b/src/gui/wizard/webview.cpp +@@ -52,9 +52,6 @@ public: + + protected: + bool certificateError(const QWebEngineCertificateError ) override; +- +-private: +-QUrl _rootUrl; + }; + + // We need a separate class here, since we cannot simply return the same WebEnginePage object +@@ -191,15 +188,10 @@ QWebEnginePage * WebEnginePage::createWindow(QWebEnginePage::WebWindowType type) + + void WebEnginePage::setUrl(const QUrl ) { + QWebEnginePage::setUrl(url); +-_rootUrl = url; + } + +-bool WebEnginePage::certificateError(const QWebEngineCertificateError ) { +-if (certificateError.error() == QWebEngineCertificateError::CertificateAuthorityInvalid && +-certificateError.url().host() == _rootUrl.host()) { +-return true; +-} +- ++bool WebEnginePage::certificateError(const QWebEngineCertificateError ) ++{ + /** + * TODO properly improve this. + * The certificate should be displayed. +-- +2.33.0 + diff -Nru nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch --- nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch 1970-01-01 01:00:00.0 +0100 +++ nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch 2021-08-22 19:59:32.0 +0200 
@@ -0,0 +1,83 @@ +From 7fb09a81632de6066e55def20308d6e61cadbc48 Mon Sep 17 00:00:00 2001 +From: Matthieu Gallien +Date: Wed, 19 May 2021 15:36:47 +0200 +Subject: [PATCH] check e2ee public key against private one + +should ensure we have matching private/public keys + +Signed-off-by: Matthieu Gallien +--- + src/libsync/clientsideencryption.cpp | 30 +++- + src/libsync/clientsideencryption.h | 1 + + 2 files changed, 30 insertions(+), 1 deletion(-) + +--- a/src/libsync/clientsideencryption.cpp b/src/libsync/clientsideencryption.cpp +@@ -16,6 +16,7 @@ + + #include + #include ++#include + + #include + +@@ -32,6 +33,7 @@ + #include + #include + #include ++#include + + #include + #include "common/utility.h" +@@ -797,6 +799,32 @@ void ClientSideEncryption::fetchFromKeyC + job->start(); + } + ++ bool ClientSideEncryption::checkPublicKeyValidity() const ++ { ++ QByteArray data = EncryptionHelper::generateRandom(64); ++ ++ Bio publicKeyBio; ++ QByteArray publicKeyPem = _account->e2e()->_publicKey.toPem(); ++ BIO_write(publicKeyBio, publicKeyPem.constData(), publicKeyPem.size()); ++ auto publicKey = PKey::readPublicKey(publicKeyBio); ++ ++ auto encryptedData = EncryptionHelper::encryptStringAsymmetric(publicKey, data.toBase64()); ++ ++ Bio privateKeyBio; ++ QByteArray privateKeyPem = _account->e2e()->_privateKey; ++ BIO_write(privateKeyBio, privateKeyPem.constData(), privateKeyPem.size()); ++ auto key = PKey::readPrivateKey(privateKeyBio); ++ ++ QByteArray decryptResult =
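Review bot: `with small modifications to match for Debian` in the CVE-2021-32728 changelog item does not say what was modified; put the concrete adaptation into the DEP-3 header of 0008 (`Origin: backport, https://github.com/nextcloud/desktop/commit/7fb09a81632de6066e55def20308d6e61cadbc48` plus a line naming what differs from upstream) so it can be reviewed against the original commit, and reword the item to `with small modifications for the 3.1.1 code base`.

Review bot: the 0007 hunk for `webview.cpp` ends inside the new `certificateError` body, right after the `TODO properly improve this. The certificate should be displayed.` comment, so what the function returns is not visible; please confirm it ends in an unconditional `return false;` like the 2.5.1 backport, because the deleted branch (`CertificateAuthorityInvalid && certificateError.url().host() == _rootUrl.host()` followed by `return true;`) is exactly the accept-invalid-CA behaviour the advisory describes. Since this copy keeps the upstream `index e03f86509..6c2207f48` line it looks like the verbatim upstream diff, so `Origin: upstream, <commit url>` and `Bug-Debian: https://bugs.debian.org/989846` would complete the header.

Review bot: in the `checkPublicKeyValidity` hunk of 0008, `PKey::readPublicKey`/`readPrivateKey` presumably wrap the `PEM_read_bio_PUBKEY`/`PEM_read_bio_PrivateKey` calls the 2.5.1 version makes explicitly, and those return nullptr on malformed input, yet `publicKey` and `key` go straight into `encryptStringAsymmetric` and the decrypt that follows; add an explicit null check on both (in whatever form `PKey` exposes) that returns `false` before use, so a corrupt keychain entry is reported as an invalid key instead of crashing the sync client. The hunk is truncated at `QByteArray decryptResult =`, so the comparison itself cannot be reviewed here.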
Bug#989846: CVE-2021-22895
Package: nextcloud-desktop
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team

See https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5

Patch: https://github.com/nextcloud/desktop/commit/b1ddd0e491b2af0ed040e658d8bcde2a7a61c9fc

Can you please upload a targeted fix and ask for an unblock with the release team?

Cheers,
Moritz