Bug#1014966: onionshare: CVE-2021-41867 CVE-2021-41868 CVE-2022-21688 CVE-2022-21689 CVE-2022-21690 CVE-2022-21691 CVE-2022-21692 CVE-2022-21693 CVE-2022-21694 CVE-2022-21695 CVE-2022-21696

[Clément Hermann]

Hi Salvatore,

Le 22/10/2022 à 13:49, Salvatore Bonaccorso a écrit :

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-41867
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
[1] https://security-tracker.debian.org/tracker/CVE-2021-41868
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41868
[2] https://security-tracker.debian.org/tracker/CVE-2022-21688
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21688
[3] https://security-tracker.debian.org/tracker/CVE-2022-21689
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21689
[4] https://security-tracker.debian.org/tracker/CVE-2022-21690
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21690
[5] https://security-tracker.debian.org/tracker/CVE-2022-21691
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21691
[6] https://security-tracker.debian.org/tracker/CVE-2022-21692
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21692
[7] https://security-tracker.debian.org/tracker/CVE-2022-21693
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21693
[8] https://security-tracker.debian.org/tracker/CVE-2022-21694
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21694
[9] https://security-tracker.debian.org/tracker/CVE-2022-21695
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21695
[10] https://security-tracker.debian.org/tracker/CVE-2022-21696
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21696
 From the reported list CVE-2021-41867 and CVE-2021-41868 were
addressed in 2.4 upstream. But the other seem yet unfixed in 2.5, even
though likely as well those who contain "has been patched in 2.5". I
have not found any indication that this there is really the case.

Any more insights OTOH from you on those?
According to onionshare 2.5 release notes [1], and to the 
vulnerabilities list on the github project [2], I'd say they were fixed.
All vulnerabilities are marked as affecting <2.4 since 2.5 release, and 
for instance for the username impersonation, it's been specified in the 
release notes that the security have been tightened on this front.

That said, I didn't check the code for every vuln individually, and I 
definitely could ask upstream for clarification/confirmation if you 
think it's necessary.



[1] https://github.com/onionshare/onionshare/releases/tag/v2.5
[2] https://github.com/onionshare/onionshare/security/advisories

Cheers,

--
nodens