Bug 1191311 - (CVE-2021-41867) VUL-0: CVE-2021-41867: python-onionshare: An information disclosure vulnerability allows remote unauthenticated attackers to retrieve the full list of participants of a non-public OnionShare node via the --chat feature
Status: IN_PROGRESS
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.2
Priority: P3 - Medium
Severity: Minor
Assigned To: Marcus Meissner
Security Team bot
https://smash.suse.de/issue/311695/
Reported: 2021-10-05 07:08 UTC by Robert Frohl
Modified: 2021-10-23 16:24 UTC
Found By: Security Response Team
axel.braun: needinfo? (meissner)


Description Robert Frohl 2021-10-05 07:08:17 UTC
CVE-2021-41867

An information disclosure vulnerability in OnionShare 2.3 before 2.4 allows
remote unauthenticated attackers to retrieve the full list of participants of a
non-public OnionShare node via the --chat feature.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41867
https://github.com/onionshare/onionshare/compare/v2.3.3...v2.4
https://www.ihteam.net/advisory/onionshare/
Comment 1 Axel Braun 2021-10-05 08:35:32 UTC
I have upgraded Onionshare in https://build.opensuse.org/package/show/home:DocB:branches:devel:languages:python/python-onionshare to 2.4 already.

However, before submitting this to Leap 15.2 it would require a couple of python packages as well to be upgraded.
Please advise
Comment 2 Robert Frohl 2021-10-05 09:01:17 UTC
(In reply to Axel Braun from comment #1)
> I have upgraded Onionshare in
> https://build.opensuse.org/package/show/home:DocB:branches:devel:languages:python/python-onionshare
> to 2.4 already.
> 
> However, before submitting this to Leap 15.2 it would require a couple of
> python packages as well to be upgraded.
> Please advise

I would say as Leap 15.2 is end of life soon, maybe it would be enough to update for 15.3.

Do the same dependency problems exist there too?
Comment 5 Axel Braun 2021-10-05 11:03:59 UTC
(In reply to Robert Frohl from comment #2)

> I would say as Leap 15.2 is end of life soon, maybe it would be enough to
> update for 15.3.
> 
> Do the same dependency problems exist there too ?

For the most part, yes.
Comment 6 Robert Frohl 2021-10-05 13:08:48 UTC
(In reply to Axel Braun from comment #5)
> (In reply to Robert Frohl from comment #2)
> 
> > I would say as Leap 15.2 is end of life soon, maybe it would be enough to
> > update for 15.3.
> > 
> > Do the same dependency problems exist there too ?
> 
> For the most part, yes.

The current build seems to have succeeded for Leap 15.2 [0]. This suggests to me that there might be some flakiness with the python dependencies?

[0] https://build.opensuse.org/package/show/devel:languages:python/python-onionshare
Comment 7 Axel Braun 2021-10-05 16:26:47 UTC
(In reply to Robert Frohl from comment #6)
 
> The current build seems to have succeeded for Leap 15.2 [0]. This suggests to
> me that there might be some flakiness with the python dependencies?
> 
> [0]
> https://build.opensuse.org/package/show/devel:languages:python/python-onionshare

Strange - in my local branch it fails for all Leap due to missing dependencies. At least the error for Leap 15.3 is consistent with my branch.
Comment 8 Axel Braun 2021-10-06 13:02:39 UTC
I have onionshare now building, testing and running on Leap 15.3

If I'm not mistaken we have to update the following packages to get it running:

drwxr-xr-x 3 docb users  101 14. Sep 12:17 python-bidict
drwxr-xr-x 3 docb users  148 26. Mai 09:18 python-Flask-SocketIO
drwxr-xr-x 3 docb users  228 27. Jul 11:36 python-hypothesis
drwxr-xr-x 3 docb users  128  5. Okt 14:09 python-iniconfig
drwxr-xr-x 3 docb users  166  6. Okt 14:58 python-onionshare
drwxr-xr-x 3 docb users  165  5. Okt 14:09 python-packaging
drwxr-xr-x 3 docb users  128  5. Okt 14:09 python-py
drwxr-xr-x 3 docb users  119  5. Okt 14:09 python-pytest
drwxr-xr-x 3 docb users  130  6. Okt 12:33 python-pytest-xvfb
drwxr-xr-x 3 docb users  127 26. Mai 09:12 python-python-engineio
drwxr-xr-x 3 docb users  127  6. Okt 12:57 python-python-socketio
drwxr-xr-x 3 docb users  128  6. Okt 11:54 python-PyVirtualDisplay
drwxr-xr-x 3 docb users  166 27. Jul 11:36 python-rpm-macros
drwxr-xr-x 3 docb users  247  5. Okt 14:09 python-setuptools
drwxr-xr-x 3 docb users  109  6. Okt 12:32 python-vncdotool

Will you check with the maintenance team if this is feasible?
Otherwise onionshare needs to stay on version 2.2
Comment 9 Marcus Meissner 2021-10-07 09:48:53 UTC
this is quite a list, also most come from SLES :(

do you have lists of package - minimum version?

I would however think with only 3 months left of lifetime we can perhaps ignore it
Comment 10 Axel Braun 2021-10-07 18:54:36 UTC
(In reply to Marcus Meissner from comment #9)

> I would however think with only 3 months left of lifetime we can perhaps
> ignore it

The list is for Leap 15.3  - I agree re. your statement about 15.2

onionshare fails in testing with an 'internal error', see 
https://lists.opensuse.org/archives/list/python@lists.opensuse.org/thread/IDZFNHLZQCYO4WFPBOUQ7J35XVOPSBNM/

After some investigation I could reduce it to these packages:
For building:
python-pytest-xvfb 2.0.0
python-PyVirtualDisplay >= 0.3  (version 2.1 used, Py3 only)
python-vncdotool >= 0.13.0 (version 1.0.0 used)

to run it afterwards:
python-python-socketio
python-Flask-SocketIO
python-setuptools (to build Flask-SocketIO)
python-bidict
python-engineio

See: https://build.opensuse.org/project/show/home:DocB:python
Comment 11 Axel Braun 2021-10-13 08:47:59 UTC
Hello Marcus, please advise how to proceed.
onionshare received a major rewrite in version 2.3, thus the additional python modules.