mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-05-16 10:11:50 +02:00
Compare commits
5 commits
ab88027fa2
...
3df6a7d886
| Author | SHA1 | Date | |
|---|---|---|---|
| 3df6a7d886 | |||
|
77975a8e50 | ||
|
|
5b9e9c82fc | ||
|
|
f4fa1f87eb | ||
|
|
9f3fd48961 |
15 changed files with 109 additions and 28 deletions
2
.github/workflows/build.yml
vendored
2
.github/workflows/build.yml
vendored
|
|
@ -29,7 +29,7 @@ env:
|
||||||
jobs:
|
jobs:
|
||||||
build-dev-environment:
|
build-dev-environment:
|
||||||
name: "Build dev-env (${{ matrix.distro }}-${{ matrix.version }})"
|
name: "Build dev-env (${{ matrix.distro }}-${{ matrix.version }})"
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
include:
|
include:
|
||||||
|
|
|
||||||
23
.github/workflows/check_push.yml
vendored
Normal file
23
.github/workflows/check_push.yml
vendored
Normal file
|
|
@ -0,0 +1,23 @@
|
||||||
|
name: Check branch conformity
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- "test/**"
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
prevent-fixup-commits:
|
||||||
|
runs-on: ubuntu-24
|
||||||
|
env:
|
||||||
|
target: debian-bookworm
|
||||||
|
distro: debian
|
||||||
|
version: bookworm
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
- name: prevent fixup commits
|
||||||
|
run: |
|
||||||
|
git fetch origin
|
||||||
|
git status
|
||||||
|
git log --pretty=format:%s origin/main..HEAD | grep -ie '^fixup\|^wip' && exit 1 || true
|
||||||
8
.github/workflows/check_repos.yml
vendored
8
.github/workflows/check_repos.yml
vendored
|
|
@ -10,11 +10,15 @@ on:
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- "test/**"
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
install-from-apt-repo:
|
install-from-apt-repo:
|
||||||
name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}"
|
name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}"
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
container: ${{ matrix.distro }}:${{ matrix.version }}
|
container: ${{ matrix.distro }}:${{ matrix.version }}
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
|
|
@ -70,7 +74,7 @@ jobs:
|
||||||
|
|
||||||
install-from-yum-repo:
|
install-from-yum-repo:
|
||||||
name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}"
|
name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}"
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
container: ${{ matrix.distro }}:${{ matrix.version }}
|
container: ${{ matrix.distro }}:${{ matrix.version }}
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
|
|
|
||||||
14
.github/workflows/ci.yml
vendored
14
.github/workflows/ci.yml
vendored
|
|
@ -27,7 +27,7 @@ concurrency:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
run-lint:
|
run-lint:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
container:
|
container:
|
||||||
image: debian:bookworm
|
image: debian:bookworm
|
||||||
steps:
|
steps:
|
||||||
|
|
@ -78,7 +78,7 @@ jobs:
|
||||||
|
|
||||||
download-tessdata:
|
download-tessdata:
|
||||||
name: Download and cache Tesseract data
|
name: Download and cache Tesseract data
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
- name: Cache Tessdata
|
- name: Cache Tessdata
|
||||||
|
|
@ -183,7 +183,7 @@ jobs:
|
||||||
needs:
|
needs:
|
||||||
- build-container-image
|
- build-container-image
|
||||||
name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
|
name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
include:
|
include:
|
||||||
|
|
@ -250,8 +250,8 @@ jobs:
|
||||||
|
|
||||||
install-deb:
|
install-deb:
|
||||||
name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
|
name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
needs:
|
needs:
|
||||||
- build-deb
|
- build-deb
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
|
|
@ -305,7 +305,7 @@ jobs:
|
||||||
|
|
||||||
build-install-rpm:
|
build-install-rpm:
|
||||||
name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
|
name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
needs:
|
needs:
|
||||||
- build-container-image
|
- build-container-image
|
||||||
strategy:
|
strategy:
|
||||||
|
|
@ -377,7 +377,7 @@ jobs:
|
||||||
|
|
||||||
run-tests:
|
run-tests:
|
||||||
name: "run tests (${{ matrix.distro }} ${{ matrix.version }})"
|
name: "run tests (${{ matrix.distro }} ${{ matrix.version }})"
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
needs:
|
needs:
|
||||||
- build-container-image
|
- build-container-image
|
||||||
- download-tessdata
|
- download-tessdata
|
||||||
|
|
|
||||||
6
.github/workflows/close-issues.yml
vendored
6
.github/workflows/close-issues.yml
vendored
|
|
@ -2,10 +2,14 @@ name: Close inactive issues
|
||||||
on:
|
on:
|
||||||
schedule:
|
schedule:
|
||||||
- cron: "30 1 * * *"
|
- cron: "30 1 * * *"
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- "test/**"
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
close-issues:
|
close-issues:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
permissions:
|
permissions:
|
||||||
issues: write
|
issues: write
|
||||||
steps:
|
steps:
|
||||||
|
|
|
||||||
5
.github/workflows/scan.yml
vendored
5
.github/workflows/scan.yml
vendored
|
|
@ -3,6 +3,7 @@ on:
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
|
- "test/**"
|
||||||
pull_request:
|
pull_request:
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
||||||
|
|
@ -10,7 +11,7 @@ on:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
security-scan-container:
|
security-scan-container:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
@ -51,7 +52,7 @@ jobs:
|
||||||
severity-cutoff: critical
|
severity-cutoff: critical
|
||||||
|
|
||||||
security-scan-app:
|
security-scan-app:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
|
||||||
8
.github/workflows/scan_released.yml
vendored
8
.github/workflows/scan_released.yml
vendored
|
|
@ -1,5 +1,9 @@
|
||||||
name: Scan released app and container
|
name: Scan released app and container
|
||||||
on:
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- "test/**"
|
||||||
schedule:
|
schedule:
|
||||||
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
@ -9,7 +13,7 @@ jobs:
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
include:
|
include:
|
||||||
- runs-on: ubuntu-latest
|
- runs-on: ubuntu-24
|
||||||
arch: i686
|
arch: i686
|
||||||
# Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
|
# Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
|
||||||
# - runs-on: macos-latest
|
# - runs-on: macos-latest
|
||||||
|
|
@ -55,7 +59,7 @@ jobs:
|
||||||
severity-cutoff: critical
|
severity-cutoff: critical
|
||||||
|
|
||||||
security-scan-app:
|
security-scan-app:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-24
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
|
||||||
|
|
@ -5,7 +5,13 @@ All notable changes to this project will be documented in this file.
|
||||||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
|
||||||
since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||||
|
|
||||||
## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.8.0...HEAD)
|
## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.8.1...HEAD)
|
||||||
|
|
||||||
|
-
|
||||||
|
|
||||||
|
## [0.8.1](https://github.com/freedomofpress/dangerzone/compare/v0.8.1...0.8.0)
|
||||||
|
|
||||||
|
- Update the container image
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
||||||
## MacOS
|
## MacOS
|
||||||
|
|
||||||
- Download [Dangerzone 0.8.0 for Mac (Apple Silicon CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0-arm64.dmg)
|
- Download [Dangerzone 0.8.1 for Mac (Apple Silicon CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.1/Dangerzone-0.8.1-arm64.dmg)
|
||||||
- Download [Dangerzone 0.8.0 for Mac (Intel CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0-i686.dmg)
|
- Download [Dangerzone 0.8.1 for Mac (Intel CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.1/Dangerzone-0.8.1-i686.dmg)
|
||||||
|
|
||||||
You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `brew install --cask dangerzone`
|
You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `brew install --cask dangerzone`
|
||||||
|
|
||||||
|
|
@ -11,7 +11,7 @@ You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `bre
|
||||||
|
|
||||||
## Windows
|
## Windows
|
||||||
|
|
||||||
- Download [Dangerzone 0.8.0 for Windows](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0.msi)
|
- Download [Dangerzone 0.8.1 for Windows](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.1/Dangerzone-0.8.1.msi)
|
||||||
|
|
||||||
> **Note**: you will also need to install [Docker Desktop](https://www.docker.com/products/docker-desktop/).
|
> **Note**: you will also need to install [Docker Desktop](https://www.docker.com/products/docker-desktop/).
|
||||||
> This program needs to run alongside Dangerzone at all times, since it is what allows Dangerzone to
|
> This program needs to run alongside Dangerzone at all times, since it is what allows Dangerzone to
|
||||||
|
|
|
||||||
12
README.md
12
README.md
|
|
@ -14,13 +14,13 @@ _Read more about Dangerzone in the [official site](https://dangerzone.rocks/abou
|
||||||
|
|
||||||
Follow the instructions for each platform:
|
Follow the instructions for each platform:
|
||||||
|
|
||||||
* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.8.0//INSTALL.md#macos)
|
* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#macos)
|
||||||
* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.8.0//INSTALL.md#windows)
|
* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.8.1//INSTALL.md#windows)
|
||||||
* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#ubuntu-debian)
|
* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#ubuntu-debian)
|
||||||
* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#ubuntu-debian)
|
* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#ubuntu-debian)
|
||||||
* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#fedora)
|
* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#fedora)
|
||||||
* [Qubes OS (beta)](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#qubes-os)
|
* [Qubes OS (beta)](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#qubes-os)
|
||||||
* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#tails)
|
* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#tails)
|
||||||
|
|
||||||
## Some features
|
## Some features
|
||||||
|
|
||||||
|
|
|
||||||
6
debian/changelog
vendored
6
debian/changelog
vendored
|
|
@ -1,3 +1,9 @@
|
||||||
|
dangerzone (0.8.1) unstable; urgency=low
|
||||||
|
|
||||||
|
* Released Dangerzone 0.8.1
|
||||||
|
|
||||||
|
-- Freedom of the Press Foundation <info@freedom.press> Tue, 22 December 2024 22:03:28 +0300
|
||||||
|
|
||||||
dangerzone (0.8.0) unstable; urgency=low
|
dangerzone (0.8.0) unstable; urgency=low
|
||||||
|
|
||||||
* Released Dangerzone 0.8.0
|
* Released Dangerzone 0.8.0
|
||||||
|
|
|
||||||
33
docs/advisories/2024-12-24.md
Normal file
33
docs/advisories/2024-12-24.md
Normal file
|
|
@ -0,0 +1,33 @@
|
||||||
|
Security Advisory 2024-12-24
|
||||||
|
|
||||||
|
In Dangerzone, a security vulnerability was detected in the quarantined
|
||||||
|
environment where documents are opened. Vulnerabilities like this are expected
|
||||||
|
and do not compromise the security of Dangerzone. However, in combination with
|
||||||
|
another more serious vulnerability (also called container escape), a malicious
|
||||||
|
document may be able to breach the security of Dangerzone. We are not aware of
|
||||||
|
any container escapes that affect Dangerzone. **To reduce that risk, you are
|
||||||
|
strongly advised to update Dangerzone to the latest version**.
|
||||||
|
|
||||||
|
# Summary
|
||||||
|
|
||||||
|
A series of vulnerabilities in gst-plugins-base (CVE-2024-47538, CVE-2024-47607
|
||||||
|
and CVE-2024-47615) affects the **contained** environment where the document
|
||||||
|
rendering takes place.
|
||||||
|
|
||||||
|
If one attempts to convert a malicious file with an embedded Vorbis or Opus
|
||||||
|
media elements, arbitrary code may run within that environment. Such files
|
||||||
|
look like regular Office documents, which means that you cannot avoid a specific
|
||||||
|
extension. Other programs that open Office documents, such as LibreOffice, are
|
||||||
|
also affected, unless the system has been upgraded in the meantime.
|
||||||
|
|
||||||
|
# How does this impact me?
|
||||||
|
|
||||||
|
The expectation is that malicious code will run in a container without Internet
|
||||||
|
access, meaning that it won't be able to infect the rest of the system.
|
||||||
|
|
||||||
|
If you are running Dangerzone via the Qubes OS, you are not impacted.
|
||||||
|
|
||||||
|
# What do I need to do?
|
||||||
|
|
||||||
|
You are **strongly** advised to update your Dangerzone installation to 0.8.1 as
|
||||||
|
soon as possible.
|
||||||
|
|
@ -32,7 +32,7 @@ Name: dangerzone-qubes
|
||||||
Name: dangerzone
|
Name: dangerzone
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
Version: 0.8.0
|
Version: 0.8.1
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
|
Summary: Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
[tool.poetry]
|
[tool.poetry]
|
||||||
name = "dangerzone"
|
name = "dangerzone"
|
||||||
version = "0.8.0"
|
version = "0.8.1"
|
||||||
description = "Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs"
|
description = "Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs"
|
||||||
authors = ["Freedom of the Press Foundation <info@freedom.press>", "Micah Lee <micah.lee@theintercept.com>"]
|
authors = ["Freedom of the Press Foundation <info@freedom.press>", "Micah Lee <micah.lee@theintercept.com>"]
|
||||||
license = "AGPL-3.0"
|
license = "AGPL-3.0"
|
||||||
|
|
|
||||||
|
|
@ -1 +1 @@
|
||||||
0.8.0
|
0.8.1
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue