Hi,
On 23/10/2022 at 18:27, Clément Hermann wrote:
> Hi,
> On 22/10/2022 at 15:01, Salvatore Bonaccorso wrote:
>> Thanks for the quick reply! (much appreciated). I think it would be
>> good to get a confirmation from upstream and if possible to have
>> those advisories updated. E.g.
>> https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
>> while mentioning "affected versions < 2.4" the patched version remains
>> "none". This might be that the < 2.4 just reflects the point in time
>> when the advisory was filed. OTOH you have arguments with the v2.5
>> release information that they might all be fixed.
>> To be on the safe side, explicitly confirming by upstream would be great.
> Agreed. And asked upstream:
> https://github.com/onionshare/onionshare/issues/1633.
Upstream replied quickly (yay!) and confirms the known issues are fixed
in 2.5.
Also, the detail of the vulnerable/patched versions has been updated.
Quoting from the upstream issue:
Only affected >= 2.3 - < 2.5: CVE-2021-41867
<https://github.com/advisories/GHSA-6rvj-pw9w-jcvc>, CVE-2022-21691
<https://github.com/advisories/GHSA-w9m4-7w72-r766>, CVE-2022-21695
<https://github.com/advisories/GHSA-99p8-9p2c-49j4>, CVE-2022-21696
<https://github.com/advisories/GHSA-68vr-8f46-vc9f>
Only affected >= 2.2 - < 2.5: CVE-2022-21694
<https://github.com/advisories/GHSA-h29c-wcm8-883h>
Only affected >=2.0 - < 2.5: CVE-2022-21689
<https://github.com/advisories/GHSA-jh82-c5jw-pxpc>
Only affected >=2.0 - < 2.4: CVE-2021-41868
<https://github.com/advisories/GHSA-7g47-xxff-9p85> (Receive mode bug,
fixed by changing the authentication from HTTP auth to using Client
Auth in Tor itself)
All versions < 2.5: CVE-2022-21690
<https://github.com/advisories/GHSA-ch22-x2v3-v6vq>, and possibly
depending on the Qt version, CVE-2022-21688
<https://github.com/advisories/GHSA-x7wr-283h-5h2v>
GHSA-jgm9-xpfj-4fq6
<https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6>
is a complicated one, as a fix
<https://github.com/onionshare/onionshare/pull/1474> we reduced the
scope of access for Flatpak but you could argue that on 'native'
Debian the whole file system, or at least the parts accessible to the
user running OnionShare, is available not even in read-only mode. I'm
not sure there's really a 'fix' for the deb package.
The advisories on
https://github.com/onionshare/onionshare/security/advisories have been
updated to reflect this.
--
nodens
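As an added triage helper (not part of the mail above or of the OnionShare project), the version ranges quoted from the upstream issue can be encoded and checked against a package version, so the same list can be re-run for any Debian upload. The ADVISORIES table and the Debian-revision stripping are assumptions of this example; GHSA-jgm9-xpfj-4fq6 is left out because the mail gives it no version range.

```python
"""Check which of the OnionShare CVEs quoted in the mail above affect a
given version.  Example code, not from the mail or the OnionShare project;
the ranges are transcribed from the upstream reply quoted above."""

from typing import List, Optional, Tuple

# (CVE id, first affected version inclusive, first fixed version exclusive,
#  note).  A lower bound of None means "all versions before the fix".
ADVISORIES: List[Tuple[str, Optional[str], str, str]] = [
    ("CVE-2021-41867", "2.3", "2.5", ""),
    ("CVE-2022-21691", "2.3", "2.5", ""),
    ("CVE-2022-21695", "2.3", "2.5", ""),
    ("CVE-2022-21696", "2.3", "2.5", ""),
    ("CVE-2022-21694", "2.2", "2.5", ""),
    ("CVE-2022-21689", "2.0", "2.5", ""),
    ("CVE-2021-41868", "2.0", "2.4",
     "Receive mode; fixed by moving from HTTP auth to Tor client auth"),
    ("CVE-2022-21690", None, "2.5", ""),
    ("CVE-2022-21688", None, "2.5", "possibly; depends on the Qt version"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Split an upstream version into integer components so that 2.10 sorts
    after 2.9.  A Debian revision such as the "-1" in "2.2-1" is dropped
    first (assumed input shape, e.g. the version from dpkg -l)."""
    upstream = version.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def affected_cves(version: str) -> List[Tuple[str, str]]:
    """Return (CVE id, note) pairs whose affected range contains `version`."""
    ver = parse_version(version)
    hits = []
    for cve, low, fixed, note in ADVISORIES:
        above_low = low is None or ver >= parse_version(low)
        below_fix = ver < parse_version(fixed)
        if above_low and below_fix:
            hits.append((cve, note))
    return hits


if __name__ == "__main__":
    for v in ("2.2-1", "2.3", "2.4", "2.5"):
        print(v, [cve for cve, _ in affected_cves(v)])
```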