Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
Following discussion with Security Team about vulnerabilities in
onionshare (see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014966 ), I prepared a
patched version which backports upstream fixes for CVE-2022-21689 and
CVE-2022-21690.
Moritz proposed we just use a point release for those instead of uploading
to bullseye-security, hence this request. The issues aren't that
critical and we are lagging already, so it can wait a few weeks more.
[ Impact ]
If the request isn't approved, I guess I'll ask Security Team to make it
a security upload.
[ Tests ]
I modified the tests in the code, and I did test the modified
functionality manually with a bullseye virtual machine.
[ Risks ]
Modifications are quite simple. The last relevant CVE referenced in the
bug above would mean a lot more work, and more risks (backporting a lot
of code, or actually upgrading stable to 2.5, which would imply upgrading
python-stem as well). Since it is considered an edge case, it's been
decided it would be ignored in bullseye (I intend to provide a backport
later for users who would be at risk otherwise).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Change debian-branch to debian/bullseye in d/gbp.conf (ignored for dch)
* Backport upstream fix for CVE-2022-21690 by forcing PlainText in QLabel
* Backport upstream fix for CVE-2022-21689 by using µsec in filenames when receiving files
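As an added illustration of the CVE-2022-21689 change listed above (example code written for this note, not code from onionshare or from this upload): it shows why a second-resolution directory name lets two uploads in the same second land in one directory, how the "%f" format narrows that window, and a hypothetical hardening that refuses to reuse an existing directory at all. The function names, the "-N" suffix scheme and the timestamps are assumptions made for the example.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Directory-name formats before and after the backported fix.
OLD_FMT = "%H.%M.%S"        # second resolution: collides within one second
NEW_FMT = "%H.%M.%S.%f"     # microsecond resolution as in the upstream fix


def receive_dir(data_dir, now, time_fmt):
    """Build <data_dir>/<date>/<time>, mirroring how receive mode names dirs."""
    return os.path.join(data_dir, now.strftime("%Y-%m-%d"), now.strftime(time_fmt))


def collides(first, second, time_fmt):
    """True if two upload timestamps map to the same directory name."""
    return receive_dir("data", first, time_fmt) == receive_dir("data", second, time_fmt)


def create_unique_receive_dir(data_dir, now, time_fmt=NEW_FMT, max_tries=100):
    """Hypothetical hardening: create the directory with exist_ok=False so a
    timestamp collision appends a counter instead of sharing the directory."""
    base = receive_dir(data_dir, now, time_fmt)
    for n in range(max_tries):
        candidate = base if n == 0 else f"{base}-{n}"
        try:
            os.makedirs(candidate)  # raises FileExistsError on a collision
            return candidate
        except FileExistsError:
            continue
    raise RuntimeError("could not allocate a unique receive directory")


def demo():
    """Two uploads 5 microseconds apart (constructed timestamps): same name
    under OLD_FMT, distinct under NEW_FMT, never shared by the hardened creator."""
    t0 = datetime(2022, 11, 12, 17, 23, 52, 100)
    t1 = t0 + timedelta(microseconds=5)
    with tempfile.TemporaryDirectory() as data_dir:
        first = create_unique_receive_dir(data_dir, t0, OLD_FMT)
        second = create_unique_receive_dir(data_dir, t1, OLD_FMT)
        suffixed = second == first + "-1"
    return {
        "old_collides": collides(t0, t1, OLD_FMT),
        "new_collides": collides(t0, t1, NEW_FMT),
        "hardened_distinct": first != second,
        "hardened_suffixed": suffixed,
    }


if __name__ == "__main__":
    print(demo())
```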
diff -Nru onionshare-2.2/debian/changelog onionshare-2.2/debian/changelog
--- onionshare-2.2/debian/changelog 2021-01-11 12:12:11.0 +0100
+++ onionshare-2.2/debian/changelog 2022-11-12 17:23:52.0 +0100
@@ -1,3 +1,10 @@
+onionshare (2.2-3+deb11u1) bullseye; urgency=medium
+
+ * Backport upstream fix for CVE-2022-21690
+ * Backport upstream fix for CVE-2022-21689
+
+ -- Clément Hermann Sat, 12 Nov 2022 17:23:52 +0100
+
onionshare (2.2-3) unstable; urgency=medium
[ Ulrike Uhlig ]
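Review bot: the two new changelog entries give only the CVE identifiers and neither references the Debian bug that prompted this upload (#1014966 in the request text) nor says what each CVE is about; a short description per entry (the QLabel rich-text issue and the receive-mode timestamp collision, as listed under [ Changes ]) plus a bug reference such as "(Closes: #1014966)" would let the BTS and the security tracker link the stable fix without readers having to open the patches.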
diff -Nru onionshare-2.2/debian/gbp.conf onionshare-2.2/debian/gbp.conf
--- onionshare-2.2/debian/gbp.conf 2020-08-29 19:03:20.0 +0200
+++ onionshare-2.2/debian/gbp.conf 2022-11-12 17:23:52.0 +0100
@@ -1,4 +1,4 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/sid
+debian-branch = debian/bullseye
upstream-branch = master
diff -Nru onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff
onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff
--- onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff 1970-01-01
01:00:00.0 +0100
+++ onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff 2022-11-12
17:23:52.0 +0100
@@ -0,0 +1,54 @@
+Description: Fix for CVE-2022-21689
+ Adapted from upstream
https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
+
+use microseconds for timestamps in filename
+
+Origin: backport,
https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
+Bug-GitHub:
https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc
+Last-Update: 2022-11-12
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/onionshare/web/receive_mode.py
b/onionshare/web/receive_mode.py
+@@ -294,7 +294,7 @@
+ # Figure out what files should be saved
+ now = datetime.now()
+ date_dir = now.strftime("%Y-%m-%d")
+-time_dir = now.strftime("%H.%M.%S")
++time_dir = now.strftime("%H.%M.%S.%f")
+ self.receive_mode_dir = os.path.join(
+ self.web.common.settings.get("data_dir"), date_dir, time_dir
+ )
+--- a/tests/GuiReceiveTest.py
b/tests/GuiReceiveTest.py
+@@ -1,3 +1,4 @@
++import glob
+ import os
+ import requests
+ from datetime import datetime, timedelta
+@@ -50,17 +51,17 @@
+ now = datetime.now()
+ for i in range(10):
+ date_dir = now.strftime("%Y-%m-%d")
+-if identical_files_at_once:
+-time_dir = now.strftime("%H.%M.%S-1")
+-else:
+-time_dir = now.strftime("%H.%M.%S")
++time_dir = now.strftime("%H.%M.%S")
+ receive_mode_dir = os.path.join(
+ self.gui.common.settings.get("data_dir"), date_dir, time_dir
+ )
+-expected_filename = os.path.join(receive_mode_dir,
expected_basename)
+-if os.path.exists(expected_filename):
+-exists = True
+-break
++# The directories have microseconds in the name, so we need
++# to use globbing against directory names containing the same
++# second in order to try to find the file.
++
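Review bot: the "%f" change in receive_mode.py narrows the collision window from one second to one microsecond but does not by itself make receive_mode_dir unique, since two requests that obtain the same datetime.now() still compute the same path; confirm that the code which creates that directory (outside this hunk) fails on an existing path rather than silently sharing it between uploads. Two further things cannot be checked from the visible lines: the nested file headers appear as "+--- a/..." followed by a bare "b/..." line, so verify that the "++++ b/..." lines survived in the uploaded file (quilt will not apply the patch otherwise), and the tests/GuiReceiveTest.py hunk is cut off right after the globbing comment, so the replacement lookup that the comment announces is not reviewable here.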