Bug#989846: CVE-2021-22895

2021-09-13 Thread Salvatore Bonaccorso
Hi Sandro,

On Sun, Sep 12, 2021 at 06:33:57PM +0200, Sandro Knauß wrote:
> Hey,
> > > > What about Buster? Is 2.5 also affected?
> > > 
> > > yes 2.5 is also affected. At least the source files look the same.
> > 
> > Ack, can you also prepare an update for buster-security, please?
> 
> I have here a proposed debdiff. I added a third patch, so users have the 
> possibility to accept invalid certs otherwise they would fail silently. At 
> least for me this sounds like not a proper solution. 

Deferring a reply for this one to Moritz.

> * Do I need to upload also with sources? How can I check this myself?

Whenever you do a first upload to security-master where the source
would not have been present yet, then yes the orig source needs to be
included. For nextcloud-desktop +deb10u1 was via a buster point
release, so it would be correct to build with -sa.

Note that you want to change the target distribution to buster-security
in:

> +nextcloud-desktop (2.5.1-3+deb10u2) buster; urgency=high

Regards,
Salvatore



Bug#989846: CVE-2021-22895

2021-09-12 Thread Sandro Knauß
Hey,
> > > What about Buster? Is 2.5 also affected?
> > 
> > yes 2.5 is also affected. At least the source files look the same.
> 
> Ack, can you also prepare an update for buster-security, please?

I have here a proposed debdiff. I added a third patch, so users have the 
possibility to accept invalid certs otherwise they would fail silently. At 
least for me this sounds like not a proper solution. 

* Do I need to upload also with sources? How can I check this myself?
 
Cheers,

hefee
diff -Nru nextcloud-desktop-2.5.1/debian/changelog nextcloud-desktop-2.5.1/debian/changelog
--- nextcloud-desktop-2.5.1/debian/changelog	2019-08-29 18:57:38.0 +0200
+++ nextcloud-desktop-2.5.1/debian/changelog	2021-09-11 11:53:28.0 +0200
@@ -1,3 +1,12 @@
+nextcloud-desktop (2.5.1-3+deb10u2) buster; urgency=high
+
+  * Add backported patch to fix CVE-2021-22895. (Closes: #989846)
+  * Add backported patch to fix CVE-2021-32728.
+  * Update patch for CVE-2021-32728 for v2.5.1.
+  * Add patch to make it possible to accept invalid SSL certificates.
+
+ -- Sandro Knauß   Sat, 11 Sep 2021 11:53:28 +0200
+
 nextcloud-desktop (2.5.1-3+deb10u1) buster; urgency=medium
 
   * Make nextcloud-desktop-cmd depend on nextcloud-desktop-common.
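Review bot: The distribution on the first added line is `buster`, while the matching bullseye entry uses `bullseye-security`; for an upload to security-master this should read `buster-security`. The fourth bullet ("Add patch to make it possible to accept invalid SSL certificates") also deserves more detail: the same upload fixes CVE-2021-22895 by validating the provider's certificate, so the entry should say how acceptance is triggered and which patch file implements it.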
diff -Nru nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch
--- nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch	1970-01-01 01:00:00.0 +0100
+++ nextcloud-desktop-2.5.1/debian/patches/0006-Validate-the-providers-ssl-certificate.patch	2021-09-10 22:17:16.0 +0200
@@ -0,0 +1,37 @@
+From 142180c0e297ef500daf8328e7ea3020e33a3639 Mon Sep 17 00:00:00 2001
+From: Felix Weilbach 
+Date: Wed, 10 Feb 2021 09:53:57 +0100
+Subject: [PATCH] Validate the providers ssl certificate
+
+Signed-off-by: Felix Weilbach 
+---
+ src/gui/wizard/webview.cpp | 12 ++--
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/src/gui/wizard/webview.cpp
 b/src/gui/wizard/webview.cpp
+@@ -45,9 +45,6 @@ public:
+ 
+ protected:
+ bool certificateError(const QWebEngineCertificateError ) override;
+-
+-private:
+-QUrl _rootUrl;
+ };
+ 
+ // We need a separate class here, since we cannot simply return the same WebEnginePage object
+@@ -157,14 +154,9 @@ QWebEnginePage * WebEnginePage::createWi
+ 
+ void WebEnginePage::setUrl(const QUrl ) {
+ QWebEnginePage::setUrl(url);
+-_rootUrl = url;
+ }
+ 
+ bool WebEnginePage::certificateError(const QWebEngineCertificateError ) {
+-if (certificateError.error() == QWebEngineCertificateError::CertificateAuthorityInvalid) {
+-return certificateError.url().host() == _rootUrl.host();
+-}
+-
+ return false;
+ }
+ 
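Review bot: The nested patch header still reads "2 insertions(+), 10 deletions(-)", but the two hunks as adapted for 2.5.1 only remove lines (the `_rootUrl` member, its assignment in setUrl(), and the `CertificateAuthorityInvalid` branch), so the header no longer describes this backport. Suggest regenerating the diffstat and adding a DEP-3 style line such as "Origin: backport, <upstream commit URL>" so it is clear the patch was modified from commit 142180c0e297. The description could also state that certificateError() now returns false for every error, including for the host the user entered in the wizard.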
diff -Nru nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch
--- nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch	1970-01-01 01:00:00.0 +0100
+++ nextcloud-desktop-2.5.1/debian/patches/0007-check-e2ee-public-key-against-private-one.patch	2021-09-11 11:28:54.0 +0200
@@ -0,0 +1,88 @@
+From 7fb09a81632de6066e55def20308d6e61cadbc48 Mon Sep 17 00:00:00 2001
+From: Matthieu Gallien 
+Date: Wed, 19 May 2021 15:36:47 +0200
+Subject: [PATCH] check e2ee public key against private one
+
+should ensure we have matching private/public keys
+
+Signed-off-by: Matthieu Gallien 
+---
+ src/libsync/clientsideencryption.cpp | 30 +++-
+ src/libsync/clientsideencryption.h   |  1 +
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/src/libsync/clientsideencryption.cpp
 b/src/libsync/clientsideencryption.cpp
+@@ -15,6 +15,7 @@
+ #include "creds/abstractcredentials.h"
+ 
+ #include 
++#include 
+ 
+ #include 
+ 
+@@ -30,6 +31,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ 
+@@ -644,6 +646,37 @@ void ClientSideEncryption::fetchFromKeyC
+ job->start();
+ }
+ 
++ bool ClientSideEncryption::checkPublicKeyValidity() const
++ {
++ QByteArray data = EncryptionHelper::generateRandom(64);
++
++ BIO *publicKeyBio = BIO_new(BIO_s_mem());
++ QByteArray publicKeyPem = _account->e2e()->_publicKey.toPem();
++ BIO_write(publicKeyBio, publicKeyPem.constData(), publicKeyPem.size());
++ EVP_PKEY *publicKey = PEM_read_bio_PUBKEY(publicKeyBio, nullptr, nullptr, nullptr);
++ BIO_free_all(publicKeyBio);
++
++ auto encryptedData = EncryptionHelper::encryptStringAsymmetric(publicKey, data.toBase64());
++
++ BIO *privateKeyBio = BIO_new(BIO_s_mem());
++ QByteArray privateKeyPem = _account->e2e()->_privateKey;
++ BIO_write(privateKeyBio, privateKeyPem.constData(), privateKeyPem.size());
++ EVP_PKEY *key = PEM_read_bio_PrivateKey(privateKeyBio, nullptr, nullptr, nullptr);
++ 
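Review bot: This 2.5.1 variant of checkPublicKeyValidity() manages `BIO *` and `EVP_PKEY *` as raw pointers. `publicKeyBio` is released with BIO_free_all(), but the listing is cut off before any release of `publicKey`, `privateKeyBio` or `key` is visible. Please confirm that each of them is freed on every return path, or reuse RAII wrappers as the 3.1.1 variant does with `Bio` and `PKey`. The result of PEM_read_bio_PUBKEY() is also passed to encryptStringAsymmetric() without a nullptr check; returning false early when the PEM cannot be parsed would make the failure explicit.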

Bug#989846: CVE-2021-22895

2021-08-23 Thread Moritz Mühlenhoff
On Sun, Aug 22, 2021 at 09:34:58PM +0200, Sandro Knauß wrote:
> Hey,
> 
> > Looks good! Please build with -sa (since nextcloud-desktop is new in
> > bullseye-security and ftp.d.o and security.d.o don't share tarballs).
> 
> done.
> 
> > What about Buster? Is 2.5 also affected?
> 
> yes 2.5 is also affected. At least the source files look the same.

Ack, can you also prepare an update for buster-security, please?

With the release of Bullseye, Buster remains supported for another
year with non-LTS security support.

Cheers,
Moritz



Bug#989846: CVE-2021-22895

2021-08-22 Thread Sandro Knauß
Hey,

> Looks good! Please build with -sa (since nextcloud-desktop is new in
> bullseye-security and ftp.d.o and security.d.o don't share tarballs).

done.

> What about Buster? Is 2.5 also affected?

yes 2.5 is also affected. At least the source files look the same.

hefee





Bug#989846: CVE-2021-22895

2021-08-22 Thread Moritz Mühlenhoff
On Sun, Aug 22, 2021 at 08:47:45PM +0200, Sandro Knauß wrote:
> Hey,
> 
> finally, I managed to prepare a patched version of nextcloud-desktop.
> 
> I fixed both open issues for nextcloud-desktop for bullseye. See my attached 
> debdiff.
> 
> * CVE-2021-22895
> * CVE-2021-32728
> 
> Did I manage all fields correctly (codename and urgency)?
> 
> sid will be fixed with a new upload of 3.3.1-1 in the next hours.

Looks good! Please build with -sa (since nextcloud-desktop is new in
bullseye-security and ftp.d.o and security.d.o don't share tarballs).

What about Buster? Is 2.5 also affected?

Cheers,
 Moritz



Bug#989846: CVE-2021-22895

2021-08-22 Thread Sandro Knauß
Hey,

finally, I managed to prepare a patched version of nextcloud-desktop.

I fixed both open issues for nextcloud-desktop for bullseye. See my attached 
debdiff.

* CVE-2021-22895
* CVE-2021-32728

Did I manage all fields correctly (codename and urgency)?

sid will be fixed with a new upload of 3.3.1-1 in the next hours.

regards,

hefee
diff -Nru nextcloud-desktop-3.1.1/debian/changelog nextcloud-desktop-3.1.1/debian/changelog
--- nextcloud-desktop-3.1.1/debian/changelog	2021-05-08 19:39:35.0 +0200
+++ nextcloud-desktop-3.1.1/debian/changelog	2021-08-22 19:59:32.0 +0200
@@ -1,3 +1,11 @@
+nextcloud-desktop (3.1.1-2+deb11u1) bullseye-security; urgency=high
+
+  * Add backported patch to fix CVE-2021-22895 (Closes: #989846).
+  * Add backported patch to fix CVE-2021-32728 with small modifications to
+match for Debian.
+
+ -- Sandro Knauß   Sun, 22 Aug 2021 19:59:32 +0200
+
 nextcloud-desktop (3.1.1-2) unstable; urgency=medium
 
   * Add two upstream patches to fix CVE-2021-22879 (Closes: #987274):
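Review bot: The second bullet says the CVE-2021-32728 patch was backported "with small modifications to match for Debian" but does not say what was changed. Suggest naming the modification here or in the header of 0008-check-e2ee-public-key-against-private-one.patch, so a later reviewer can tell the Debian delta from the upstream commit. As shown, the continuation line "match for Debian." also has no leading indentation; check that it is indented in the actual changelog.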
diff -Nru nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch
--- nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch	1970-01-01 01:00:00.0 +0100
+++ nextcloud-desktop-3.1.1/debian/patches/0007-Validate-the-providers-ssl-certificate.patch	2021-08-22 19:59:32.0 +0200
@@ -0,0 +1,45 @@
+From 142180c0e297ef500daf8328e7ea3020e33a3639 Mon Sep 17 00:00:00 2001
+From: Felix Weilbach 
+Date: Wed, 10 Feb 2021 09:53:57 +0100
+Subject: [PATCH] Validate the providers ssl certificate
+
+Signed-off-by: Felix Weilbach 
+---
+ src/gui/wizard/webview.cpp | 12 ++--
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/src/gui/wizard/webview.cpp b/src/gui/wizard/webview.cpp
+index e03f86509..6c2207f48 100644
+--- a/src/gui/wizard/webview.cpp
 b/src/gui/wizard/webview.cpp
+@@ -52,9 +52,6 @@ public:
+ 
+ protected:
+ bool certificateError(const QWebEngineCertificateError ) override;
+-
+-private:
+-QUrl _rootUrl;
+ };
+ 
+ // We need a separate class here, since we cannot simply return the same WebEnginePage object
+@@ -191,15 +188,10 @@ QWebEnginePage * WebEnginePage::createWindow(QWebEnginePage::WebWindowType type)
+ 
+ void WebEnginePage::setUrl(const QUrl ) {
+ QWebEnginePage::setUrl(url);
+-_rootUrl = url;
+ }
+ 
+-bool WebEnginePage::certificateError(const QWebEngineCertificateError ) {
+-if (certificateError.error() == QWebEngineCertificateError::CertificateAuthorityInvalid &&
+-certificateError.url().host() == _rootUrl.host()) {
+-return true;
+-}
+-
++bool WebEnginePage::certificateError(const QWebEngineCertificateError )
++{
+ /**
+  * TODO properly improve this.
+  * The certificate should be displayed.
+-- 
+2.33.0
+
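Review bot: Removing the `CertificateAuthorityInvalid` same-host branch in the last nested hunk means that branch no longer accepts wizard logins against servers with a self-signed or private-CA certificate. The retained comment ("TODO properly improve this. The certificate should be displayed.") indicates the user is still not shown the certificate. Suggest noting this behaviour change in the changelog entry or in debian/NEWS, so administrators of such servers know what to expect after the security update.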
diff -Nru nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch
--- nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch	1970-01-01 01:00:00.0 +0100
+++ nextcloud-desktop-3.1.1/debian/patches/0008-check-e2ee-public-key-against-private-one.patch	2021-08-22 19:59:32.0 +0200
@@ -0,0 +1,83 @@
+From 7fb09a81632de6066e55def20308d6e61cadbc48 Mon Sep 17 00:00:00 2001
+From: Matthieu Gallien 
+Date: Wed, 19 May 2021 15:36:47 +0200
+Subject: [PATCH] check e2ee public key against private one
+
+should ensure we have matching private/public keys
+
+Signed-off-by: Matthieu Gallien 
+---
+ src/libsync/clientsideencryption.cpp | 30 +++-
+ src/libsync/clientsideencryption.h   |  1 +
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+--- a/src/libsync/clientsideencryption.cpp
 b/src/libsync/clientsideencryption.cpp
+@@ -16,6 +16,7 @@
+ 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ 
+@@ -32,6 +33,7 @@
+ #include 
+ #include 
+ #include 
++#include 
+ 
+ #include 
+ #include "common/utility.h"
+@@ -797,6 +799,32 @@ void ClientSideEncryption::fetchFromKeyC
+ job->start();
+ }
+ 
++ bool ClientSideEncryption::checkPublicKeyValidity() const
++ {
++ QByteArray data = EncryptionHelper::generateRandom(64);
++
++ Bio publicKeyBio;
++ QByteArray publicKeyPem = _account->e2e()->_publicKey.toPem();
++ BIO_write(publicKeyBio, publicKeyPem.constData(), publicKeyPem.size());
++ auto publicKey = PKey::readPublicKey(publicKeyBio);
++
++ auto encryptedData = EncryptionHelper::encryptStringAsymmetric(publicKey, data.toBase64());
++
++ Bio privateKeyBio;
++ QByteArray privateKeyPem = _account->e2e()->_privateKey;
++ BIO_write(privateKeyBio, privateKeyPem.constData(), privateKeyPem.size());
++ auto key = PKey::readPrivateKey(privateKeyBio);
++
++ QByteArray decryptResult = 
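Review bot: In the added checkPublicKeyValidity(), the return values of both BIO_write() calls are ignored, and nothing visible checks that `publicKey` was actually parsed before it is handed to encryptStringAsymmetric(). Suggest returning false as soon as a write is short or a key read fails, so that a malformed key is reported as a mismatch instead of reaching the encrypt and decrypt steps. The listing is cut off at `decryptResult`, so the final comparison against `data` cannot be reviewed here.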

Bug#989846: CVE-2021-22895

2021-06-14 Thread Moritz Muehlenhoff
Package: nextcloud-desktop
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team 

See 
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5

Patch:
https://github.com/nextcloud/desktop/commit/b1ddd0e491b2af0ed040e658d8bcde2a7a61c9fc

Can you please upload a targeted fix and ask for an unblock with the release 
team?

Cheers,
 Moritz