Merge 178364e3a7 into 77975a8e50

.github/workflows/release-container-image.yml

@@ -0,0 +1,56 @@
+# This action listens on new tags, generates a new container image
+# sign it and upload it to the container registry.
+
+name: Release container image
+on:
+  push:
+    tags:
+      - "container-image/**"
+    branches:
+      - "test/image-**"
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  packages: write
+  contents: read
+  attestations: write
+
+env:
+  REGISTRY: ghcr.io/${{ github.repository_owner }}
+  REGISTRY_USER: ${{ github.actor }}
+  REGISTRY_PASSWORD: ${{ github.token }}
+  IMAGE_NAME: dangerzone/dangerzone
+
+jobs:
+  build-container-image:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: USERNAME
+          password: ${{ github.token }}
+
+      - name: Build and push the dangerzone image
+        id: build-image
+        run: |
+          sudo apt-get install -y python3-poetry
+          python3 ./install/common/build-image.py
+          echo ${{ github.token }} | podman login ghcr.io -u USERNAME --password-stdin
+
+          # Load the image with the final name directly
+          gunzip -c share/container.tar.gz | podman load
+          FINAL_IMAGE_NAME="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
+          podman tag dangerzone.rocks/dangerzone "$FINAL_IMAGE_NAME"
+          podman push "$FINAL_IMAGE_NAME" --digestfile=digest
+          echo "digest=$(cat digest)" >> "$GITHUB_OUTPUT"
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: "${{ steps.build-image.outputs.digest }}"
+          push-to-registry: true

CHANGELOG.md

@@ -5,7 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.8.0...HEAD)
+## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.8.1...HEAD)
+
+- 
+
+## [0.8.1](https://github.com/freedomofpress/dangerzone/compare/v0.8.1...0.8.0)
+
+- Update the container image
 
 ### Added
 

INSTALL.md

@@ -1,7 +1,7 @@
 ## MacOS
 
-- Download [Dangerzone 0.8.0 for Mac (Apple Silicon CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0-arm64.dmg)
+- Download [Dangerzone 0.8.1 for Mac (Apple Silicon CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.1/Dangerzone-0.8.1-arm64.dmg)
-- Download [Dangerzone 0.8.0 for Mac (Intel CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0-i686.dmg)
+- Download [Dangerzone 0.8.1 for Mac (Intel CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.1/Dangerzone-0.8.1-i686.dmg)
 
 You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `brew install --cask dangerzone`
 
@@ -11,7 +11,7 @@ You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `bre
 
 ## Windows
 
-- Download [Dangerzone 0.8.0 for Windows](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0.msi)
+- Download [Dangerzone 0.8.1 for Windows](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.1/Dangerzone-0.8.1.msi)
 
 > **Note**: you will also need to install [Docker Desktop](https://www.docker.com/products/docker-desktop/).
 > This program needs to run alongside Dangerzone at all times, since it is what allows Dangerzone to

README.md

@@ -14,13 +14,13 @@ _Read more about Dangerzone in the [official site](https://dangerzone.rocks/abou
 
 Follow the instructions for each platform:
 
-* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.8.0//INSTALL.md#macos)
+* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#macos)
-* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.8.0//INSTALL.md#windows)
+* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.8.1//INSTALL.md#windows)
-* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#ubuntu-debian)
+* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#ubuntu-debian)
-* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#ubuntu-debian)
+* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#ubuntu-debian)
-* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#fedora)
+* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#fedora)
 * [Qubes OS (beta)](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#qubes-os)
-* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#tails)
+* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#tails)
 
 ## Some features
 

debian/changelog

@@ -1,3 +1,9 @@
+dangerzone (0.8.1) unstable; urgency=low
+
+  * Released Dangerzone 0.8.1
+
+ -- Freedom of the Press Foundation   <info@freedom.press>  Tue, 22 December 2024 22:03:28 +0300
+
 dangerzone (0.8.0) unstable; urgency=low
 
   * Released Dangerzone 0.8.0

docs/advisories/2024-12-24.md

@@ -0,0 +1,33 @@
+Security Advisory 2024-12-24
+
+In Dangerzone, a security vulnerability was detected in the quarantined
+environment where documents are opened. Vulnerabilities like this are expected
+and do not compromise the security of Dangerzone. However, in combination with
+another more serious vulnerability (also called container escape), a malicious
+document may be able to breach the security of Dangerzone. We are not aware of
+any container escapes that affect Dangerzone. **To reduce that risk, you are
+strongly advised to update Dangerzone to the latest version**.
+
+# Summary
+
+A series of vulnerabilities in gst-plugins-base (CVE-2024-47538, CVE-2024-47607
+and CVE-2024-47615) affects the **contained** environment where the document
+rendering takes place.
+
+If one attempts to convert a malicious file with an embedded Vorbis or Opus
+media elements,  arbitrary code may run within that environment. Such files
+look like regular Office documents, which means that you cannot avoid a specific
+extension. Other programs that open Office documents, such as LibreOffice, are
+also affected, unless the system has been upgraded in the meantime.
+
+# How does this impact me?
+
+The expectation is that malicious code will run in a container without Internet
+access, meaning that it won't be able to infect the rest of the system.
+
+If you are running Dangerzone via the Qubes OS, you are not impacted.
+
+# What do I need to do?
+
+You are **strongly** advised to update your Dangerzone installation to 0.8.1 as
+soon as possible.

install/linux/dangerzone.spec

@@ -32,7 +32,7 @@ Name:           dangerzone-qubes
 Name:           dangerzone
 %endif
 
-Version:        0.8.0
+Version:        0.8.1
 Release:        1%{?dist}
 Summary:        Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
 

pyproject.toml

@@ -1,6 +1,6 @@
     [tool.poetry]
 name = "dangerzone"
-version = "0.8.0"
+version = "0.8.1"
 description = "Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs"
 authors = ["Freedom of the Press Foundation <info@freedom.press>", "Micah Lee <micah.lee@theintercept.com>"]
 license = "AGPL-3.0"

share/version.txt

@@ -1 +1 @@
-0.8.0
+0.8.1