Debian Bug report logs - #1014966
onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696


Package: src:onionshare; Maintainer for src:onionshare is Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 15 Jul 2022 12:06:01 UTC

Severity: grave

Tags: security, upstream

Fixed in versions onionshare/2.2-3+deb11u1, onionshare/2.5-1

Done: Paul Gevers <elbrus@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Fri, 15 Jul 2022 12:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Fri, 15 Jul 2022 12:06:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Fri, 15 Jul 2022 14:04:38 +0200
Source: onionshare
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for onionshare.

CVE-2021-41867[0]:
| An information disclosure vulnerability in OnionShare 2.3 before 2.4
| allows remote unauthenticated attackers to retrieve the full list of
| participants of a non-public OnionShare node via the --chat feature.

https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
https://www.ihteam.net/advisory/onionshare/

CVE-2021-41868[1]:
| OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to
| upload files on a non-public node when using the --receive
| functionality.

https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
https://www.ihteam.net/advisory/onionshare/

CVE-2022-21688[2]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. Affected versions of the desktop application were
| found to be vulnerable to denial of service via an undisclosed
| vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB
| memory consumption and this can be triggered multiple times. To be
| abused, this vulnerability requires rendering in the history tab, so
| some user interaction is required. An adversary with knowledge of the
| Onion service address in public mode or with authentication in private
| mode can perform a Denial of Service attack, which quickly results in
| out-of-memory for the server. This requires the desktop application
| with rendered history, therefore the impact is only elevated. This
| issue has been patched in version 2.5.

https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v

CVE-2022-21689[3]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions the receive mode limits
| concurrent uploads to 100 per second and blocks other uploads in the
| same second, which can be triggered by a simple script. An adversary
| with access to the receive mode can block file upload for others.
| There is no way to block this attack in public mode due to the
| anonymity properties of the tor network.

https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc

CVE-2022-21690[4]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions the path parameter of the
| requested URL is not sanitized before being passed to the QT frontend.
| This path is used in all components for displaying the server access
| history. This leads to a rendered HTML4 Subset (QT RichText editor) in
| the Onionshare frontend.

https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq

CVE-2022-21691[5]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions chat participants can spoof
| their channel leave message, tricking others into assuming they left
| the chatroom.

https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766

CVE-2022-21692[6]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions anyone with access to the chat
| environment can write messages disguised as another chat participant.

https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v

CVE-2022-21693[7]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions an adversary with a primitive
| that allows for filesystem access from the context of the Onionshare
| process can access sensitive files in the entire user home folder.
| This could lead to the leaking of sensitive data. Due to the automatic
| exclusion of hidden folders, the impact is reduced. This can be
| mitigated by usage of the flatpak release.

https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6

CVE-2022-21694[8]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. The website mode of OnionShare allows the use of a
| hardened CSP, which will block any scripts and external resources. It
| is not possible to configure this CSP for individual pages and
| therefore the security enhancement cannot be used for websites using
| javascript or external resources like fonts or images.

https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h
https://github.com/onionshare/onionshare/issues/1389

CVE-2022-21695[9]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions authenticated users (or
| unauthenticated in public mode) can send messages without being
| visible in the list of chat participants. This issue has been resolved
| in version 2.5.

https://github.com/onionshare/onionshare/security/advisories/GHSA-99p8-9p2c-49j4

CVE-2022-21696[10]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions it is possible to change the
| username to that of another chat participant with an additional space
| character at the end of the name string. An adversary with access to
| the chat environment can use the rename feature to impersonate other
| participants by adding whitespace characters at the end of the
| username.

https://github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9f

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41867
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
[1] https://security-tracker.debian.org/tracker/CVE-2021-41868
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
[2] https://security-tracker.debian.org/tracker/CVE-2022-21688
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
[3] https://security-tracker.debian.org/tracker/CVE-2022-21689
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
[4] https://security-tracker.debian.org/tracker/CVE-2022-21690
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
[5] https://security-tracker.debian.org/tracker/CVE-2022-21691
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
[6] https://security-tracker.debian.org/tracker/CVE-2022-21692
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
[7] https://security-tracker.debian.org/tracker/CVE-2022-21693
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
[8] https://security-tracker.debian.org/tracker/CVE-2022-21694
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
[9] https://security-tracker.debian.org/tracker/CVE-2022-21695
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
[10] https://security-tracker.debian.org/tracker/CVE-2022-21696
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696

Please adjust the affected versions in the BTS as needed.
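The trailing-whitespace impersonation in CVE-2022-21696 above comes down to a uniqueness check that compares raw strings. As an added illustration (not OnionShare's code and not its actual fix; the participant list is constructed and the normalization policy is an assumption), here is that naive check beside a hardened one that canonicalizes names before comparing, which also covers case and Unicode compatibility variants beyond the trailing space the advisory mentions:

```python
import unicodedata

# Constructed sample room state for this illustration (not OnionShare data):
# the display names the chat server currently holds for connected users.
PARTICIPANTS = ["alice", "bob", "Carol"]


def naive_rename_allowed(participants, current, requested):
    """Raw-string uniqueness check of the kind CVE-2022-21696 describes.

    "alice " (trailing space) is a different string from "alice", so it
    passes even though it renders identically in the participant list.
    """
    if requested == current:
        return False
    return requested not in participants


def normalize_username(name):
    """Canonical form used only for the uniqueness comparison (assumed
    policy, not OnionShare's own fix).

    - NFKC folds compatibility variants (fullwidth letters, NBSP -> space).
    - str.split() with no argument splits on any Unicode whitespace, so
      leading/trailing whitespace is dropped and internal runs collapse
      to a single ASCII space.
    - casefold() makes "Alice" and "alice" collide.
    """
    name = unicodedata.normalize("NFKC", name)
    name = " ".join(name.split())
    return name.casefold()


def hardened_rename_allowed(participants, current, requested, max_len=64):
    """Accept a rename only if its canonical form is non-empty, within the
    length limit, free of control/format characters, and distinct from every
    other participant's canonical form."""
    # Cc/Cf/Cn/Co/Cs code points (e.g. zero-width space U+200B) are not
    # whitespace to str.split() and would survive normalization, so reject
    # them outright rather than trying to strip them.
    if any(unicodedata.category(ch).startswith("C") for ch in requested):
        return False
    canon = normalize_username(requested)
    if not canon or len(canon) > max_len:
        return False
    # A user may rename to a variant of their own name; compare against
    # everyone else.
    taken = {normalize_username(p) for p in participants if p != current}
    return canon not in taken


if __name__ == "__main__":
    # Side-by-side: the naive check lets the lookalikes through, the
    # hardened check rejects them and still accepts a genuinely new name.
    for name in ["alice ", "ALICE", "alice\u00a0", "\uff21lice", "dave"]:
        print(repr(name),
              naive_rename_allowed(PARTICIPANTS, "bob", name),
              hardened_rename_allowed(PARTICIPANTS, "bob", name))
```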



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Jul 2022 15:00:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Sat, 22 Oct 2022 11:51:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Sat, 22 Oct 2022 11:51:02 GMT) (full text, mbox, link).


Message #12 received at 1014966@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>, 1014966@bugs.debian.org
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Sat, 22 Oct 2022 13:49:15 +0200
Hi,

On Fri, Jul 15, 2022 at 02:04:38PM +0200, Moritz Mühlenhoff wrote:
> Source: onionshare
> X-Debbugs-CC: team@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerabilities were published for onionshare.
> 
> CVE-2021-41867[0]:
> | An information disclosure vulnerability in OnionShare 2.3 before 2.4
> | allows remote unauthenticated attackers to retrieve the full list of
> | participants of a non-public OnionShare node via the --chat feature.
> 
> https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
> https://www.ihteam.net/advisory/onionshare/
> 
> CVE-2021-41868[1]:
> | OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to
> | upload files on a non-public node when using the --receive
> | functionality.
> 
> https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
> https://www.ihteam.net/advisory/onionshare/
> 
> CVE-2022-21688[2]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. Affected versions of the desktop application were
> | found to be vulnerable to denial of service via an undisclosed
> | vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB
> | memory consumption and this can be triggered multiple times. To be
> | abused, this vulnerability requires rendering in the history tab, so
> | some user interaction is required. An adversary with knowledge of the
> | Onion service address in public mode or with authentication in private
> | mode can perform a Denial of Service attack, which quickly results in
> | out-of-memory for the server. This requires the desktop application
> | with rendered history, therefore the impact is only elevated. This
> | issue has been patched in version 2.5.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
> 
> CVE-2022-21689[3]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions the receive mode limits
> | concurrent uploads to 100 per second and blocks other uploads in the
> | same second, which can be triggered by a simple script. An adversary
> | with access to the receive mode can block file upload for others.
> | There is no way to block this attack in public mode due to the
> | anonymity properties of the tor network.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc
> 
> CVE-2022-21690[4]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions the path parameter of the
> | requested URL is not sanitized before being passed to the QT frontend.
> | This path is used in all components for displaying the server access
> | history. This leads to a rendered HTML4 Subset (QT RichText editor) in
> | the Onionshare frontend.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq
> 
> CVE-2022-21691[5]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions chat participants can spoof
> | their channel leave message, tricking others into assuming they left
> | the chatroom.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766
> 
> CVE-2022-21692[6]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions anyone with access to the chat
> | environment can write messages disguised as another chat participant.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v
> 
> CVE-2022-21693[7]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions an adversary with a primitive
> | that allows for filesystem access from the context of the Onionshare
> | process can access sensitive files in the entire user home folder.
> | This could lead to the leaking of sensitive data. Due to the automatic
> | exclusion of hidden folders, the impact is reduced. This can be
> | mitigated by usage of the flatpak release.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6
> 
> CVE-2022-21694[8]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. The website mode of OnionShare allows the use of a
> | hardened CSP, which will block any scripts and external resources. It
> | is not possible to configure this CSP for individual pages and
> | therefore the security enhancement cannot be used for websites using
> | javascript or external resources like fonts or images.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h
> https://github.com/onionshare/onionshare/issues/1389
> 
> CVE-2022-21695[9]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions authenticated users (or
> | unauthenticated in public mode) can send messages without being
> | visible in the list of chat participants. This issue has been resolved
> | in version 2.5.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-99p8-9p2c-49j4
> 
> CVE-2022-21696[10]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions it is possible to change the
> | username to that of another chat participant with an additional space
> | character at the end of the name string. An adversary with access to
> | the chat environment can use the rename feature to impersonate other
> | participants by adding whitespace characters at the end of the
> | username.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9f
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-41867
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
> [1] https://security-tracker.debian.org/tracker/CVE-2021-41868
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
> [2] https://security-tracker.debian.org/tracker/CVE-2022-21688
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
> [3] https://security-tracker.debian.org/tracker/CVE-2022-21689
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
> [4] https://security-tracker.debian.org/tracker/CVE-2022-21690
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
> [5] https://security-tracker.debian.org/tracker/CVE-2022-21691
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
> [6] https://security-tracker.debian.org/tracker/CVE-2022-21692
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
> [7] https://security-tracker.debian.org/tracker/CVE-2022-21693
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
> [8] https://security-tracker.debian.org/tracker/CVE-2022-21694
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
> [9] https://security-tracker.debian.org/tracker/CVE-2022-21695
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
> [10] https://security-tracker.debian.org/tracker/CVE-2022-21696
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696

From the reported list CVE-2021-41867 and CVE-2021-41868 were
addressed in 2.4 upstream. But the others seem yet unfixed in 2.5, even
though likely as well those which contain "has been patched in 2.5". I
have not found any indication that this is really the case.

Any more insights OTOH from you on those?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Sat, 22 Oct 2022 12:51:06 GMT) (full text, mbox, link).


Acknowledgement sent to Clément Hermann <clement.hermann@nodens.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Sat, 22 Oct 2022 12:51:06 GMT) (full text, mbox, link).


Message #17 received at 1014966@bugs.debian.org (full text, mbox, reply):

From: Clément Hermann <clement.hermann@nodens.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1014966@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Sat, 22 Oct 2022 14:50:53 +0200
Hi Salvatore,

Le 22/10/2022 à 13:49, Salvatore Bonaccorso a écrit :
>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2021-41867
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
>> [1] https://security-tracker.debian.org/tracker/CVE-2021-41868
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
>> [2] https://security-tracker.debian.org/tracker/CVE-2022-21688
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
>> [3] https://security-tracker.debian.org/tracker/CVE-2022-21689
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
>> [4] https://security-tracker.debian.org/tracker/CVE-2022-21690
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
>> [5] https://security-tracker.debian.org/tracker/CVE-2022-21691
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
>> [6] https://security-tracker.debian.org/tracker/CVE-2022-21692
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
>> [7] https://security-tracker.debian.org/tracker/CVE-2022-21693
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
>> [8] https://security-tracker.debian.org/tracker/CVE-2022-21694
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
>> [9] https://security-tracker.debian.org/tracker/CVE-2022-21695
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
>> [10] https://security-tracker.debian.org/tracker/CVE-2022-21696
>>      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696
> From the reported list CVE-2021-41867 and CVE-2021-41868 were
> addressed in 2.4 upstream. But the others seem yet unfixed in 2.5, even
> though likely as well those which contain "has been patched in 2.5". I
> have not found any indication that this is really the case.
>
> Any more insights OTOH from you on those?
According to the onionshare 2.5 release notes [1], and to the
vulnerabilities list on the github project [2], I'd say they were fixed.
All vulnerabilities are marked as affecting <2.4 since the 2.5 release, and
for instance for the username impersonation, it's been specified in the
release notes that the security has been tightened on this front.

That said, I didn't check the code for every vuln individually, and I 
definitely could ask upstream for clarification/confirmation if you 
think it's necessary.



[1] https://github.com/onionshare/onionshare/releases/tag/v2.5
[2] https://github.com/onionshare/onionshare/security/advisories

Cheers,

-- 
nodens



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Sat, 22 Oct 2022 13:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Sat, 22 Oct 2022 13:03:03 GMT) (full text, mbox, link).


Message #22 received at 1014966@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Clément Hermann <clement.hermann@nodens.org>, 1014966@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Sat, 22 Oct 2022 15:01:38 +0200
Hi Clément,

On Sat, Oct 22, 2022 at 02:50:53PM +0200, Clément Hermann wrote:
> Hi Salvatore,
> 
> Le 22/10/2022 à 13:49, Salvatore Bonaccorso a écrit :
> > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2021-41867
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
> > > [1] https://security-tracker.debian.org/tracker/CVE-2021-41868
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
> > > [2] https://security-tracker.debian.org/tracker/CVE-2022-21688
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
> > > [3] https://security-tracker.debian.org/tracker/CVE-2022-21689
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
> > > [4] https://security-tracker.debian.org/tracker/CVE-2022-21690
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
> > > [5] https://security-tracker.debian.org/tracker/CVE-2022-21691
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
> > > [6] https://security-tracker.debian.org/tracker/CVE-2022-21692
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
> > > [7] https://security-tracker.debian.org/tracker/CVE-2022-21693
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
> > > [8] https://security-tracker.debian.org/tracker/CVE-2022-21694
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
> > > [9] https://security-tracker.debian.org/tracker/CVE-2022-21695
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
> > > [10] https://security-tracker.debian.org/tracker/CVE-2022-21696
> > >      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696
> > From the reported list CVE-2021-41867 and CVE-2021-41868 were
> > addressed in 2.4 upstream. But the others seem yet unfixed in 2.5, even
> > though likely as well those which contain "has been patched in 2.5". I
> > have not found any indication that this is really the case.
> > 
> > Any more insights OTOH from you on those?
> According to the onionshare 2.5 release notes [1], and to the vulnerabilities
> list on the github project [2], I'd say they were fixed.
> All vulnerabilities are marked as affecting <2.4 since the 2.5 release, and for
> instance for the username impersonation, it's been specified in the release
> notes that the security has been tightened on this front.
> 
> That said, I didn't check the code for every vuln individually, and I
> definitely could ask upstream for clarification/confirmation if you think
> it's necessary.

Thanks for the quick reply! (much appreciated). I think it would be
good to get a confirmation from upstream and if possible to have
those advisories updated. E.g.
https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
while mentioning "affected versions < 2.4" the patched version remains
"none". This might be that the < 2.4 just reflects the point in time
when the advisory was filed. OTOH you have arguments with the v2.5
release information that they might all be fixed.

To be on the safe side, explicit confirmation by upstream would be great.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Sun, 23 Oct 2022 16:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Clément Hermann <clement.hermann@nodens.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Sun, 23 Oct 2022 16:30:03 GMT) (full text, mbox, link).


Message #27 received at 1014966@bugs.debian.org (full text, mbox, reply):

From: Clément Hermann <clement.hermann@nodens.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1014966@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Sun, 23 Oct 2022 18:27:08 +0200
Hi,

Le 22/10/2022 à 15:01, Salvatore Bonaccorso a écrit :

> Thanks for the quick reply! (much appreciated). I think it would be
> good to get a confirmation from upstream and if possible to have
> those advisories updated. E.g.
> https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
> while mentioning "affected versions < 2.4" the patched version remains
> "none". This might be that the < 2.4 just reflects the point in time
> when the advisory was filed. OTOH you have arguments with the v2.5
> release information that they might all be fixed.
>
> To be on the safe side, explicit confirmation by upstream would be great.

Agreed. And asked upstream: 
https://github.com/onionshare/onionshare/issues/1633.

Cheers,

-- 
nodens



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Sun, 23 Oct 2022 18:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Sun, 23 Oct 2022 18:45:03 GMT) (full text, mbox, link).


Message #32 received at 1014966@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Clément Hermann <clement.hermann@nodens.org>
Cc: 1014966@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Sun, 23 Oct 2022 20:43:11 +0200
Hi Clément,

On Sun, Oct 23, 2022 at 06:27:08PM +0200, Clément Hermann wrote:
> Hi,
> 
> Le 22/10/2022 à 15:01, Salvatore Bonaccorso a écrit :
> 
> > Thanks for the quick reply! (much appreciated). I think it would be
> > good to get a confirmation from upstream and if possible to have
> > those advisories updated. E.g.
> > https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
> > while mentioning "affected versions < 2.4" the patched version remains
> > "none". This might be that the < 2.4 just reflects the point in time
> > when the advisory was filed. OTOH you have arguments with the v2.5
> > release information that they might all be fixed.
> > 
> > To be on the safe side, explicit confirmation by upstream would be great.
> 
> Agreed. And asked upstream:
> https://github.com/onionshare/onionshare/issues/1633.

Thank you!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Mon, 24 Oct 2022 16:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Clément Hermann <clement.hermann@nodens.org>, 1014966@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Mon, 24 Oct 2022 16:33:03 GMT) (full text, mbox, link).


Message #37 received at 1014966@bugs.debian.org (full text, mbox, reply):

From: Clément Hermann <nodens@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1014966@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Mon, 24 Oct 2022 18:26:30 +0200
Hi,

Le 23/10/2022 à 18:27, Clément Hermann a écrit :
> Hi,
>
> Le 22/10/2022 à 15:01, Salvatore Bonaccorso a écrit :
>
>> Thanks for the quick reply! (much appreciated). I think it would be
>> good to get a confirmation from upstream and if possible to have
>> those advisories updated. E.g.
>> https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
>> while mentioning "affected versions < 2.4" the patched version remains
>> "none". This might be that the < 2.4 just reflects the point in time
>> when the advisory was filed. OTOH you have arguments with the v2.5
>> release information that they might all be fixed.
>>
>> To be on the safe side, explicit confirmation by upstream would be great.
>
> Agreed. And asked upstream: 
> https://github.com/onionshare/onionshare/issues/1633.

Upstream replied quickly (yay!) and confirms the known issues are fixed 
in 2.5.

Also, the detail of the vulnerable/patched versions has been updated. 
Quoting from the upstream issue:
>
> Only affected >= 2.3 - < 2.5: CVE-2021-41867 
> <https://github.com/advisories/GHSA-6rvj-pw9w-jcvc>, CVE-2022-21691 
> <https://github.com/advisories/GHSA-w9m4-7w72-r766>, CVE-2022-21695 
> <https://github.com/advisories/GHSA-99p8-9p2c-49j4>, CVE-2022-21696 
> <https://github.com/advisories/GHSA-68vr-8f46-vc9f>
> Only affected >= 2.2 - < 2.5: CVE-2022-21694 
> <https://github.com/advisories/GHSA-h29c-wcm8-883h>
> Only affected >=2.0 - < 2.5: CVE-2022-21689 
> <https://github.com/advisories/GHSA-jh82-c5jw-pxpc>
> Only affected >=2.0 - < 2.4: CVE-2021-41868 
> <https://github.com/advisories/GHSA-7g47-xxff-9p85> (Receive mode bug, 
> fixed by changing the authentication from HTTP auth to using Client 
> Auth in Tor itself)
> All versions < 2.5: CVE-2022-21690 
> <https://github.com/advisories/GHSA-ch22-x2v3-v6vq>, and possibly 
> depending on the Qt version, CVE-2022-21688 
> <https://github.com/advisories/GHSA-x7wr-283h-5h2v>
>
> GHSA-jgm9-xpfj-4fq6 
> <https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6> 
> is a complicated one, as a fix 
> <https://github.com/onionshare/onionshare/pull/1474> we reduced the 
> scope of access for Flatpak but you could argue that on 'native' 
> Debian the whole file system, or at least the parts accessible to the 
> user running OnionShare, is available not even in read-only mode. I'm 
> not sure there's really a 'fix' for the deb package.
>
The advisories on 
https://github.com/onionshare/onionshare/security/advisories have been 
updated to reflect this.

-- 
nodens

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Mon, 24 Oct 2022 18:45:03 GMT)


Acknowledgement sent to Clément Hermann <clement.hermann@nodens.org>, 1014966@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Mon, 24 Oct 2022 18:45:03 GMT)


Message #42 received at 1014966@bugs.debian.org:

From: Clément Hermann <nodens@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1014966@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Mon, 24 Oct 2022 20:41:58 +0200

On 24/10/2022 at 18:26, Clément Hermann wrote:
> Hi,
>
> On 23/10/2022 at 18:27, Clément Hermann wrote:
>> Hi,
>>
>> On 22/10/2022 at 15:01, Salvatore Bonaccorso wrote:
>>> To be on the safe side, explicit confirmation by upstream would be great.
>>
>> Agreed. And asked upstream: 
>> https://github.com/onionshare/onionshare/issues/1633.
>
> Upstream replied quickly (yay!) and confirms the known issues are 
> fixed in 2.5.
>
> Also, the detail of the vulnerable/patched versions has been updated. 
> Quoting from the upstream issue:
>>
>> Only affected >= 2.3 - < 2.5: CVE-2021-41867 
>> <https://github.com/advisories/GHSA-6rvj-pw9w-jcvc>, CVE-2022-21691 
>> <https://github.com/advisories/GHSA-w9m4-7w72-r766>, CVE-2022-21695 
>> <https://github.com/advisories/GHSA-99p8-9p2c-49j4>, CVE-2022-21696 
>> <https://github.com/advisories/GHSA-68vr-8f46-vc9f>
>> Only affected >= 2.2 - < 2.5: CVE-2022-21694 
>> <https://github.com/advisories/GHSA-h29c-wcm8-883h>
>> Only affected >=2.0 - < 2.5: CVE-2022-21689 
>> <https://github.com/advisories/GHSA-jh82-c5jw-pxpc>
>> Only affected >=2.0 - < 2.4: CVE-2021-41868 
>> <https://github.com/advisories/GHSA-7g47-xxff-9p85> (Receive mode 
>> bug, fixed by changing the authentication from HTTP auth to using 
>> Client Auth in Tor itself)
>> All versions < 2.5: CVE-2022-21690 
>> <https://github.com/advisories/GHSA-ch22-x2v3-v6vq>, and possibly 
>> depending on the Qt version, CVE-2022-21688 
>> <https://github.com/advisories/GHSA-x7wr-283h-5h2v>
>>
>> GHSA-jgm9-xpfj-4fq6 
>> <https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6> 
>> is a complicated one, as a fix 
>> <https://github.com/onionshare/onionshare/pull/1474> we reduced the 
>> scope of access for Flatpak but you could argue that on 'native' 
>> Debian the whole file system, or at least the parts accessible to the 
>> user running OnionShare, is available not even in read-only mode. I'm 
>> not sure there's really a 'fix' for the deb package.
>>
> The advisories on 
> https://github.com/onionshare/onionshare/security/advisories have been 
> updated to reflect this.

I did more homework.

So, to summarize:
- CVE-2021-41867 <https://github.com/advisories/GHSA-6rvj-pw9w-jcvc>, 
CVE-2022-21691 <https://github.com/advisories/GHSA-w9m4-7w72-r766>, 
CVE-2022-21695 <https://github.com/advisories/GHSA-99p8-9p2c-49j4>, 
CVE-2022-21696 <https://github.com/advisories/GHSA-68vr-8f46-vc9f> 
aren't affecting Debian (stable has 2.2, unstable has 2.5). Which is 
good because the

- CVE-2022-21694 <https://github.com/advisories/GHSA-h29c-wcm8-883h> 
affects Bullseye, but that might be an acceptable risk? The issue is 
that CSP can only be turned on or off, not configured to allow JS etc., 
so it is only useful for static websites. I believe that's the most 
common usage of a website with onionshare, and it's arguably a missing 
feature more than a vulnerability /per se/.

- CVE-2022-21689 <https://github.com/advisories/GHSA-jh82-c5jw-pxpc> fix 
should be easy to backport, at a glance: 
https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377

- CVE-2021-41868 <https://github.com/advisories/GHSA-7g47-xxff-9p85> 
doesn't affect 2.2 I think, it must have been a mistake from mig5. I 
just asked for confirmation. I do hope so since it's a bad one.

- CVE-2022-21690 <https://github.com/advisories/GHSA-ch22-x2v3-v6vq> 
seems like a one-line patch: 
https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0

- CVE-2022-21688 <https://github.com/advisories/GHSA-x7wr-283h-5h2v> 
seems like it should be worked around with the CVE-2022-21690 
<https://github.com/advisories/GHSA-ch22-x2v3-v6vq> fix (OTF-001)?

I'd welcome input on those.

Cheers,

-- 
nodens

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Tue, 25 Oct 2022 07:06:02 GMT)


Acknowledgement sent to Clément Hermann <clement.hermann@nodens.org>, 1014966@bugs.debian.org, 1014966@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Tue, 25 Oct 2022 07:06:02 GMT)


Message #47 received at 1014966@bugs.debian.org:

From: Clément Hermann <nodens@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 1014966@bugs.debian.org
Cc: Moritz Mühlenhoff <jmm@inutil.org>, team@security.debian.org
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Tue, 25 Oct 2022 09:02:57 +0200

On 24/10/2022 at 20:41, Clément Hermann wrote:
>
> - CVE-2022-21694 <https://github.com/advisories/GHSA-h29c-wcm8-883h> 
> affects Bullseye, but that might be an acceptable risk? The issue is 
> that CSP can only be turned on or off, not configured to allow JS etc., 
> so it is only useful for static websites. I believe that's the most 
> common usage of a website with onionshare, and it's arguably a missing 
> feature more than a vulnerability /per se/.
>
> - CVE-2022-21689 <https://github.com/advisories/GHSA-jh82-c5jw-pxpc> 
> fix should be easy to backport, at a glance: 
> https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
>
> - CVE-2021-41868 <https://github.com/advisories/GHSA-7g47-xxff-9p85> 
> doesn't affect 2.2 I think, it must have been a mistake from mig5. I 
> just asked for confirmation. I do hope so since it's a bad one.

Sadly, upstream rectified and confirms it affects 2.2 [0], and has been 
tested and reproduced on Bullseye. We do need to fix it. Upstream has a 
few suggestions, but I guess our choices are either uploading 2.5 to 
stable, if that's possible. python-stem at least will need to be updated 
as well, from 1.8.0 to 1.8.1 which luckily is bugfix only.

> - CVE-2022-21690 <https://github.com/advisories/GHSA-ch22-x2v3-v6vq> 
> seems like a one-line patch: 
> https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0
>
> - CVE-2022-21688 <https://github.com/advisories/GHSA-x7wr-283h-5h2v> 
> seems like it should be worked around with the CVE-2022-21690 
> <https://github.com/advisories/GHSA-ch22-x2v3-v6vq> fix (OTF-001)?
>
> I'd welcome input on those.
>
Of course if we choose to update onionshare to 2.5 in stable, we fix 
those as well.

[0] 
https://github.com/onionshare/onionshare/issues/1633#issuecomment-1289735350

Cheers,

-- 
nodens

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Tue, 25 Oct 2022 09:18:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Tue, 25 Oct 2022 09:18:03 GMT)


Message #52 received at 1014966@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Clément Hermann <clement.hermann@nodens.org>, 1014966@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Tue, 25 Oct 2022 11:15:29 +0200
Hi Clément,

> Sadly, upstream rectified and confirms it affects 2.2 [0], and has been
> tested and reproduced on Bullseye. We do need to fix it. Upstream has a few
> suggestions, but I guess our choices are either uploading 2.5 to stable, if
> that's possible. python-stem at least will need to be updated as well, from
> 1.8.0 to 1.8.1 which luckily is bugfix only.

With the upstream confirmation about affected states I had a look at the remaining
issues affecting Bullseye:

CVE-2022-21694 (https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h)
is not a vulnerability by itself, it's a lack of a feature at most. We can ignore it for
Bullseye.

CVE-2022-21688 (https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v)
is just a stopgap, the actual issue is in Qt and I'll reach out to upstream for more information
on when this was fixed in Qt so that it can be backported to Bullseye's Qt packages.

This leaves:
https://security-tracker.debian.org/tracker/CVE-2022-21690
https://security-tracker.debian.org/tracker/CVE-2022-21689
https://security-tracker.debian.org/tracker/CVE-2021-41868

I think it's fair to ignore CVE-2021-41868 for Bullseye, it sounds like an edge case
and invasive to fix.

This leaves CVE-2022-21690 and CVE-2022-21689 which have isolated patches which could be backported?

Given that the primary use case for onionshare will be Tails, my suggestion would be that CVE-2022-21689
and CVE-2022-21690 get backported fixes for the next Bullseye point release (which Tails will sync up
to). What do you think?

Cheers,
        Moritz
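As an added example (not code from this thread or from the OnionShare project), the following Python encodes the affected-version ranges quoted from upstream earlier in this thread and evaluates them against the package versions named here: 2.2 in Bullseye and 2.5 in unstable. It assumes the quoted ranges are complete and compares only the upstream part of a Debian version string, ignoring the Debian revision.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as quoted from the upstream issue in this thread
# (constructed lookup table for this example, not project data).
AFFECTED_RANGES: Dict[str, str] = {
    "CVE-2021-41867": ">= 2.3 - < 2.5",
    "CVE-2022-21691": ">= 2.3 - < 2.5",
    "CVE-2022-21695": ">= 2.3 - < 2.5",
    "CVE-2022-21696": ">= 2.3 - < 2.5",
    "CVE-2022-21694": ">= 2.2 - < 2.5",
    "CVE-2022-21689": ">=2.0 - < 2.5",
    "CVE-2021-41868": ">=2.0 - < 2.4",
    "CVE-2022-21690": "< 2.5",
    "CVE-2022-21688": "< 2.5",  # "possibly, depending on the Qt version"
}

# Matches the ">= X" and "< Y" bounds in a range string such as ">= 2.3 - < 2.5".
_BOUND_RE = re.compile(r"(>=|<)\s*([0-9]+(?:\.[0-9]+)*)")


def parse_version(v: str) -> Version:
    """Turn a Debian version such as '2.2-3+deb11u1' into the tuple (2, 2).

    Only the upstream part before the first '-' is compared; the Debian
    revision carries no information about the upstream code level.
    """
    upstream = v.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def parse_range(spec: str) -> Tuple[Optional[Version], Optional[Version]]:
    """Return (lower_inclusive, upper_exclusive); either bound may be absent."""
    lower: Optional[Version] = None
    upper: Optional[Version] = None
    for op, ver in _BOUND_RE.findall(spec):
        if op == ">=":
            lower = parse_version(ver)
        else:
            upper = parse_version(ver)
    if lower is None and upper is None:
        raise ValueError(f"unparseable range: {spec!r}")
    return lower, upper


def is_affected(version: str, spec: str) -> bool:
    """True when `version` falls inside the quoted affected range."""
    v = parse_version(version)
    lower, upper = parse_range(spec)
    if lower is not None and v < lower:
        return False
    if upper is not None and v >= upper:
        return False
    return True


def affected_cves(version: str) -> List[str]:
    """Sorted list of the CVEs whose quoted range covers this package version."""
    return sorted(cve for cve, spec in AFFECTED_RANGES.items()
                  if is_affected(version, spec))


if __name__ == "__main__":
    # Bullseye ships 2.2, unstable ships 2.5 (versions named in this thread).
    for pkg in ("2.2-3", "2.5-1"):
        print(pkg, affected_cves(pkg))
```

The quoted range for CVE-2021-41868 (>=2.0 - < 2.4) already covers 2.2, which is what upstream later confirmed in this thread.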



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Tue, 25 Oct 2022 11:57:02 GMT)


Acknowledgement sent to Clément Hermann <nodens@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Tue, 25 Oct 2022 11:57:02 GMT)


Message #57 received at 1014966@bugs.debian.org:

From: Clément Hermann <nodens@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 1014966@bugs.debian.org
Cc: Salvatore Bonaccorso <carnil@debian.org>, team@security.debian.org
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Tue, 25 Oct 2022 13:53:07 +0200
Hi Moritz,

On 25/10/2022 at 11:15, Moritz Muehlenhoff wrote:
> Hi Clément,
>
>> Sadly, upstream rectified and confirms it affects 2.2 [0], and has been
>> tested and reproduced on Bullseye. We do need to fix it. Upstream has a few
>> suggestions, but I guess our choices are either uploading 2.5 to stable, if
>> that's possible. python-stem at least will need to be updated as well, from
>> 1.8.0 to 1.8.1 which luckily is bugfix only.
> With the upstream confirmation about affected states I had a look at the remaining
> issues affecting Bullseye:

Thanks!

> CVE-2022-21694 (https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h)
> is not a vulnerability by itself, it's a lack of a feature at most. We can ignore it for
> Bullseye.

Agreed, that's my reasoning too.

> CVE-2022-21688 (https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v)
> is just a stopgap, the actual issue is in Qt and I'll reach out to upstream for more information
> on when this was fixed in Qt so that it can be backported to Bullseye's Qt packages.

Agreed. The fix for CVE-2022-21690 will provide a workaround as well.

> This leaves:
> https://security-tracker.debian.org/tracker/CVE-2022-21690
> https://security-tracker.debian.org/tracker/CVE-2022-21689
> https://security-tracker.debian.org/tracker/CVE-2021-41868
>
> I think it's fair to ignore CVE-2021-41868 for Bullseye, it sounds like an edge case
> and invasive to fix.

I'm not sure how much of an edge case it is. But I agree it's fair. We 
could provide a backport for users needing secure authentication, so 
they could use onion v3 auth for this usage (I didn't check yet how easy 
a backport would be, but I expect it'd be simple except maybe for the 
poetry build system part).

>
> This leaves CVE-2022-21690 and CVE-2022-21689 which have isolated patches which could be backported?

Yes.

> Given that the primary use case for onionshare will be Tails, my suggestion would be that CVE-2022-21689
> and CVE-2022-21690 get backported fixes for the next Bullseye point release (which Tails will sync up
> to). What do you think?

There are some users of onionshare besides Tails, but that sounds like 
a viable plan.

Cheers,

-- 
nodens




Marked as fixed in versions onionshare/2.5-1. Request was from Clément Hermann <nodens@debian.org> to control@bugs.debian.org. (Sun, 13 Nov 2022 13:54:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Sun, 27 Nov 2022 10:48:05 GMT)


Acknowledgement sent to 1014966@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Sun, 27 Nov 2022 10:48:05 GMT)


Message #64 received at 1014966@bugs.debian.org:

From: Clément Hermann <nodens@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 1014966@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Sun, 27 Nov 2022 11:45:27 +0100
Hi

On 25/10/2022 at 13:53, Clément Hermann wrote:
> Hi Moritz,
>
> On 25/10/2022 at 11:15, Moritz Muehlenhoff wrote:
>
>> Given that the primary use case for onionshare will be tails, my 
>> suggestion would be that CVE-2022-21689
>> and CVE-2022-21690 get backported fixes for the next Bullseye point 
>> release (which Tails will sync up
>> to). What do you think?
>
> There are some users of onionshare beside in Tails, but that sounds 
> like a viable plan.
>
FYI, backported fixes have been uploaded and should be included in the next 
point release (#1023981).

Cheers,

-- 
nodens




Marked as fixed in versions onionshare/2.2-3+deb11u1. Request was from Clément Hermann <nodens@debian.org> to control@bugs.debian.org. (Sun, 27 Nov 2022 10:48:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>:
Bug#1014966; Package src:onionshare. (Sun, 27 Nov 2022 16:15:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Privacy Tools Maintainers <pkg-privacy-maintainers@lists.alioth.debian.org>. (Sun, 27 Nov 2022 16:15:03 GMT)


Message #71 received at 1014966@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 1014966@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Sun, 27 Nov 2022 17:12:45 +0100
On Sun, Nov 27, 2022 at 11:45:27AM +0100, Clément Hermann wrote:
> Hi
> 
> On 25/10/2022 at 13:53, Clément Hermann wrote:
> > Hi Moritz,
> > 
> > On 25/10/2022 at 11:15, Moritz Muehlenhoff wrote:
> > 
> > > Given that the primary use case for onionshare will be tails, my
> > > suggestion would be that CVE-2022-21689
> > > and CVE-2022-21690 get backported fixes for the next Bullseye point
> > > release (which Tails will sync up
> > > to). What do you think?
> > 
> > There are some users of onionshare beside in Tails, but that sounds like
> > a viable plan.
> > 
> FYI, backported fixes have been uploaded and should be included in next
> point release (#1023981)

Saw that, thanks!

Cheers,
        Moritz



Reply sent to Paul Gevers <elbrus@debian.org>:
You have taken responsibility. (Sat, 12 Oct 2024 15:21:02 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Sat, 12 Oct 2024 15:21:02 GMT)


Message #76 received at 1014966-done@bugs.debian.org:

From: Paul Gevers <elbrus@debian.org>
To: 1014966-done@bugs.debian.org
Subject: Re: Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696
Date: Sat, 12 Oct 2024 16:17:16 +0100
Hi,

On Sun, 27 Nov 2022 11:45:27 +0100 Clément Hermann 
<nodens@debian.org> wrote:
> FYI, backported fixes have been uploaded and should be included in next 
> point release (#1023981)

And this happened a long time ago, so let's close this bug. (The BTS 
already knows it doesn't apply to stable, testing or unstable for a while).

Paul


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Nov 2024 07:27:39 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 21 22:42:46 2024; Machine Name: bembo
