Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-11-27 Thread Moritz Mühlenhoff 
Am Sun, Nov 27, 2022 at 11:45:27AM +0100 schrieb Clément Hermann:
> Hi
> 
> Le 25/10/2022 à 13:53, Clément Hermann a écrit :
> > Hi Moritz,
> > 
> > Le 25/10/2022 à 11:15, Moritz Muehlenhoff a écrit :
> > 
> > > Given that the primary use case for onionshare will be tails, my
> > > suggestion would be that CVE-2022-21689
> > > and CVE-2022-21690 get backported fixes for the next Bullseye point
> > > release (which Tails will sync up
> > > to). What do you think?
> > 
> > There are some users of onionshare beside in Tails, but that sounds like
> > a viable plan.
> > 
> FYI, backported fixes have been uploaded and should be included in next
> point release (#1023981)

Saw that, thanks!

Cheers,
Moritz

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-11-27 Thread Clément Hermann 

Hi

Le 25/10/2022 à 13:53, Clément Hermann a écrit :

Hi Moritz,

Le 25/10/2022 à 11:15, Moritz Muehlenhoff a écrit :

Given that the primary use case for onionshare will be tails, my 
suggestion would be that CVE-2022-21689
and CVE-2022-21690 get backported fixes for the next Bullseye point 
release (which Tails will sync up

to). What do you think?


There are some users of onionshare beside in Tails, but that sounds 
like a viable plan.


FYI, backported fixes have been uploaded and should be included in next 
point release (#1023981)


Cheers,

--
nodens

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-10-25 Thread Clément Hermann 

Hi Moritz,

Le 25/10/2022 à 11:15, Moritz Muehlenhoff a écrit :

Hi Clément,


Sadly, upstream rectified and confirms it affects 2.2 [0], and has been
tested and reproduced on Bullseye. We do need to fix it. Upstream has a few
suggestions, but I guess our choices are either uploading 2.5 to stable, if
that's possible. python-stem at least will need to be updated as well, from
1.8.0 to 1.8.1 which luckily is bugfix only.

With the upstream confirmation about affected states I had a look at the 
remaining
issues affecting Bullseye:


Thanks!


CVE-2022-21694 
(https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h)
is not a vulnerability by itself, it's a lack of a feature at most. We can 
ignore it for
Bullseye.


Agreed, that's my reasoning too.


CVE-2022-21688 
(https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v)
is just a stop gap, the actual issue is in QT and I'll reach out to upstream 
for more information
when this was fixed in QT so that it can be backported to Bullseye's QT 
packages.

Agreed. The fix for CVE-2022-21690 will provide a workaround as well.


This leaves:
https://security-tracker.debian.org/tracker/CVE-2022-21690
https://security-tracker.debian.org/tracker/CVE-2022-21689
https://security-tracker.debian.org/tracker/CVE-2021-41868

I think it's fair to ignore CVE-2021-41868 for Bullseye, it sounds like an edge 
case
and invasive to fix.
I'm not sure how much of an edge case it is. But I agree it's fair. We 
could provide a backport for users needing secure authentication, so 
they could use onion v3 auth for this usage (I didn't check yet how easy 
a backport would be, but I expect it'd be simple except maybe for the 
poetry build system part).




This leaves CVE-2022-21690 and CVE-2022-21689 which have isolated patches which 
could be backported?


Yes.


Given that the primary use case for onionshare will be tails, my suggestion 
would be that CVE-2022-21689
and CVE-2022-21690 get backported fixes for the next Bullseye point release 
(which Tails will sync up
to). What do you think?


There are some users of onionshare beside in Tails, but that sounds like 
a viable plan.


Cheers,

--
nodens

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-10-25 Thread Moritz Muehlenhoff 
Hi Clément,

> Sadly, upstream rectified and confirms it affects 2.2 [0], and has been
> tested and reproduced on Bullseye. We do need to fix it. Upstream has a few
> suggestions, but I guess our choices are either uploading 2.5 to stable, if
> that's possible. python-stem at least will need to be updated as well, from
> 1.8.0 to 1.8.1 which luckily is bugfix only.

With the upstream confirmation about affected states I had a look at the 
remaining
issues affecting Bullseye:

CVE-2022-21694 
(https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h)
is not a vulnerability by itself, it's a lack of a feature at most. We can 
ignore it for
Bullseye.

CVE-2022-21688 
(https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v)
is just a stop gap, the actual issue is in QT and I'll reach out to upstream 
for more information
when this was fixed in QT so that it can be backported to Bullseye's QT 
packages.

This leaves:
https://security-tracker.debian.org/tracker/CVE-2022-21690
https://security-tracker.debian.org/tracker/CVE-2022-21689
https://security-tracker.debian.org/tracker/CVE-2021-41868

I think it's fair to ignore CVE-2021-41868 for Bullseye, it sounds like an edge 
case
and invasive to fix.

This leaves CVE-2022-21690 and CVE-2022-21689 which have isolated patches which 
could be backported?

Given that the primary use case for onionshare will be tails, my suggestion 
would be that CVE-2022-21689
and CVE-2022-21690 get backported fixes for the next Bullseye point release 
(which Tails will sync up
to). What do you think?

Cheers,
Moritz

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-10-25 Thread Clément Hermann 



Le 24/10/2022 à 20:41, Clément Hermann a écrit :


- CVE-2022-21694  
affects Bullseye, but that might be an acceptable risk ? The issue is 
that CSP can only be turned on or off, not configured to allow js etc, 
so it is only useful for static websites. I believe that's the most 
common usage of a website with onionshare, and it's arguably a missing 
feature more than a vulnerability /per se/.


- CVE-2022-21689  
fix should be easy to backport, at a glance: 
https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377


- CVE-2021-41868  
doesn't affect 2.2 I think, it must have been a mistake from mig5. I 
just asked for confirmation. I do hope so since it's a bad one.


Sadly, upstream rectified and confirms it affects 2.2 [0], and has been 
tested and reproduced on Bullseye. We do need to fix it. Upstream has a 
few suggestions, but I guess our choices are either uploading 2.5 to 
stable, if that's possible. python-stem at least will need to be updated 
as well, from 1.8.0 to 1.8.1 which luckily is bugfix only.


- CVE-2022-21690  
seems like a one-line patch: 
https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0


- CVE-2022-21688  
seems like it should be worked around with the CVE-2022-21690 
 fix (OTF-001)?


I'd welcome input on those.

Of course if we choose to update onionshare to 2.5 in stable, we fix 
those as well.


[0] 
https://github.com/onionshare/onionshare/issues/1633#issuecomment-1289735350


Cheers,

--
nodens

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-10-24 Thread Clément Hermann 



Le 24/10/2022 à 18:26, Clément Hermann a écrit :

Hi,

Le 23/10/2022 à 18:27, Clément Hermann a écrit :

Hi,

Le 22/10/2022 à 15:01, Salvatore Bonaccorso a écrit :

To be on safe side, explicitly confirming by upstream would be great.


Agreed. And asked upstream: 
https://github.com/onionshare/onionshare/issues/1633.


Upstream replied quickly (yay!) and confirms the known issues are 
fixed in 2.5.


Also, the detail of the vulnerable/patched versions has been updated. 
Quoting from the upstream issue:


Only affected >= 2.3 - < 2.5: CVE-2021-41867 
, CVE-2022-21691 
, CVE-2022-21695 
, CVE-2022-21696 

Only affected >= 2.2 - < 2.5: CVE-2022-21694 

Only affected >=2.0 - < 2.5: CVE-2022-21689 

Only affected >=2.0 - < 2.4: CVE-2021-41868 
 (Receive mode 
bug, fixed by changing the authentication from HTTP auth to using 
Client Auth in Tor itself)
All versions < 2.5: CVE-2022-21690 
, and possibly 
depending on the Qt version, CVE-2022-21688 



GHSA-jgm9-xpfj-4fq6 
 
is a complicated one, as a fix 
 we reduced the 
scope of access for Flatpak but you could argue that on 'native' 
Debian the whole file system, or at least the parts accessible to the 
user running OnionShare, is available not even in read-only mode. I'm 
not sure there's really a 'fix' for the deb package.


The advisories on 
https://github.com/onionshare/onionshare/security/advisories have been 
updated to reflect this.


I did more homework.

So, to summarize:
- CVE-2021-41867 , 
CVE-2022-21691 , 
CVE-2022-21695 , 
CVE-2022-21696  
aren't affecting Debian (stable has 2.2, unstable has 2.5). Which is 
good because the


- CVE-2022-21694  
affects Bullseye, but that might be an acceptable risk ? The issue is 
that CSP can only be turned on or off, not configured to allow js etc, 
so it is only useful for static websites. I believe that's the most 
common usage of a website with onionshare, and it's arguably a missing 
feature more than a vulnerability /per se/.


- CVE-2022-21689  fix 
should be easy to backport, at a glance: 
https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377


- CVE-2021-41868  
doesn't affect 2.2 I think, it must have been a mistake from mig5. I 
just asked for confirmation. I do hope so since it's a bad one.


- CVE-2022-21690  
seems like a one-line patch: 
https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0


- CVE-2022-21688  
seems like it should be worked around with the CVE-2022-21690 
 fix (OTF-001)?


I'd welcome input on those.

Cheers,

--
nodens

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-10-24 Thread Clément Hermann 

Hi,

Le 23/10/2022 à 18:27, Clément Hermann a écrit :

Hi,

Le 22/10/2022 à 15:01, Salvatore Bonaccorso a écrit :


Thanks for the quick reply! (much appreciated). I think it would be
good to get a confirmation from upstream and if possible to have
those advisories updates. E.g.
https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v 


while mentioning "affected versions < 2.4" the patched version remains
"none". this might be that the < 2.4 just reflects the point in time
when the advisory was filled. OTOH you have arguments with the v2.5
release information that they might all be fixed.

To be on safe side, explicitly confirming by upstream would be great.


Agreed. And asked upstream: 
https://github.com/onionshare/onionshare/issues/1633.


Upstream replied quickly (yay!) and confirms the known issues are fixed 
in 2.5.


Also, the detail of the vulnerable/patched versions has been updated. 
Quoting from the upstream issue:


Only affected >= 2.3 - < 2.5: CVE-2021-41867 
, CVE-2022-21691 
, CVE-2022-21695 
, CVE-2022-21696 

Only affected >= 2.2 - < 2.5: CVE-2022-21694 

Only affected >=2.0 - < 2.5: CVE-2022-21689 

Only affected >=2.0 - < 2.4: CVE-2021-41868 
 (Receive mode bug, 
fixed by changing the authentication from HTTP auth to using Client 
Auth in Tor itself)
All versions < 2.5: CVE-2022-21690 
, and possibly 
depending on the Qt version, CVE-2022-21688 



GHSA-jgm9-xpfj-4fq6 
 
is a complicated one, as a fix 
 we reduced the 
scope of access for Flatpak but you could argue that on 'native' 
Debian the whole file system, or at least the parts accessible to the 
user running OnionShare, is available not even in read-only mode. I'm 
not sure there's really a 'fix' for the deb package.


The advisories on 
https://github.com/onionshare/onionshare/security/advisories have been 
updated to reflect this.


--
nodens

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-10-23 Thread Salvatore Bonaccorso 
Hi Clément,

On Sun, Oct 23, 2022 at 06:27:08PM +0200, Clément Hermann wrote:
> Hi,
> 
> Le 22/10/2022 à 15:01, Salvatore Bonaccorso a écrit :
> 
> > Thanks for the quick reply! (much appreciated). I think it would be
> > good to get a confirmation from upstream and if possible to have
> > those advisories updates. E.g.
> > https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
> > while mentioning "affected versions < 2.4" the patched version remains
> > "none". this might be that the < 2.4 just reflects the point in time
> > when the advisory was filled. OTOH you have arguments with the v2.5
> > release information that they might all be fixed.
> > 
> > To be on safe side, explicitly confirming by upstream would be great.
> 
> Agreed. And asked upstream:
> https://github.com/onionshare/onionshare/issues/1633.

Thank you!

Regards,
Salvatore

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-10-23 Thread Clément Hermann 

Hi,

Le 22/10/2022 à 15:01, Salvatore Bonaccorso a écrit :


Thanks for the quick reply! (much appreciated). I think it would be
good to get a confirmation from upstream and if possible to have
those advisories updates. E.g.
https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
while mentioning "affected versions < 2.4" the patched version remains
"none". this might be that the < 2.4 just reflects the point in time
when the advisory was filled. OTOH you have arguments with the v2.5
release information that they might all be fixed.

To be on safe side, explicitly confirming by upstream would be great.


Agreed. And asked upstream: 
https://github.com/onionshare/onionshare/issues/1633.


Cheers,

--
nodens

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-10-22 Thread Salvatore Bonaccorso 
Hi Clément,

On Sat, Oct 22, 2022 at 02:50:53PM +0200, Clément Hermann wrote:
> Hi Salvatore,
> 
> Le 22/10/2022 à 13:49, Salvatore Bonaccorso a écrit :
> > 
> > > For further information see:
> > > 
> > > [0] https://security-tracker.debian.org/tracker/CVE-2021-41867
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
> > > [1] https://security-tracker.debian.org/tracker/CVE-2021-41868
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
> > > [2] https://security-tracker.debian.org/tracker/CVE-2022-21688
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
> > > [3] https://security-tracker.debian.org/tracker/CVE-2022-21689
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
> > > [4] https://security-tracker.debian.org/tracker/CVE-2022-21690
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
> > > [5] https://security-tracker.debian.org/tracker/CVE-2022-21691
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
> > > [6] https://security-tracker.debian.org/tracker/CVE-2022-21692
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
> > > [7] https://security-tracker.debian.org/tracker/CVE-2022-21693
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
> > > [8] https://security-tracker.debian.org/tracker/CVE-2022-21694
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
> > > [9] https://security-tracker.debian.org/tracker/CVE-2022-21695
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
> > > [10] https://security-tracker.debian.org/tracker/CVE-2022-21696
> > >  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696
> >  From the reported list CVE-2021-41867 and CVE-2021-41868 were
> > addressed in 2.4 upstream. But the other seem yet unfixed in 2.5, even
> > though likely as well those who contain "has been patched in 2.5". I
> > have not found any indication that this there is really the case.
> > 
> > Any more insights OTOH from you on those?
> According to onionshare 2.5 release notes [1], and to the vulnerabilities
> list on the github project [2], I'd say they were fixed.
> All vulnerabilities are marked as affecting <2.4 since 2.5 release, and for
> instance for the username impersonation, it's been specified in the release
> notes that the security have been tightened on this front.
> 
> That said, I didn't check the code for every vuln individually, and I
> definitely could ask upstream for clarification/confirmation if you think
> it's necessary.

Thanks for the quick reply! (much appreciated). I think it would be
good to get a confirmation from upstream and if possible to have
those advisories updates. E.g.
https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
while mentioning "affected versions < 2.4" the patched version remains
"none". this might be that the < 2.4 just reflects the point in time
when the advisory was filled. OTOH you have arguments with the v2.5
release information that they might all be fixed.

To be on safe side, explicitly confirming by upstream would be great.

Regards,
Salvatore

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-10-22 Thread Clément Hermann 

Hi Salvatore,

Le 22/10/2022 à 13:49, Salvatore Bonaccorso a écrit :



For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41867
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
[1] https://security-tracker.debian.org/tracker/CVE-2021-41868
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
[2] https://security-tracker.debian.org/tracker/CVE-2022-21688
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
[3] https://security-tracker.debian.org/tracker/CVE-2022-21689
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
[4] https://security-tracker.debian.org/tracker/CVE-2022-21690
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
[5] https://security-tracker.debian.org/tracker/CVE-2022-21691
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
[6] https://security-tracker.debian.org/tracker/CVE-2022-21692
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
[7] https://security-tracker.debian.org/tracker/CVE-2022-21693
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
[8] https://security-tracker.debian.org/tracker/CVE-2022-21694
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
[9] https://security-tracker.debian.org/tracker/CVE-2022-21695
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
[10] https://security-tracker.debian.org/tracker/CVE-2022-21696
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696

 From the reported list CVE-2021-41867 and CVE-2021-41868 were
addressed in 2.4 upstream. But the other seem yet unfixed in 2.5, even
though likely as well those who contain "has been patched in 2.5". I
have not found any indication that this there is really the case.

Any more insights OTOH from you on those?
According to onionshare 2.5 release notes [1], and to the 
vulnerabilities list on the github project [2], I'd say they were fixed.
All vulnerabilities are marked as affecting <2.4 since 2.5 release, and 
for instance for the username impersonation, it's been specified in the 
release notes that the security have been tightened on this front.


That said, I didn't check the code for every vuln individually, and I 
definitely could ask upstream for clarification/confirmation if you 
think it's necessary.




[1] https://github.com/onionshare/onionshare/releases/tag/v2.5
[2] https://github.com/onionshare/onionshare/security/advisories

Cheers,

--
nodens

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-10-22 Thread Salvatore Bonaccorso 
Hi,

On Fri, Jul 15, 2022 at 02:04:38PM +0200, Moritz Mühlenhoff wrote:
> Source: onionshare
> X-Debbugs-CC: t...@security.debian.org
> Severity: grave
> Tags: security
> 
> Hi,
> 
> The following vulnerabilities were published for onionshare.
> 
> CVE-2021-41867[0]:
> | An information disclosure vulnerability in OnionShare 2.3 before 2.4
> | allows remote unauthenticated attackers to retrieve the full list of
> | participants of a non-public OnionShare node via the --chat feature.
> 
> https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
> https://www.ihteam.net/advisory/onionshare/
> 
> CVE-2021-41868[1]:
> | OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to
> | upload files on a non-public node when using the --receive
> | functionality.
> 
> https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
> https://www.ihteam.net/advisory/onionshare/
> 
> CVE-2022-21688[2]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. Affected versions of the desktop application were
> | found to be vulnerable to denial of service via an undisclosed
> | vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB
> | memory consumption and this can be triggered multiple times. To be
> | abused, this vulnerability requires rendering in the history tab, so
> | some user interaction is required. An adversary with knowledge of the
> | Onion service address in public mode or with authentication in private
> | mode can perform a Denial of Service attack, which quickly results in
> | out-of-memory for the server. This requires the desktop application
> | with rendered history, therefore the impact is only elevated. This
> | issue has been patched in version 2.5.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v
> 
> CVE-2022-21689[3]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions the receive mode limits
> | concurrent uploads to 100 per second and blocks other uploads in the
> | same second, which can be triggered by a simple script. An adversary
> | with access to the receive mode can block file upload for others.
> | There is no way to block this attack in public mode due to the
> | anonymity properties of the tor network.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc
> 
> CVE-2022-21690[4]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions The path parameter of the
> | requested URL is not sanitized before being passed to the QT frontend.
> | This path is used in all components for displaying the server access
> | history. This leads to a rendered HTML4 Subset (QT RichText editor) in
> | the Onionshare frontend.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq
> 
> CVE-2022-21691[5]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions chat participants can spoof
> | their channel leave message, tricking others into assuming they left
> | the chatroom.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766
> 
> CVE-2022-21692[6]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions anyone with access to the chat
> | environment can write messages disguised as another chat participant.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v
> 
> CVE-2022-21693[7]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. In affected versions an adversary with a primitive
> | that allows for filesystem access from the context of the Onionshare
> | process can access sensitive files in the entire user home folder.
> | This could lead to the leaking of sensitive data. Due to the automatic
> | exclusion of hidden folders, the impact is reduced. This can be
> | mitigated by usage of the flatpak release.
> 
> https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6
> 
> CVE-2022-21694[8]:
> | OnionShare is an open source tool that lets you securely and
> | anonymously share files, host websites, and chat with friends using
> | the Tor network. The website mode of the onionshare allows to use a
> | hardened CSP, which will block any scripts and external resources. It
> | is not possible to configure this CSP for individual pages and
> | therefore the security enhancement cannot be used for

Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

2022-07-15 Thread Moritz Mühlenhoff 
Source: onionshare
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for onionshare.

CVE-2021-41867[0]:
| An information disclosure vulnerability in OnionShare 2.3 before 2.4
| allows remote unauthenticated attackers to retrieve the full list of
| participants of a non-public OnionShare node via the --chat feature.

https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
https://www.ihteam.net/advisory/onionshare/

CVE-2021-41868[1]:
| OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to
| upload files on a non-public node when using the --receive
| functionality.

https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
https://www.ihteam.net/advisory/onionshare/

CVE-2022-21688[2]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. Affected versions of the desktop application were
| found to be vulnerable to denial of service via an undisclosed
| vulnerability in the QT image parsing. Roughly 20 bytes lead to 2GB
| memory consumption and this can be triggered multiple times. To be
| abused, this vulnerability requires rendering in the history tab, so
| some user interaction is required. An adversary with knowledge of the
| Onion service address in public mode or with authentication in private
| mode can perform a Denial of Service attack, which quickly results in
| out-of-memory for the server. This requires the desktop application
| with rendered history, therefore the impact is only elevated. This
| issue has been patched in version 2.5.

https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v

CVE-2022-21689[3]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions the receive mode limits
| concurrent uploads to 100 per second and blocks other uploads in the
| same second, which can be triggered by a simple script. An adversary
| with access to the receive mode can block file upload for others.
| There is no way to block this attack in public mode due to the
| anonymity properties of the tor network.

https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc

CVE-2022-21690[4]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions The path parameter of the
| requested URL is not sanitized before being passed to the QT frontend.
| This path is used in all components for displaying the server access
| history. This leads to a rendered HTML4 Subset (QT RichText editor) in
| the Onionshare frontend.

https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq

CVE-2022-21691[5]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions chat participants can spoof
| their channel leave message, tricking others into assuming they left
| the chatroom.

https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766

CVE-2022-21692[6]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions anyone with access to the chat
| environment can write messages disguised as another chat participant.

https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v

CVE-2022-21693[7]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. In affected versions an adversary with a primitive
| that allows for filesystem access from the context of the Onionshare
| process can access sensitive files in the entire user home folder.
| This could lead to the leaking of sensitive data. Due to the automatic
| exclusion of hidden folders, the impact is reduced. This can be
| mitigated by usage of the flatpak release.

https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6

CVE-2022-21694[8]:
| OnionShare is an open source tool that lets you securely and
| anonymously share files, host websites, and chat with friends using
| the Tor network. The website mode of the onionshare allows to use a
| hardened CSP, which will block any scripts and external resources. It
| is not possible to configure this CSP for individual pages and
| therefore the security enhancement cannot be used for websites using
| javascript or external resources like fonts or images.

https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h
https://github.com/onionshare/onionshare/issues/1389

CVE-2022-21695[9]:
| OnionShare is an open source tool that lets