
Bug#1023981: marked as done (bullseye-pu: package onionshare/2.2-3+deb11u1)



Your message dated Sat, 17 Dec 2022 10:57:10 +0000
with message-id <03e9b90cf2f149b9e2835590c9ec0ccb048b744d.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 11.6
has caused the Debian Bug report #1023981,
regarding bullseye-pu: package onionshare/2.2-3+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1023981: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023981
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu


[ Reason ]
Following discussion with Security Team about vulnerabilities in
onionshare (see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014966 ), I prepared a
patched version which backports upstream fixes for CVE-2022-21689 and CVE-2022-21690.

Moritz proposed we just use point release for those instead of uploading
to bullseye-security, hence this request. The issues aren't that
critical and we are lagging already, so it can wait a few weeks more.

[ Impact ]

If the request isn't approved, I guess I'll ask Security Team to make it
a security upload.

[ Tests ]
I modified the tests in the code, and I did test the modified
functionality manually with a bullseye virtual machine.

[ Risks ]
Modifications are quite simple. The last relevant CVE referenced in the
bug above would mean a lot more work, and more risks (backporting a lot
of code, or actually upgrading stable to 2.5, which would imply upgrading
python-stem as well). Since it is considered an edge case, it's been
decided it would be ignored in bullseye (I intend to provide a backport
later for users who would be at risk otherwise).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
   * Change debian-branch to debian/bullseye in d/gbp.conf (ignored for
     dch)
   * Backport upstream fix for CVE-2022-21690 by forcing PlainText in
     QLabel
   * Backport upstream fix for CVE-2022-21689 by using µsec in filenames
     when receiving files
diff -Nru onionshare-2.2/debian/changelog onionshare-2.2/debian/changelog
--- onionshare-2.2/debian/changelog	2021-01-11 12:12:11.000000000 +0100
+++ onionshare-2.2/debian/changelog	2022-11-12 17:23:52.000000000 +0100
@@ -1,3 +1,10 @@
+onionshare (2.2-3+deb11u1) bullseye; urgency=medium
+
+  * Backport upstream fix for CVE-2022-21690
+  * Backport upstream fix for CVE-2022-21689
+
+ -- Clément Hermann <nodens@debian.org>  Sat, 12 Nov 2022 17:23:52 +0100
+
 onionshare (2.2-3) unstable; urgency=medium
 
   [ Ulrike Uhlig ]
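Review bot: the two changelog entries name the CVEs but do not reference the Debian bug that tracked them (#1014966, cited in the request); if this upload is meant to resolve that bug, a `(Closes: #1014966)` tag on the relevant entry lets the BTS record it, and otherwise a plain `See #1014966` keeps the link discoverable from the changelog.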
diff -Nru onionshare-2.2/debian/gbp.conf onionshare-2.2/debian/gbp.conf
--- onionshare-2.2/debian/gbp.conf	2020-08-29 19:03:20.000000000 +0200
+++ onionshare-2.2/debian/gbp.conf	2022-11-12 17:23:52.000000000 +0100
@@ -1,4 +1,4 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/sid
+debian-branch = debian/bullseye
 upstream-branch = master
diff -Nru onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff
--- onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff	1970-01-01 01:00:00.000000000 +0100
+++ onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff	2022-11-12 17:23:52.000000000 +0100
@@ -0,0 +1,54 @@
+Description: Fix for CVE-2022-21689
+ Adapted from upstream https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
+
+use microseconds for timestamps in filename
+
+Origin: backport, https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
+Bug-GitHub: https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc
+Last-Update: 2022-11-12
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/onionshare/web/receive_mode.py
++++ b/onionshare/web/receive_mode.py
+@@ -294,7 +294,7 @@
+             # Figure out what files should be saved
+             now = datetime.now()
+             date_dir = now.strftime("%Y-%m-%d")
+-            time_dir = now.strftime("%H.%M.%S")
++            time_dir = now.strftime("%H.%M.%S.%f")
+             self.receive_mode_dir = os.path.join(
+                 self.web.common.settings.get("data_dir"), date_dir, time_dir
+             )
+--- a/tests/GuiReceiveTest.py
++++ b/tests/GuiReceiveTest.py
+@@ -1,3 +1,4 @@
++import glob
+ import os
+ import requests
+ from datetime import datetime, timedelta
+@@ -50,17 +51,17 @@
+         now = datetime.now()
+         for i in range(10):
+             date_dir = now.strftime("%Y-%m-%d")
+-            if identical_files_at_once:
+-                time_dir = now.strftime("%H.%M.%S-1")
+-            else:
+-                time_dir = now.strftime("%H.%M.%S")
++            time_dir = now.strftime("%H.%M.%S")
+             receive_mode_dir = os.path.join(
+                 self.gui.common.settings.get("data_dir"), date_dir, time_dir
+             )
+-            expected_filename = os.path.join(receive_mode_dir, expected_basename)
+-            if os.path.exists(expected_filename):
+-                exists = True
+-                break
++            # The directories have microseconds in the name, so we need
++            # to use globbing against directory names containing the same
++            # second in order to try to find the file.
++            for path in glob.glob(receive_mode_dir + "*"):
++                if os.path.exists(os.path.join(path, expected_basename)):
++                    exists = True
++                    break
+             now = now - timedelta(seconds=1)
+
+         self.assertTrue(exists)
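Review bot: the receive_mode.py change only lengthens the timestamp, and nothing in the visible lines checks whether `self.receive_mode_dir` already exists before it is used, so two uploads starting in the same microsecond would still share a directory; worth confirming that the code just below this hunk creates the directory with a collision-safe call (or that the upstream commit carried no further change) before relying on `%f` alone. In the test hunk, the `identical_files_at_once` branch is removed but the parameter presumably stays in the method signature; if nothing else uses it, drop it, and note that the removed branch was the only place the simultaneous-upload case was exercised. The `glob.glob(receive_mode_dir + "*")` lookup also assumes `data_dir` contains no glob metacharacters; `glob.escape(receive_mode_dir) + "*"` avoids that assumption.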
diff -Nru onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff
--- onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff	1970-01-01 01:00:00.000000000 +0100
+++ onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff	2022-11-12 17:23:52.000000000 +0100
@@ -0,0 +1,22 @@
+Description: Fix for CVE-2022-21690
+
+Adapted from upstream https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0
+
+Force plaintext format for path parameter
+
+Origin: upstream, https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0
+
+Bug-GitHub: https://github.com/advisories/GHSA-ch22-x2v3-v6vq
+Last-Update: 2022-11-12
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/onionshare_gui/mode/history.py
++++ b/onionshare_gui/mode/history.py
+@@ -410,6 +410,7 @@
+             self.common.css["history_individual_file_timestamp_label"]
+         )
+         self.path_label = QtWidgets.QLabel("{}".format(self.path))
++        self.path_label.setTextFormat(QtCore.Qt.PlainText)
+         self.status_code_label = QtWidgets.QLabel()
+
+         # Progress bar
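Review bot: `QtCore.Qt.PlainText` requires `QtCore` to be imported in onionshare_gui/mode/history.py, and this hunk adds no import, so check that the file's existing imports already cover it. The DEP-3 header also says `Origin: upstream` while the Description says the patch was adapted; the CVE-2022-21689 patch uses `Origin: backport` for the same situation, so the two headers should agree.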
diff -Nru onionshare-2.2/debian/patches/series onionshare-2.2/debian/patches/series
--- onionshare-2.2/debian/patches/series	2021-01-06 11:35:02.000000000 +0100
+++ onionshare-2.2/debian/patches/series	2022-11-12 17:23:52.000000000 +0100
@@ -1 +1,3 @@
+CVE-2022-21689-fix.diff
 cryptodome.diff
+CVE-2022-21690-fix.diff
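Review bot: the two new entries bracket the existing cryptodome.diff rather than following it; unless the ordering is deliberate, appending both CVE patches after cryptodome.diff keeps the series in the order the patches were added and makes the next rebase easier to follow.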

--- End Message ---
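Added example, not OnionShare's code nor part of the bug report: Python that reproduces the receive-mode directory naming the CVE-2022-21689 backport above changes, shows two receives in the same second colliding under the old format but not the new one, and adds an assumed collision-safe `makedirs` variant (`make_unique_receive_dir`, not upstream's) for the residual same-microsecond case.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Constructed example (not OnionShare's code): receive-mode directory naming
# before and after the CVE-2022-21689 backport, plus a collision-safe variant.
OLD_FORMAT = "%H.%M.%S"      # before the fix: one directory per second
NEW_FORMAT = "%H.%M.%S.%f"   # backported fix: microsecond resolution


def receive_dir(data_dir, now, fmt=NEW_FORMAT):
    """Directory an upload that started at `now` is saved into."""
    return os.path.join(data_dir, now.strftime("%Y-%m-%d"), now.strftime(fmt))


def collides(fmt, t1, t2):
    """True if uploads starting at t1 and t2 would be written to one directory."""
    return receive_dir("/data", t1, fmt) == receive_dir("/data", t2, fmt)


def make_unique_receive_dir(data_dir, now):
    """Assumed defensive variant, not upstream's: create the directory
    atomically and add a numbered suffix on collision, so even two uploads in
    the same microsecond cannot end up in the same directory."""
    base = candidate = receive_dir(data_dir, now)
    suffix = 0
    while True:
        try:
            os.makedirs(candidate, exist_ok=False)  # raises if it already exists
            return candidate
        except FileExistsError:
            suffix += 1
            candidate = f"{base}-{suffix}"


def demo():
    """Two uploads one microsecond apart: same dir under the old format, distinct
    under the new one, and distinct even at an identical timestamp when using
    the collision-safe helper."""
    t1 = datetime(2022, 11, 12, 17, 23, 52, 0)
    t2 = t1 + timedelta(microseconds=1)
    with tempfile.TemporaryDirectory() as tmp:
        first = make_unique_receive_dir(tmp, t1)
        second = make_unique_receive_dir(tmp, t1)  # identical timestamp on purpose
        return collides(OLD_FORMAT, t1, t2), collides(NEW_FORMAT, t1, t2), first != second


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```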
--- Begin Message ---
Package: release.debian.org
Version: 11.6

Hi,

Each of the updates referred to in these requests was included in this
morning's 11.6 point release.

Regards,

Adam

--- End Message ---
