Bug#1052420: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1

2023-09-24 Thread Boyuan Yang
On Sun, 2023-09-24 at 19:09 +0100, Adam D. Barratt wrote:
> On Sat, 2023-09-23 at 22:10 +0100, Adam D. Barratt wrote:
> > Control: tags -1 confirmed
> > 
> > On Thu, 2023-09-21 at 13:37 -0400, Boyuan Yang wrote:
> > > As reported in https://bugs.debian.org/1051408 , current flameshot
> > > in Debian 11 (Bullseye) will silently upload the current captured
> > > screenshot to imgur without confirmation whenever the corresponding
> > > hotkey is pressed. This imposes a security risk of leaking sensitive
> > > information.
> > > 
> > > In order to mitigate this issue, I propose to upload flameshot
> > > 0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded
> > > in the source code. Users who wish to utilize the img uploading
> > > feature can fill in their own imgur token in flameshot config
> > > window to re-enable the feature.
> > > 
> > 
> > Please go ahead.
> > 
> 
> I should have spotted this before, but the news file in the source
> package should simply be named "debian/NEWS"; dh_installchangelogs will
> then install it as NEWS.Debian in the binary package.
> 
> It's up to you whether you want to upload a +deb11u2 that simply fixes
> that, or would prefer that we reject the existing upload and you can
> upload a fixed +deb11u1.

Thanks, I just uploaded a +deb11u2 to reflect this change.

Best,
Boyuan Yang




Bug#1052420: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1

2023-09-24 Thread Adam D. Barratt
On Sat, 2023-09-23 at 22:10 +0100, Adam D. Barratt wrote:
> Control: tags -1 confirmed
> 
> On Thu, 2023-09-21 at 13:37 -0400, Boyuan Yang wrote:
> > As reported in https://bugs.debian.org/1051408 , current flameshot
> > in Debian 11 (Bullseye) will silently upload the current captured
> > screenshot to imgur without confirmation whenever the corresponding
> > hotkey is pressed. This imposes a security risk of leaking sensitive
> > information.
> > 
> > In order to mitigate this issue, I propose to upload flameshot
> > 0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded
> > in the source code. Users who wish to utilize the img uploading
> > feature can fill in their own imgur token in flameshot config
> > window to re-enable the feature.
> > 
> 
> Please go ahead.
> 

I should have spotted this before, but the news file in the source
package should simply be named "debian/NEWS"; dh_installchangelogs will
then install it as NEWS.Debian in the binary package.

It's up to you whether you want to upload a +deb11u2 that simply fixes
that, or would prefer that we reject the existing upload and you can
upload a fixed +deb11u1.

Regards,

Adam



Processed: Re: Bug#1052420: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1

2023-09-23 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 confirmed
Bug #1052420 [release.debian.org] bullseye-pu: package 
flameshot/0.9.0+ds1-2+deb11u1
Added tag(s) confirmed.

-- 
1052420: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052420
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1052420: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Thu, 2023-09-21 at 13:37 -0400, Boyuan Yang wrote:
> As reported in https://bugs.debian.org/1051408 , current flameshot
> in Debian 11 (Bullseye) will silently upload the current captured
> screenshot to imgur without confirmation whenever the corresponding
> hotkey is pressed. This imposes a security risk of leaking sensitive
> information.
> 
> In order to mitigate this issue, I propose to upload flameshot
> 0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded
> in the source code. Users who wish to utilize the img uploading
> feature can fill in their own imgur token in flameshot config
> window to re-enable the feature.
> 

Please go ahead.

Regards,

Adam



Bug#1052420: bullseye-pu: package flameshot/0.9.0+ds1-2+deb11u1

2023-09-21 Thread Boyuan Yang
Package: release.debian.org
Control: affects -1 + src:flameshot
X-Debbugs-Cc: flames...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: by...@debian.org
Severity: normal


[ Reason ]
As reported in https://bugs.debian.org/1051408 , current flameshot
in Debian 11 (Bullseye) will silently upload the current captured
screenshot to imgur without confirmation whenever the corresponding
hotkey is pressed. This imposes a security risk of leaking sensitive
information.

In order to mitigate this issue, I propose to upload flameshot
0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded
in the source code. Users who wish to utilize the img uploading
feature can fill in their own imgur token in flameshot config
window to re-enable the feature.


[ Impact ]
If the update is not approved, users of flameshot will have their
captured screenshot uploaded to imgur by default when the hotkey
is pressed without prompt, which poses a security and information
leaking risk to Debian 11 users using flameshot.

[ Tests ]
Manually tested in a Debian Bullseye VM.

[ Risks ]
Minimum risk as seen from debdiff.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Reset hardcoded imgur token to all zero to invalidate img uploading
functionality by default. For details, please check debdiff attached.

[ Other info ]
Upstream takes a different fix by popping up a confirmation window
whenever an image upload is to be done. The details can be found
at https://github.com/flameshot-org/flameshot/releases/tag/v11.0.0 .
Such solution is not applied here due to the workload in backporting
all UI source code changes.


Thanks,
Boyuan Yang
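An added illustration (not flameshot's code and not part of the debdiff) of the two mitigations discussed in this thread: the Debian fix, which removes the usable default token so the hotkey does nothing until the user configures their own, and the upstream fix, which asks for confirmation before every upload. It goes one step further than the Debian patch by refusing locally when the configured value is empty or the all-zero placeholder, so an invalid credential never causes the screenshot bytes to be sent at all; the token values and the `UploadConfig` layout are constructed for the example.

```python
"""Upload gate modelling the mitigations from Debian bug #1051408.

Constructed example, not flameshot's code. Before the fix a token
embedded in the source let the hotkey upload a screenshot silently.
The Debian fix zeroes that default so users must supply their own;
upstream adds a confirmation dialog. This gate applies both, and also
refuses locally when the token is a placeholder, so nothing leaves
the machine unless a real credential and an explicit "yes" are present.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed placeholder standing in for a token "reset to all zero".
ZERO_TOKEN = "0" * 15


@dataclass
class UploadConfig:
    # Token typed by the user in the config window; None if never set.
    user_token: Optional[str] = None
    # A default still shipped in the build (pre-fix); None/zeros after.
    embedded_default: Optional[str] = None


def usable_token(cfg: UploadConfig) -> Optional[str]:
    """Return the credential to use, or None if uploading must stay off."""
    for candidate in (cfg.user_token, cfg.embedded_default):
        if candidate is None:
            continue
        token = candidate.strip()
        # Empty or all-zero values are placeholders, not credentials.
        if token and set(token) != {"0"}:
            return token
    return None


def decide_upload(cfg: UploadConfig, confirm: Callable[[], bool]) -> str:
    """Outcome of a hotkey press: 'upload', 'disabled' or 'declined'."""
    token = usable_token(cfg)
    if token is None:
        return "disabled"   # no real credential: no request is built
    if not confirm():
        return "declined"   # user saw the prompt and refused
    return "upload"         # real token plus explicit consent
```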
diff -Nru flameshot-0.9.0+ds1/debian/changelog flameshot-0.9.0+ds1/debian/changelog
--- flameshot-0.9.0+ds1/debian/changelog	2021-07-22 18:10:19.0 -0400
+++ flameshot-0.9.0+ds1/debian/changelog	2023-09-21 13:16:48.0 -0400
@@ -1,3 +1,20 @@
+flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+  * debian/patches/0006-Disable-default-imgur-token.patch:
+Disable default imgur uploading token.
+.
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+.
+This patch strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+in flameshot configuration to re-enable this functionality.
+(Closes: #1051408)
+
+ -- Boyuan Yang   Thu, 21 Sep 2023 13:16:48 -0400
+
 flameshot (0.9.0+ds1-2) unstable; urgency=high
 
   * debian/patches/0003-Disable-automatic-update-checking-by-default.patch:
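Review bot: the entry dates the missing confirmation to "Flameshot before v0.10.0", while the cover message's [Other info] points at the v11.0.0 release notes for the upstream change; confirm which upstream version actually introduced the prompt so the changelog, NEWS file and patch header all state the same version. The [Changes] section also describes the token as "reset to all zero" whereas this entry says it is "stripped"; pick one wording so a reader of the changelog knows whether the value is removed or replaced with a placeholder.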
diff -Nru flameshot-0.9.0+ds1/debian/NEWS.Debian flameshot-0.9.0+ds1/debian/NEWS.Debian
--- flameshot-0.9.0+ds1/debian/NEWS.Debian	1969-12-31 19:00:00.0 -0500
+++ flameshot-0.9.0+ds1/debian/NEWS.Debian	2023-09-21 13:16:48.0 -0400
@@ -0,0 +1,16 @@
+flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+  * This version disables the default imgur uploading token.
+.
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+.
+This version strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+in flameshot configuration to re-enable this functionality.
+.
+For more information, check out https://bugs.debian.org/1051408 .
+
+ -- Boyuan Yang   Thu, 21 Sep 2023 13:16:48 -0400
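Review bot: the file is added as debian/NEWS.Debian, but it should be named debian/NEWS; dh_installchangelogs then installs it as NEWS.Debian in the binary package (as Adam notes elsewhere in this thread), otherwise the notice is never shipped and users upgrading from Debian 11 get no warning that image uploading is now disabled by default.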
diff -Nru flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch
--- flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch	1969-12-31 19:00:00.0 -0500
+++ flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch	2023-09-21 13:16:39.0 -0400
@@ -0,0 +1,45 @@
+From: Boyuan Yang 
+Date: Thu, 21 Sep 2023 13:14:23 -0400
+Subject: Disable default imgur token
+
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+
+This patch strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+to re-enable this functionality.
+
+Bug-Debian: https://bugs.debian.org/1051408
+---
+ src/CMakeLists.txt | 2 +-
+ src/imgur.pri  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
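Review bot: the patch header lists src/CMakeLists.txt and src/imgur.pri as changed, but the hunks for those two files are not included in this debdiff excerpt, so the actual token change cannot be reviewed here; please make sure the full debdiff is attached. Two things to confirm in those hunks once visible: first, with the token reset to zeros, whether the client still builds and sends the upload request (carrying the screenshot) before imgur rejects the credential, because if so the image still leaves the machine and a local check for an empty or placeholder token would be the safer default; second, add a DEP-3 "Forwarded: not-needed" line to the header, since this is a Debian-specific change and upstream took a different approach.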