Package: release.debian.org
Control: affects -1 + src:flameshot
X-Debbugs-Cc: flames...@packages.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bullseye
X-Debbugs-Cc: by...@debian.org
Severity: normal
[ Reason ]
As reported in https://bugs.debian.org/1051408 , current flameshot
in Debian 11 (Bullseye) will silently upload the current captured
screenshot to imgur without confirmation whenever the corresponding
hotkey is pressed. This imposes a security risk of leaking sensitive
information.
In order to mitigate this issue, I propose to upload flameshot
0.9.0+ds1-2+deb11u1, which strips the embedded imgur token hardcoded
in the source code. Users who wish to utilize the img uploading
feature can fill in their own imgur token in flameshot config
window to re-enable the feature.
[ Impact ]
If the update is not approved, users of flameshot will have their
captured screenshot uploaded to imgur by default when the hotkey
is pressed without prompt, which poses a security and information
leaking risk to Debian 11 users using flameshot.
[ Tests ]
Manually tested in a Debian Bullseye VM.
[ Risks ]
Minimum risk as seen from debdiff.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Reset hardcoded imgur token to all zero to invalidate img uploading
functionality by default. For details, please check debdiff attached.
[ Other info ]
Upstream takes a different fix by popping up a confirmation window
whenever an image upload is to be done. The details can be found
at https://github.com/flameshot-org/flameshot/releases/tag/v11.0.0 .
Such solution is not applied here due to the workload in backporting
all UI source code changes.
Thanks,
Boyuan Yang
diff -Nru flameshot-0.9.0+ds1/debian/changelog flameshot-0.9.0+ds1/debian/changelog
--- flameshot-0.9.0+ds1/debian/changelog 2021-07-22 18:10:19.0 -0400
+++ flameshot-0.9.0+ds1/debian/changelog 2023-09-21 13:16:48.0 -0400
@@ -1,3 +1,20 @@
+flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+ * debian/patches/0006-Disable-default-imgur-token.patch:
+Disable default imgur uploading token.
+.
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+.
+This patch strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+in flameshot configuration to re-enable this functionality.
+(Closes: #1051408)
+
+ -- Boyuan Yang Thu, 21 Sep 2023 13:16:48 -0400
+
flameshot (0.9.0+ds1-2) unstable; urgency=high
* debian/patches/0003-Disable-automatic-update-checking-by-default.patch:
diff -Nru flameshot-0.9.0+ds1/debian/NEWS.Debian flameshot-0.9.0+ds1/debian/NEWS.Debian
--- flameshot-0.9.0+ds1/debian/NEWS.Debian 1969-12-31 19:00:00.0 -0500
+++ flameshot-0.9.0+ds1/debian/NEWS.Debian 2023-09-21 13:16:48.0 -0400
@@ -0,0 +1,16 @@
+flameshot (0.9.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+ * This version disables the default imgur uploading token.
+.
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+.
+This version strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+in flameshot configuration to re-enable this functionality.
+.
+For more information, check out https://bugs.debian.org/1051408 .
+
+ -- Boyuan Yang Thu, 21 Sep 2023 13:16:48 -0400
diff -Nru flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch
--- flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch 1969-12-31 19:00:00.0 -0500
+++ flameshot-0.9.0+ds1/debian/patches/0006-Disable-default-imgur-token.patch 2023-09-21 13:16:39.0 -0400
@@ -0,0 +1,45 @@
+From: Boyuan Yang
+Date: Thu, 21 Sep 2023 13:14:23 -0400
+Subject: Disable default imgur token
+
+Flameshot before v0.10.0 does not pop up confirmation before
+uploading the screenshot to imgur, which is a security risk
+that may leak sensitive user information.
+
+This patch strips the embedded default imgur token from the
+source code to disable default image uploading. Users who need
+image uploading functionality may set their own imgur token
+to re-enable this functionality.
+
+Bug-Debian: https://bugs.debian.org/1051408
+---
+ src/CMakeLists.txt | 2 +-
+ src/imgur.pri | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+