Bug#1023981: bullseye-pu: package onionshare/2.2-3+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
Following discussion with the Security Team about vulnerabilities in
onionshare (see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014966 ), I prepared a
patched version which backports upstream fixes for CVE-2022-21689 and CVE-2022-21690.
Moritz proposed we just use a point release for those instead of uploading
to bullseye-security, hence this request. The issues aren't that
critical and we are lagging already, so it can wait a few weeks more.
[ Impact ]
If the request isn't approved, I guess I'll ask Security Team to make it
a security upload.
[ Tests ]
I modified the tests in the code, and I did test the modified
functionality manually with a bullseye virtual machine.
[ Risks ]
Modifications are quite simple. The last relevant CVE referenced in the
bug above would mean a lot more work, and more risks (backporting a lot
of code, or actually upgrading stable to 2.5, which would imply upgrading
python-stem as well). Since it is considered an edge case, it's been
decided it would be ignored in bullseye (I intend to provide a backport
later for users who would be at risk otherwise).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Change debian-branch to debian/bullseye in d/gbp.conf (ignored for
dch)
* Backport upstream fix for CVE-2022-21690 by forcing PlainText in
QLabel
* Backport upstream fix for CVE-2022-21689 by using µsec in filenames
when receiving files
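An added example, not code from onionshare or from this Debian package, illustrating the directory-name collision the CVE-2022-21689 backport addresses. It reuses the two strftime formats that appear in the receive_mode.py hunk below and the second-precision glob lookup from the updated GuiReceiveTest; the arrival timestamps, the data_dir location and the "upload.bin" basename are constructed for the demonstration.

```python
import glob
import os
import tempfile
from datetime import datetime

# Constructed sample (not real OnionShare data): three uploads arriving
# within the same wall-clock second and a fourth one second later.
SAMPLE_ARRIVALS = [
    datetime(2022, 11, 12, 17, 23, 52, 104_221),
    datetime(2022, 11, 12, 17, 23, 52, 105_051),   # 830 microseconds later
    datetime(2022, 11, 12, 17, 23, 52, 987_004),
    datetime(2022, 11, 12, 17, 23, 53, 12),
]

SECOND_FORMAT = "%H.%M.%S"      # time_dir layout before the fix
MICRO_FORMAT = "%H.%M.%S.%f"    # layout after the fix; %f is 6-digit microseconds


def receive_dir(data_dir, now, time_format):
    """Build <data_dir>/<YYYY-MM-DD>/<time_dir> the way receive_mode.py
    derives the per-request directory from a timestamp."""
    date_dir = now.strftime("%Y-%m-%d")
    time_dir = now.strftime(time_format)
    return os.path.join(data_dir, date_dir, time_dir)


def collisions(arrivals, time_format, data_dir="data"):
    """Return {directory: [timestamps]} for every directory that more than
    one arrival maps to, i.e. the uploads that would clash on disk."""
    by_dir = {}
    for ts in arrivals:
        by_dir.setdefault(receive_dir(data_dir, ts, time_format), []).append(ts)
    return {d: ts for d, ts in by_dir.items() if len(ts) > 1}


def unique_dirs(arrivals, time_format):
    """Number of distinct directories the arrivals are spread over."""
    return len({receive_dir("data", ts, time_format) for ts in arrivals})


def find_received(data_dir, now, basename):
    """The lookup strategy of the updated GuiReceiveTest: the receiver's
    directory names carry microseconds the test cannot predict, so glob on
    the second-precision prefix and look inside each candidate directory."""
    prefix = receive_dir(data_dir, now, SECOND_FORMAT)
    for path in sorted(glob.glob(prefix + "*")):
        candidate = os.path.join(path, basename)
        if os.path.exists(candidate):
            return candidate
    return None


def demo(root=None):
    """Write one file per sample arrival using the fixed layout, then locate
    the first one the way the test does. Returns (created dirs, found path)."""
    root = root or tempfile.mkdtemp(prefix="onionshare-demo-")
    created = []
    for ts in SAMPLE_ARRIVALS:
        d = receive_dir(root, ts, MICRO_FORMAT)
        # exist_ok=False: a same-microsecond collision would surface here as
        # FileExistsError instead of two uploads silently sharing a directory.
        os.makedirs(d, exist_ok=False)
        with open(os.path.join(d, "upload.bin"), "wb") as fh:
            fh.write(b"constructed payload")
        created.append(d)
    return created, find_received(root, SAMPLE_ARRIVALS[0], "upload.bin")


if __name__ == "__main__":
    print("second precision     :", unique_dirs(SAMPLE_ARRIVALS, SECOND_FORMAT),
          "dirs,", len(collisions(SAMPLE_ARRIVALS, SECOND_FORMAT)), "collision(s)")
    print("microsecond precision:", unique_dirs(SAMPLE_ARRIVALS, MICRO_FORMAT),
          "dirs,", len(collisions(SAMPLE_ARRIVALS, MICRO_FORMAT)), "collision(s)")
    dirs, found = demo()
    print("found via second-prefix glob:", found)
```

With the second-precision layout the three same-second uploads map to one directory; with the microsecond layout each gets its own. The microsecond format narrows the window rather than closing it, which is why the demo creates directories with exist_ok=False so that a residual collision is an error rather than a silent merge.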
diff -Nru onionshare-2.2/debian/changelog onionshare-2.2/debian/changelog
--- onionshare-2.2/debian/changelog 2021-01-11 12:12:11.000000000 +0100
+++ onionshare-2.2/debian/changelog 2022-11-12 17:23:52.000000000 +0100
@@ -1,3 +1,10 @@
+onionshare (2.2-3+deb11u1) bullseye; urgency=medium
+
+ * Backport upstream fix for CVE-2022-21690
+ * Backport upstream fix for CVE-2022-21689
+
+ -- Clément Hermann <nodens@debian.org> Sat, 12 Nov 2022 17:23:52 +0100
+
onionshare (2.2-3) unstable; urgency=medium
[ Ulrike Uhlig ]
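Review bot: the two changelog entries name only the CVE identifiers; add the one-line summaries used in the [ Changes ] section of this request (forcing PlainText in the history QLabel, microsecond timestamps in receive-mode directory names) and a reference to the tracking bug #1014966, so the point-release history is self-explanatory. The d/gbp.conf debian-branch switch that is part of this same upload is also not recorded here, although the checklist states that all changes are documented in d/changelog.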
diff -Nru onionshare-2.2/debian/gbp.conf onionshare-2.2/debian/gbp.conf
--- onionshare-2.2/debian/gbp.conf 2020-08-29 19:03:20.000000000 +0200
+++ onionshare-2.2/debian/gbp.conf 2022-11-12 17:23:52.000000000 +0100
@@ -1,4 +1,4 @@
[DEFAULT]
pristine-tar = True
-debian-branch = debian/sid
+debian-branch = debian/bullseye
upstream-branch = master
diff -Nru onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff
--- onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff 1970-01-01 01:00:00.000000000 +0100
+++ onionshare-2.2/debian/patches/CVE-2022-21689-fix.diff 2022-11-12 17:23:52.000000000 +0100
@@ -0,0 +1,54 @@
+Description: Fix for CVE-2022-21689
+ Adapted from upstream https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
+
+use microseconds for timestamps in filename
+
+Origin: backport, https://github.com/onionshare/onionshare/commit/096178a9e6133fd6ca9d95a00a67bba75ccab377
+Bug-GitHub: https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc
+Last-Update: 2022-11-12
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
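Review bot: the DEP-3 header is malformed: the text "use microseconds for timestamps in filename" is separated from the Description: field by a blank line and is not indented with a leading space, so a DEP-3 parser treats the field paragraph as ended and drops that line. Either fold it into the Description line itself or indent it as a continuation (" use microseconds for timestamps in filename") and remove the blank lines between fields.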
+--- a/onionshare/web/receive_mode.py
++++ b/onionshare/web/receive_mode.py
+@@ -294,7 +294,7 @@
+ # Figure out what files should be saved
+ now = datetime.now()
+ date_dir = now.strftime("%Y-%m-%d")
+- time_dir = now.strftime("%H.%M.%S")
++ time_dir = now.strftime("%H.%M.%S.%f")
+ self.receive_mode_dir = os.path.join(
+ self.web.common.settings.get("data_dir"), date_dir, time_dir
+ )
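Review bot: the format change narrows the collision window from one second to one microsecond but does not remove it: two requests whose datetime.now() falls in the same microsecond still resolve to the same receive_mode_dir, and this hunk shows no handling of an already-existing directory. Confirm that the code path creating receive_mode_dir has a defined behaviour for that case (an explicit error or a unique suffix rather than two uploads silently sharing a directory), since a shared directory is the condition this backport is meant to avoid.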
+--- a/tests/GuiReceiveTest.py
++++ b/tests/GuiReceiveTest.py
+@@ -1,3 +1,4 @@
++import glob
+ import os
+ import requests
+ from datetime import datetime, timedelta
+@@ -50,17 +51,17 @@
+ now = datetime.now()
+ for i in range(10):
+ date_dir = now.strftime("%Y-%m-%d")
+- if identical_files_at_once:
+- time_dir = now.strftime("%H.%M.%S-1")
+- else:
+- time_dir = now.strftime("%H.%M.%S")
++ time_dir = now.strftime("%H.%M.%S")
+ receive_mode_dir = os.path.join(
+ self.gui.common.settings.get("data_dir"), date_dir, time_dir
+ )
+- expected_filename = os.path.join(receive_mode_dir, expected_basename)
+- if os.path.exists(expected_filename):
+- exists = True
+- break
++ # The directories have microseconds in the name, so we need
++ # to use globbing against directory names containing the same
++ # second in order to try to find the file.
++ for path in glob.glob(receive_mode_dir + "*"):
++ if os.path.exists(os.path.join(path, expected_basename)):
++ exists = True
++ break
+ now = now - timedelta(seconds=1)
+
+ self.assertTrue(exists)
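Review bot: the new inner break only leaves the glob loop, so once the file is found the outer for i in range(10) keeps stepping back nine more seconds and globbing again, whereas the removed code exited the whole search with a single break; add an "if exists: break" after the inner loop (or return on first match) to keep the early exit. Also, identical_files_at_once is no longer read in this block now that the "-1" suffix branch is gone; if nothing else uses it, drop the parameter, or better, have that test variant assert that the two same-second uploads ended up in two distinct microsecond-named directories, which is the behaviour the fix introduces.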
diff -Nru onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff
--- onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff 1970-01-01 01:00:00.000000000 +0100
+++ onionshare-2.2/debian/patches/CVE-2022-21690-fix.diff 2022-11-12 17:23:52.000000000 +0100
@@ -0,0 +1,22 @@
+Description: Fix for CVE-2022-21690
+
+Adapted from upstream https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0
+
+Force plaintext format for path parameter
+
+Origin: upstream, https://github.com/onionshare/onionshare/commit/8f1e7ac224e54f57e43321bba2c2f9fdb5143bb0
+
+Bug-GitHub: https://github.com/advisories/GHSA-ch22-x2v3-v6vq
+Last-Update: 2022-11-12
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
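Review bot: the Origin field says "upstream" while the Description says "Adapted from upstream" and the companion CVE-2022-21689 patch uses "backport" for the same situation; per DEP-3, "backport" is the value to use when the upstream commit was modified to apply to 2.2, so make the two patches consistent. The Description field has the same formatting problem as the other patch: "Adapted from upstream ..." and "Force plaintext format for path parameter" follow a blank line and are not indented, so they are not part of the field.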
+--- a/onionshare_gui/mode/history.py
++++ b/onionshare_gui/mode/history.py
+@@ -410,6 +410,7 @@
+ self.common.css["history_individual_file_timestamp_label"]
+ )
+ self.path_label = QtWidgets.QLabel("{}".format(self.path))
++ self.path_label.setTextFormat(QtCore.Qt.PlainText)
+ self.status_code_label = QtWidgets.QLabel()
+
+ # Progress bar
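Review bot: the added line references QtCore, but the hunk does not import it and the surrounding context only shows QtWidgets in use. Verify that history.py in the 2.2 tree already imports QtCore (for example via "from PyQt5 import QtCore, QtWidgets"), otherwise constructing this widget raises NameError at runtime. Calling setTextFormat(QtCore.Qt.PlainText) right after the QLabel constructor is otherwise the right place: with QLabel's default auto-detection a path that looks like markup would be rendered as rich text, which is what the patch description says it is preventing.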
diff -Nru onionshare-2.2/debian/patches/series onionshare-2.2/debian/patches/series
--- onionshare-2.2/debian/patches/series 2021-01-06 11:35:02.000000000 +0100
+++ onionshare-2.2/debian/patches/series 2022-11-12 17:23:52.000000000 +0100
@@ -1 +1,3 @@
+CVE-2022-21689-fix.diff
cryptodome.diff
+CVE-2022-21690-fix.diff
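Review bot: the two new patches bracket the existing cryptodome.diff instead of being appended after it. All three touch different files, so the order is functionally harmless, but backported security fixes are conventionally added at the end of the series so that the stable baseline patch applies first and later refreshes stay easy to review; move CVE-2022-21689-fix.diff below cryptodome.diff unless it genuinely has to apply before it.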