Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
Following discussion with the Security Team about vulnerabilities in onionshare (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014966 ), I prepared a patched version which backports upstream fixes for CVE-2022-21689 and CVE-2022-21690. Moritz proposed we just use a point release for those instead of uploading to bullseye-security, hence this request. The issues aren't that critical and we are lagging already, so it can wait a few weeks more.

[ Impact ]
If the request isn't approved, I guess I'll ask the Security Team to make it a security upload.

[ Tests ]
I modified the tests in the code, and I did test the modified functionality manually with a bullseye virtual machine.

[ Risks ]
Modifications are quite simple. The last relevant CVE referenced in the bug above would mean a lot more work, and more risks (backporting a lot of code, or actually upgrading stable to 2.5, which would imply upgrading python-stem as well). Since it is considered an edge case, it's been decided it would be ignored in bullseye (I intend to provide a backport later for users who would be at risk otherwise).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
  * Change debian-branch to debian/bullseye in d/gbp.conf (ignored for dch)
  * Backport upstream fix for CVE-2022-21690 by forcing PlainText in QLabel
  * Backport upstream fix for CVE-2022-21689 by using µsec in filenames when receiving files
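As an added illustration (not code from the bug report or from onionshare itself) of the CVE-2022-21689 change and of why the adjusted GuiReceiveTest globs on a second-resolution prefix: the function below rebuilds the per-upload directory name both the old way ("%H.%M.%S") and the patched way ("%H.%M.%S.%f"), shows that two uploads in the same second collide only under the old scheme, and locates a constructed upload the way the patched test does. Paths, timestamps and the file name are constructed sample values.

```python
import glob
import os
import tempfile
from datetime import datetime, timedelta


def receive_dir(data_dir, now, with_microseconds):
    """Build the per-upload directory the way receive_mode.py does.

    with_microseconds=False reproduces the pre-fix "%H.%M.%S" layout;
    True reproduces the CVE-2022-21689 fix ("%H.%M.%S.%f").
    """
    date_dir = now.strftime("%Y-%m-%d")
    fmt = "%H.%M.%S.%f" if with_microseconds else "%H.%M.%S"
    return os.path.join(data_dir, date_dir, now.strftime(fmt))


def collides(with_microseconds):
    """Do two uploads arriving 1 microsecond apart share a directory?"""
    t0 = datetime(2022, 11, 12, 17, 23, 52, 0)  # constructed timestamp
    t1 = t0 + timedelta(microseconds=1)
    return receive_dir("data", t0, with_microseconds) == receive_dir(
        "data", t1, with_microseconds
    )


def find_uploaded(data_dir, basename, when):
    """Locate a received file the way the patched GuiReceiveTest does:
    glob on the second-resolution prefix, because the test cannot know
    the microsecond suffix the receiver picked."""
    prefix = receive_dir(data_dir, when, with_microseconds=False)
    for path in glob.glob(prefix + "*"):
        if os.path.exists(os.path.join(path, basename)):
            return path
    return None


def demo():
    """Create one constructed upload under a patched-style directory and
    confirm the prefix glob finds exactly that directory."""
    with tempfile.TemporaryDirectory() as data_dir:
        now = datetime(2022, 11, 12, 17, 23, 52, 123456)  # constructed
        target = receive_dir(data_dir, now, with_microseconds=True)
        os.makedirs(target)
        with open(os.path.join(target, "report.pdf"), "w") as f:
            f.write("constructed sample upload\n")
        return find_uploaded(data_dir, "report.pdf", now) == target
```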
diff -Nru onionshare-2.2/debian/changelog onionshare-2.2/debian/changelog --- onionshare-2.2/debian/changelog 2021-01-11 12:12:11.000000000 +0100 +++ onionshare-2.2/debian/changelog 2022-11-12 17:23:52.000000000 +0100 @@ -1,3 +1,10 @@ +onionshare (2.2-3+deb11u1) bullseye; urgency=medium + + * Backport upstream fix for CVE-2022-21690 + * Backport upstream fix for CVE-2022-21689 + + -- Clément Hermann <nod...@debian.org> Sat, 12 Nov 2022 17:23:52 +0100 + onionshare (2.2-3) unstable; urgency=medium [ Ulrike Uhlig ] diff -Nru onionshare-2.2/debian/gbp.conf onionshare-2.2/debian/gbp.conf --- onionshare-2.2/debian/gbp.conf 2020-08-29 19:03:20.000000000 +0200 +++ onionshare-2.2/debian/gbp.conf 2022-11-12 17:23:52.000000000 +0100 @@ -1,4 +1,4 @@ [DEFAULT] pristine-tar = True -debian-branch = debian/sid +debian-branch = debian/bullseye upstream-branch = master diff -Nru onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff --- onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff 1970-01-01 01:00:00.000000000 +0100 +++ onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff 2022-11-12 17:23:52.000000000 +0100 
@@ -0,0 +1,54 @@ +Description: Fix for CVE-2022-21689 + Adapted from upstream https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377 + +use microseconds for timestamps in filename + +Origin: backport, https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377 +Bug-GitHub: https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc +Last-Update: 2022-11-12 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/onionshare/web/receive_mode.py ++++ b/onionshare/web/receive_mode.py +@@ -294,7 +294,7 @@ + # Figure out what files should be saved + now = datetime.now() + date_dir = now.strftime("%Y-%m-%d") +- time_dir = now.strftime("%H.%M.%S") ++ time_dir = now.strftime("%H.%M.%S.%f") + self.receive_mode_dir = os.path.join( + self.web.common.settings.get("data_dir"), date_dir, time_dir + ) +--- a/tests/GuiReceiveTest.py ++++ b/tests/GuiReceiveTest.py +@@ -1,3 +1,4 @@ ++import glob + import os + import requests + from datetime import datetime, timedelta +@@ -50,17 +51,17 @@ + now = datetime.now() + for i in range(10): + date_dir = now.strftime("%Y-%m-%d") +- if identical_files_at_once: +- time_dir = now.strftime("%H.%M.%S-1") +- else: +- time_dir = now.strftime("%H.%M.%S") ++ time_dir = now.strftime("%H.%M.%S") + receive_mode_dir = os.path.join( + self.gui.common.settings.get("data_dir"), date_dir, time_dir + ) +- expected_filename = os.path.join(receive_mode_dir, expected_basename) +- if os.path.exists(expected_filename): +- exists = True +- break ++ # The directories have microseconds in the name, so we need ++ # to use globbing against directory names containing the same ++ # second in order to try to find the file. 
++ for path in glob.glob(receive_mode_dir + "*"): ++ if os.path.exists(os.path.join(path, expected_basename)): ++ exists = True ++ break + now = now - timedelta(seconds=1) + + self.assertTrue(exists) diff -Nru onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff --- onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff 1970-01-01 01:00:00.000000000 +0100 +++ onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff 2022-11-12 17:23:52.000000000 +0100 @@ -0,0 +1,22 @@ +Description: Fix for CVE-2022-21690 + +Adapted from upstream https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0 + +Force plaintext format for path parameter + +Origin: upstream, https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0 + +Bug-GitHub: https://github.com/advisories/GHSA-ch22-x2v3-v6vq +Last-Update: 2022-11-12 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/onionshare_gui/mode/history.py ++++ b/onionshare_gui/mode/history.py +@@ -410,6 +410,7 @@ + self.common.css["history_individual_file_timestamp_label"] + ) + self.path_label = QtWidgets.QLabel("{}".format(self.path)) ++ self.path_label.setTextFormat(QtCore.Qt.PlainText) + self.status_code_label = QtWidgets.QLabel() + + # Progress bar diff -Nru onionshare-2.2/debian/patches/series onionshare-2.2/debian/patches/series --- onionshare-2.2/debian/patches/series 2021-01-06 11:35:02.000000000 +0100 +++ onionshare-2.2/debian/patches/series 2022-11-12 17:23:52.000000000 +0100 @@ -1 +1,3 @@ +CVE-2022-21689-fix.diff cryptodome.diff +CVE-2022-21690-fix.diff
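Review bot: in the CVE-2022-21689-fix.diff hunk, `identical_files_at_once` is no longer read inside the loop in tests/GuiReceiveTest.py once the `"%H.%M.%S-1"` branch is dropped, so if it is still a parameter of the enclosing helper it is now dead; either keep callers passing it or remove it in the same patch. Also, `glob.glob(receive_mode_dir + "*")` matches any directory whose name starts with the same second, including a leftover from an earlier run in the same data_dir, so the test silently assumes a fresh data_dir per run; worth a one-line note in the Description.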
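Review bot: the added `self.path_label.setTextFormat(QtCore.Qt.PlainText)` in onionshare_gui/mode/history.py references `QtCore`, but the surrounding context only shows `QtWidgets` in use and the patch adds no import; verify history.py already imports QtCore, otherwise rendering a history item raises NameError. Minor DEP-3 point in the same file: the header says `Origin: upstream` while the Description says "Adapted from upstream"; if anything was adapted, `Origin: backport` (as used in CVE-2022-21689-fix.diff) is the accurate tag.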
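Review bot: the debian/patches/series hunk inserts CVE-2022-21689-fix.diff before cryptodome.diff but appends CVE-2022-21690-fix.diff after it; the new patches touch different files from cryptodome.diff, so the order is functionally harmless, but appending both at the end keeps the series in chronological application order and makes future quilt refreshes easier to review.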