Bug#1023981: bullseye-pu: package onionshare/2.2-3+deb11u1

2022-11-23 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2022-11-13 at 14:57 +0100, Clément Hermann wrote:
> Following discussion with Security Team about vulnerabilities in
> onionshare (see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014966 ), I
> prepared a patched version which backports upstream fixes for
> CVE-2022-21689 and CVE-2022-21690.
> 

Please go ahead.

Regards,

Adam



Bug#1023981: bullseye-pu: package onionshare/2.2-3+deb11u1

2022-11-13 Thread Clément Hermann
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


[ Reason ]
Following discussion with Security Team about vulnerabilities in
onionshare (see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014966 ), I prepared a
patched version which backports upstream fixes for CVE-2022-21689 and
CVE-2022-21690.

Moritz proposed we just use a point release for those instead of uploading
to bullseye-security, hence this request. The issues aren't that critical
and we are lagging already, so it can wait a few weeks more.

[ Impact ]

If the request isn't approved, I guess I'll ask Security Team to make it
a security upload.

[ Tests ]
I modified the tests in the code, and I did test the modified
functionality manually with a bullseye virtual machine.

[ Risks ]
Modifications are quite simple. The last relevant CVE referenced in the
bug above would mean a lot more work, and more risks (backporting a lot
of code, or actually upgrading stable to 2.5, which would imply upgrading
python-stem as well). Since it is considered an edge case, it's been
decided it would be ignored in bullseye (I intend to provide a backport
later for users who would be at risk otherwise).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
   * Change debian-branch to debian/bullseye in d/gbp.conf (ignored for
     dch)
   * Backport upstream fix for CVE-2022-21690 by forcing PlainText in
     QLabel
   * Backport upstream fix for CVE-2022-21689 by using µsec in filenames
     when receiving files
diff -Nru onionshare-2.2/debian/changelog onionshare-2.2/debian/changelog
--- onionshare-2.2/debian/changelog 2021-01-11 12:12:11.0 +0100
+++ onionshare-2.2/debian/changelog 2022-11-12 17:23:52.0 +0100
@@ -1,3 +1,10 @@
+onionshare (2.2-3+deb11u1) bullseye; urgency=medium
+
+  * Backport upstream fix for CVE-2022-21690
+  * Backport upstream fix for CVE-2022-21689
+
+ -- Clément Hermann   Sat, 12 Nov 2022 17:23:52 +0100
+
 onionshare (2.2-3) unstable; urgency=medium
 
   [ Ulrike Uhlig ]
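Review bot: the two new changelog entries name only the CVE ids, which is thin for a stable update; the [ Changes ] list above already has the one-line descriptions (force PlainText in QLabel; microsecond timestamps in receive-mode directory names), so carry them into the entries, e.g. `* Backport upstream fix for CVE-2022-21690: force PlainText in QLabel`, and reference the report that tracks these issues (`See: #1014966`, or `Closes:` only if nothing in that bug stays open) so the upload can be traced from the tracker.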
diff -Nru onionshare-2.2/debian/gbp.conf onionshare-2.2/debian/gbp.conf
--- onionshare-2.2/debian/gbp.conf  2020-08-29 19:03:20.0 +0200
+++ onionshare-2.2/debian/gbp.conf  2022-11-12 17:23:52.0 +0100
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/sid
+debian-branch = debian/bullseye
 upstream-branch = master
diff -Nru onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff 
onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff
--- onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff   1970-01-01 
01:00:00.0 +0100
+++ onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff   2022-11-12 
17:23:52.0 +0100
@@ -0,0 +1,54 @@
+Description: Fix for CVE-2022-21689
+ Adapted from upstream 
https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
+
+use microseconds for timestamps in filename
+
+Origin: backport, 
https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
+Bug-GitHub: 
https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc
+Last-Update: 2022-11-12
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/onionshare/web/receive_mode.py
 b/onionshare/web/receive_mode.py
+@@ -294,7 +294,7 @@
+ # Figure out what files should be saved
+ now = datetime.now()
+ date_dir = now.strftime("%Y-%m-%d")
+-time_dir = now.strftime("%H.%M.%S")
++time_dir = now.strftime("%H.%M.%S.%f")
+ self.receive_mode_dir = os.path.join(
+ self.web.common.settings.get("data_dir"), date_dir, time_dir
+ )
+--- a/tests/GuiReceiveTest.py
 b/tests/GuiReceiveTest.py
+@@ -1,3 +1,4 @@
++import glob
+ import os
+ import requests
+ from datetime import datetime, timedelta
+@@ -50,17 +51,17 @@
+ now = datetime.now()
+ for i in range(10):
+ date_dir = now.strftime("%Y-%m-%d")
+-if identical_files_at_once:
+-time_dir = now.strftime("%H.%M.%S-1")
+-else:
+-time_dir = now.strftime("%H.%M.%S")
++time_dir = now.strftime("%H.%M.%S")
+ receive_mode_dir = os.path.join(
+ self.gui.common.settings.get("data_dir"), date_dir, time_dir
+ )
+-expected_filename = os.path.join(receive_mode_dir, 
expected_basename)
+-if os.path.exists(expected_filename):
+-exists = True
+-break
++# The directories have microseconds in the name, so we need
++# to use globbing against directory names containing the same
++# second in order to try to find the file.
++
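Review bot: the replacement lookup is cut off in this debdiff as quoted (the hunk ends right after the new comment), so it cannot be verified that the removed `exists = True` and `break` are re-established in the glob branch; please confirm that, and that the glob pattern is anchored to the same second (`time_dir + ".*"` under `receive_mode_dir`'s parent) rather than a bare wildcard. Note also that `now` is still taken once before `for i in range(10):`, so a file that lands in the following second will never match a glob keyed on the earlier second.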
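As an added illustration of the directory-naming change in the CVE-2022-21689 patch above (this is not onionshare's code; the data directory, timestamps and file names are constructed here), the old and new `time_dir` formats side by side, the same-second glob lookup the patched test relies on, and an exclusive-create step that refuses to reuse a directory even when two sessions end up with the same microsecond:

```python
# Added example (not onionshare code): receive-mode directory naming as
# receive_mode.py builds it, before and after the CVE-2022-21689 patch.
import glob
import os
import tempfile
from datetime import datetime, timedelta


def receive_dir(data_dir, now, microseconds):
    """<data_dir>/<YYYY-MM-DD>/<HH.MM.SS[.ffffff]>, as in receive_mode.py."""
    date_dir = now.strftime("%Y-%m-%d")
    time_dir = now.strftime("%H.%M.%S.%f" if microseconds else "%H.%M.%S")
    return os.path.join(data_dir, date_dir, time_dir)


def create_receive_dir(data_dir, now, microseconds):
    """Create the directory exclusively: a directory that already exists
    (another session got the same timestamp) is refused, never reused."""
    path = receive_dir(data_dir, now, microseconds)
    os.makedirs(path, exist_ok=False)  # FileExistsError on collision
    return path


def find_received(data_dir, now, basename):
    """Locate a received file the way the patched test does: glob over
    every directory for the same second, whatever its microsecond suffix."""
    pattern = os.path.join(data_dir, now.strftime("%Y-%m-%d"),
                           now.strftime("%H.%M.%S") + "*", basename)
    return sorted(glob.glob(pattern))


def demo():
    """Two receive sessions 1.5 ms apart, i.e. in the same wall-clock second."""
    t1 = datetime(2022, 11, 12, 17, 23, 52, 100000)  # constructed timestamps
    t2 = t1 + timedelta(microseconds=1500)
    result = {}
    with tempfile.TemporaryDirectory() as data_dir:
        # Old naming (%H.%M.%S): both sessions map to the same directory.
        result["old_collides"] = receive_dir(data_dir, t1, False) == receive_dir(data_dir, t2, False)
        # New naming (%H.%M.%S.%f): distinct directories, both created.
        d1 = create_receive_dir(data_dir, t1, True)
        d2 = create_receive_dir(data_dir, t2, True)
        result["new_collides"] = d1 == d2
        for d in (d1, d2):
            with open(os.path.join(d, "upload.txt"), "w") as f:
                f.write("constructed sample upload\n")
        result["found"] = len(find_received(data_dir, t1, "upload.txt"))
        # Identical microsecond (e.g. clock step): exclusive create refuses.
        try:
            create_receive_dir(data_dir, t1, True)
            result["dup_refused"] = False
        except FileExistsError:
            result["dup_refused"] = True
    return result
```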