Hi,

On Fri, Jul 15, 2022 at 02:04:38PM +0200, Moritz Mühlenhoff wrote:
> Source: onionshare
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
>
> Hi,
>
> The following vulnerabilities were published for onionshare.
>
> CVE-2021-41867[0]:
> | An information disclosure vulnerability in OnionShare 2.3 before 2.4
> | allows remote unauthenticated attackers to retrieve the full list of
> | participants of a non-public OnionShare node via the --chat feature.
>
> https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
> https://www.ihteam.net/advisory/onionshare/
>
> CVE-2021-41868[1]:
> | OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to
> | upload files on a non-public node when using the --receive
> | functionality.
>
> https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
> https://www.ihteam.net/advisory/onionshare/
>
> CVE-2022-21688[2]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. Affected versions of the desktop application were
> | found to be vulnerable to denial of service via an undisclosed
> | vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB
> | memory consumption and this can be triggered multiple times. To be
> | abused, this vulnerability requires rendering in the history tab, so
> | some user interaction is required. An adversary with knowledge of the
> | Onion service address in public mode or with authentication in private
> | mode can perform a Denial of Service attack, which quickly results in
> | out-of-memory for the server. This requires the desktop application
> | with rendered history, therefore the impact is only elevated. This
> | issue has been patched in version 2.5.
>
> https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
>
> CVE-2022-21689[3]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions the receive mode limits
> | concurrent uploads to 100 per second and blocks other uploads in the
> | same second, which can be triggered by a simple script. An adversary
> | with access to the receive mode can block file upload for others.
> | There is no way to block this attack in public mode due to the
> | anonymity properties of the tor network.
>
> https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc
>
> CVE-2022-21690[4]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions the path parameter of the
> | requested URL is not sanitized before being passed to the QT frontend.
> | This path is used in all components for displaying the server access
> | history. This leads to a rendered HTML4 Subset (QT RichText editor) in
> | the Onionshare frontend.
>
> https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq
>
> CVE-2022-21691[5]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions chat participants can spoof
> | their channel leave message, tricking others into assuming they left
> | the chatroom.
>
> https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766
>
> CVE-2022-21692[6]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions anyone with access to the chat
> | environment can write messages disguised as another chat participant.
>
> https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v
>
> CVE-2022-21693[7]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions an adversary with a primitive
> | that allows for filesystem access from the context of the Onionshare
> | process can access sensitive files in the entire user home folder.
> | This could lead to the leaking of sensitive data. Due to the automatic
> | exclusion of hidden folders, the impact is reduced. This can be
> | mitigated by usage of the flatpak release.
>
> https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6
>
> CVE-2022-21694[8]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. The website mode of the onionshare allows using a
> | hardened CSP, which will block any scripts and external resources. It
> | is not possible to configure this CSP for individual pages and
> | therefore the security enhancement cannot be used for websites using
> | javascript or external resources like fonts or images.
>
> https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h
> https://github.com/onionshare/onionshare/issues/1389
>
> CVE-2022-21695[9]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions authenticated users (or
> | unauthenticated in public mode) can send messages without being
> | visible in the list of chat participants. This issue has been resolved
> | in version 2.5.
>
> https://github.com/onionshare/onionshare/security/advisories/GHSA-99p8-9p2c-49j4
>
> CVE-2022-21696[10]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions it is possible to change the
> | username to that of another chat participant with an additional space
> | character at the end of the name string. An adversary with access to
> | the chat environment can use the rename feature to impersonate other
> | participants by adding whitespace characters at the end of the
> | username.
>
> https://github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9f
>
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-41867
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
> [1] https://security-tracker.debian.org/tracker/CVE-2021-41868
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
> [2] https://security-tracker.debian.org/tracker/CVE-2022-21688
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
> [3] https://security-tracker.debian.org/tracker/CVE-2022-21689
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
> [4] https://security-tracker.debian.org/tracker/CVE-2022-21690
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
> [5] https://security-tracker.debian.org/tracker/CVE-2022-21691
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
> [6] https://security-tracker.debian.org/tracker/CVE-2022-21692
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
> [7] https://security-tracker.debian.org/tracker/CVE-2022-21693
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
> [8] https://security-tracker.debian.org/tracker/CVE-2022-21694
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
> [9] https://security-tracker.debian.org/tracker/CVE-2022-21695
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
> [10] https://security-tracker.debian.org/tracker/CVE-2022-21696
>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696
From the reported list CVE-2021-41867 and CVE-2021-41868 were addressed in
2.4 upstream. But the others seem yet unfixed in 2.5, even though likely as
well those which contain "has been patched in 2.5". I have not found any
indication that this is really the case.

Any more insights OTOH from you on those?

Regards,
Salvatore
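As an added illustration of the trailing-whitespace impersonation described under CVE-2022-21696 (example code written for this note, not OnionShare's own implementation): participants are keyed by a canonical form of their name, so a rename to an existing name plus trailing or no-break spaces is rejected. The `normalize_name` helper and `ChatRoom` class are assumptions made for the demonstration, not names from the project.

```python
import re
import unicodedata

_WS = re.compile(r"\s+")


def normalize_name(name: str) -> str:
    """Canonical form of a display name for uniqueness checks."""
    # NFKC folds compatibility forms (full-width letters, no-break space ...)
    folded = unicodedata.normalize("NFKC", name)
    # collapse every run of whitespace and trim the ends, so
    # "alice", "alice " and "alice\u00a0" all map to "alice"
    return _WS.sub(" ", folded).strip()


class ChatRoom:
    """Tracks participants by canonical key so look-alike names cannot coexist.

    Hypothetical model for the example; not OnionShare's chat code.
    """

    def __init__(self) -> None:
        self._by_key: dict[str, str] = {}  # canonical key -> name as typed

    @staticmethod
    def _key(name: str) -> str:
        # casefold as well, so "Alice" cannot shadow "alice" (policy choice)
        return normalize_name(name).casefold()

    def join(self, name: str) -> bool:
        key = self._key(name)
        if not key or key in self._by_key:
            return False  # empty after normalisation, or collides
        self._by_key[key] = name.strip()
        return True

    def rename(self, old: str, new: str) -> bool:
        old_key, new_key = self._key(old), self._key(new)
        if old_key not in self._by_key or not new_key:
            return False
        if new_key != old_key and new_key in self._by_key:
            return False  # the CVE-2022-21696 case: "alice " collides with "alice"
        del self._by_key[old_key]
        self._by_key[new_key] = new.strip()
        return True

    def participants(self) -> list[str]:
        return sorted(self._by_key.values())
```

The same canonical key should be used wherever a name is looked up (message attribution, leave notices), not only at rename time.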