Your message dated Sat, 12 Oct 2024 16:17:16 +0100
with message-id <649ceb03-ff73-4118-8582-fc24addfc...@debian.org>
and subject line Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868
CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692
CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
has caused the Debian Bug report #1014966,
regarding onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688
CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693
CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1014966: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014966
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: onionshare
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for onionshare.
CVE-2021-41867[0]:
| An information disclosure vulnerability in OnionShare 2.3 before 2.4
| allows remote unauthenticated attackers to retrieve the full list of
| participants of a non-public OnionShare node via the --chat feature.
https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
https://www.ihteam.net/advisory/onionshare/
CVE-2021-41868[1]:
| OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to
| upload files on a non-public node when using the --receive
| functionality.
https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
https://www.ihteam.net/advisory/onionshare/
CVE-2022-21688[2]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. Affected versions of the desktop application were
| found to be vulnerable to denial of service via an undisclosed
| vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB
| memory consumption and this can be triggered multiple times. To be
| abused, this vulnerability requires rendering in the history tab, so
| some user interaction is required. An adversary with knowledge of the
| Onion service address in public mode or with authentication in private
| mode can perform a Denial of Service attack, which quickly results in
| out-of-memory for the server. This requires the desktop application
| with rendered history, therefore the impact is only elevated. This
| issue has been patched in version 2.5.
https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
CVE-2022-21689[3]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions the receive mode limits
| concurrent uploads to 100 per second and blocks other uploads in the
| same second, which can be triggered by a simple script. An adversary
| with access to the receive mode can block file upload for others.
| There is no way to block this attack in public mode due to the
| anonymity properties of the tor network.
https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc
CVE-2022-21690[4]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions The path parameter of the
| requested URL is not sanitized before being passed to the QT frontend.
| This path is used in all components for displaying the server access
| history. This leads to a rendered HTML4 Subset (QT RichText editor) in
| the Onionshare frontend.
https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq
CVE-2022-21691[5]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions chat participants can spoof
| their channel leave message, tricking others into assuming they left
| the chatroom.
https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766
CVE-2022-21692[6]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions anyone with access to the chat
| environment can write messages disguised as another chat participant.
https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v
CVE-2022-21693[7]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions an adversary with a primitive
| that allows for filesystem access from the context of the Onionshare
| process can access sensitive files in the entire user home folder.
| This could lead to the leaking of sensitive data. Due to the automatic
| exclusion of hidden folders, the impact is reduced. This can be
| mitigated by usage of the flatpak release.
https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6
CVE-2022-21694[8]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. The website mode of the onionshare allows to use a
| hardened CSP, which will block any scripts and external resources. It
| is not possible to configure this CSP for individual pages and
| therefore the security enhancement cannot be used for websites using
| javascript or external resources like fonts or images.
https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h
https://github.com/onionshare/onionshare/issues/1389
CVE-2022-21695[9]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions authenticated users (or
| unauthenticated in public mode) can send messages without being
| visible in the list of chat participants. This issue has been resolved
| in version 2.5.
https://github.com/onionshare/onionshare/security/advisories/GHSA-99p8-9p2c-49j4
CVE-2022-21696[10]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions it is possible to change the
| username to that of another chat participant with an additional space
| character at the end of the name string. An adversary with access to
| the chat environment can use the rename feature to impersonate other
| participants by adding whitespace characters at the end of the
| username.
https://github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9f
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-41867
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
[1] https://security-tracker.debian.org/tracker/CVE-2021-41868
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
[2] https://security-tracker.debian.org/tracker/CVE-2022-21688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
[3] https://security-tracker.debian.org/tracker/CVE-2022-21689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
[4] https://security-tracker.debian.org/tracker/CVE-2022-21690
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
[5] https://security-tracker.debian.org/tracker/CVE-2022-21691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
[6] https://security-tracker.debian.org/tracker/CVE-2022-21692
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
[7] https://security-tracker.debian.org/tracker/CVE-2022-21693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
[8] https://security-tracker.debian.org/tracker/CVE-2022-21694
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
[9] https://security-tracker.debian.org/tracker/CVE-2022-21695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
[10] https://security-tracker.debian.org/tracker/CVE-2022-21696
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Hi,
On Sun, 27 Nov 2022 11:45:27 +0100 =?UTF-8?Q?Cl=c3=a9ment_Hermann?=
<nod...@debian.org> wrote:
FYI, backported fixes have been uploaded and should be included in next
point release (#1023981)
And this happened long time ago, so let's close this bug. (The BTS
already knows it doesn't apply to stable, testing or unstable for a while).
Paul
OpenPGP_signature.asc
Description: OpenPGP digital signature
--- End Message ---
