Merge 9f3fd48961 into 77975a8e50

.github/workflows/build.yml

@@ -29,7 +29,7 @@ env:
 jobs:
   build-dev-environment:
     name: "Build dev-env (${{ matrix.distro }}-${{ matrix.version }})"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     strategy:
       matrix:
         include:

.github/workflows/check_push.yml

@@ -0,0 +1,23 @@
+name: Check branch conformity
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - "test/**"
+
+jobs:
+  prevent-fixup-commits:
+      runs-on: ubuntu-24
+      env:
+        target: debian-bookworm
+        distro: debian
+        version: bookworm
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v4
+        - name: prevent fixup commits
+          run: |
+            git fetch origin
+            git status
+            git log --pretty=format:%s origin/main..HEAD | grep -ie '^fixup\|^wip' && exit 1 || true

.github/workflows/check_repos.yml

@@ -10,11 +10,15 @@ on:
   schedule:
     - cron: '0 0 * * *' # Run every day at 00:00 UTC.
   workflow_dispatch:
+  push:
+    branches:
+      - main
+      - "test/**"
 
 jobs:
   install-from-apt-repo:
     name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     container: ${{ matrix.distro }}:${{ matrix.version }}
     strategy:
       matrix:
@@ -70,7 +74,7 @@ jobs:
 
   install-from-yum-repo:
     name: "Install Dangerzone on ${{ matrix.distro}} ${{ matrix.version }}"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     container: ${{ matrix.distro }}:${{ matrix.version }}
     strategy:
       matrix:

.github/workflows/ci.yml

@@ -27,7 +27,7 @@ concurrency:
 
 jobs:
   run-lint:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     container:
       image: debian:bookworm
     steps:
@@ -78,7 +78,7 @@ jobs:
 
   download-tessdata:
     name: Download and cache Tesseract data
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     steps:
     - uses: actions/checkout@v4
     - name: Cache Tessdata
@@ -183,7 +183,7 @@ jobs:
     needs:
       - build-container-image
     name: "build-deb (${{ matrix.distro }} ${{ matrix.version }})"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     strategy:
       matrix:
         include:
@@ -250,8 +250,8 @@ jobs:
 
   install-deb:
     name: "install-deb (${{ matrix.distro }} ${{ matrix.version }})"
-    runs-on: ubuntu-latest
-    needs:
+    runs-on: ubuntu-24
+    needs: 
       - build-deb
     strategy:
       matrix:
@@ -305,7 +305,7 @@ jobs:
 
   build-install-rpm:
     name: "build-install-rpm (${{ matrix.distro }} ${{matrix.version}})"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     needs:
       - build-container-image
     strategy:
@@ -377,7 +377,7 @@ jobs:
 
   run-tests:
     name: "run tests (${{ matrix.distro }} ${{ matrix.version }})"
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     needs:
       - build-container-image
       - download-tessdata

.github/workflows/close-issues.yml

@@ -2,10 +2,14 @@ name: Close inactive issues
 on:
   schedule:
     - cron: "30 1 * * *"
+  push:
+    branches:
+      - main
+      - "test/**"
 
 jobs:
   close-issues:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     permissions:
       issues: write
     steps:

.github/workflows/scan.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - main
+      - "test/**"
   pull_request:
   schedule:
     - cron: '0 0 * * *' # Run every day at 00:00 UTC.
@@ -10,7 +11,7 @@ on:
 
 jobs:
   security-scan-container:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -51,7 +52,7 @@ jobs:
           severity-cutoff: critical
 
   security-scan-app:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     steps:
       - name: Checkout
         uses: actions/checkout@v4

.github/workflows/scan_released.yml

@@ -1,5 +1,9 @@
 name: Scan released app and container
 on:
+  push:
+    branches:
+      - main
+      - "test/**"
   schedule:
     - cron: '0 0 * * *' # Run every day at 00:00 UTC.
   workflow_dispatch:
@@ -9,7 +13,7 @@ jobs:
     strategy:
       matrix:
         include:
-          - runs-on: ubuntu-latest
+          - runs-on: ubuntu-24
             arch: i686
           # Do not scan Silicon mac for now to avoid masking release scan results for other plaforms.
           # - runs-on: macos-latest
@@ -55,7 +59,7 @@ jobs:
           severity-cutoff: critical
 
   security-scan-app:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24
     steps:
       - name: Checkout
         uses: actions/checkout@v4

CHANGELOG.md

@@ -5,7 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.8.0...HEAD)
+## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.8.1...HEAD)
+
+- 
+
+## [0.8.1](https://github.com/freedomofpress/dangerzone/compare/v0.8.1...0.8.0)
+
+- Update the container image
 
 ### Added
 

INSTALL.md

@@ -1,7 +1,7 @@
 ## MacOS
 
-- Download [Dangerzone 0.8.0 for Mac (Apple Silicon CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0-arm64.dmg)
-- Download [Dangerzone 0.8.0 for Mac (Intel CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0-i686.dmg)
+- Download [Dangerzone 0.8.1 for Mac (Apple Silicon CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.1/Dangerzone-0.8.1-arm64.dmg)
+- Download [Dangerzone 0.8.1 for Mac (Intel CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.1/Dangerzone-0.8.1-i686.dmg)
 
 You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `brew install --cask dangerzone`
 
@@ -11,7 +11,7 @@ You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `bre
 
 ## Windows
 
-- Download [Dangerzone 0.8.0 for Windows](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.0/Dangerzone-0.8.0.msi)
+- Download [Dangerzone 0.8.1 for Windows](https://github.com/freedomofpress/dangerzone/releases/download/v0.8.1/Dangerzone-0.8.1.msi)
 
 > **Note**: you will also need to install [Docker Desktop](https://www.docker.com/products/docker-desktop/).
 > This program needs to run alongside Dangerzone at all times, since it is what allows Dangerzone to

README.md

@@ -14,13 +14,13 @@ _Read more about Dangerzone in the [official site](https://dangerzone.rocks/abou
 
 Follow the instructions for each platform:
 
-* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.8.0//INSTALL.md#macos)
-* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.8.0//INSTALL.md#windows)
-* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#ubuntu-debian)
-* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#ubuntu-debian)
-* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#fedora)
+* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#macos)
+* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.8.1//INSTALL.md#windows)
+* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#ubuntu-debian)
+* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#ubuntu-debian)
+* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#fedora)
 * [Qubes OS (beta)](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#qubes-os)
-* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#tails)
+* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#tails)
 
 ## Some features
 

debian/changelog

@@ -1,3 +1,9 @@
+dangerzone (0.8.1) unstable; urgency=low
+
+  * Released Dangerzone 0.8.1
+
+ -- Freedom of the Press Foundation   <info@freedom.press>  Tue, 22 December 2024 22:03:28 +0300
+
 dangerzone (0.8.0) unstable; urgency=low
 
   * Released Dangerzone 0.8.0

docs/advisories/2024-12-24.md

@@ -0,0 +1,33 @@
+Security Advisory 2024-12-24
+
+In Dangerzone, a security vulnerability was detected in the quarantined
+environment where documents are opened. Vulnerabilities like this are expected
+and do not compromise the security of Dangerzone. However, in combination with
+another more serious vulnerability (also called container escape), a malicious
+document may be able to breach the security of Dangerzone. We are not aware of
+any container escapes that affect Dangerzone. **To reduce that risk, you are
+strongly advised to update Dangerzone to the latest version**.
+
+# Summary
+
+A series of vulnerabilities in gst-plugins-base (CVE-2024-47538, CVE-2024-47607
+and CVE-2024-47615) affects the **contained** environment where the document
+rendering takes place.
+
+If one attempts to convert a malicious file with an embedded Vorbis or Opus
+media elements,  arbitrary code may run within that environment. Such files
+look like regular Office documents, which means that you cannot avoid a specific
+extension. Other programs that open Office documents, such as LibreOffice, are
+also affected, unless the system has been upgraded in the meantime.
+
+# How does this impact me?
+
+The expectation is that malicious code will run in a container without Internet
+access, meaning that it won't be able to infect the rest of the system.
+
+If you are running Dangerzone via the Qubes OS, you are not impacted.
+
+# What do I need to do?
+
+You are **strongly** advised to update your Dangerzone installation to 0.8.1 as
+soon as possible.

install/linux/dangerzone.spec

@@ -32,7 +32,7 @@ Name:           dangerzone-qubes
 Name:           dangerzone
 %endif
 
-Version:        0.8.0
+Version:        0.8.1
 Release:        1%{?dist}
 Summary:        Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
 

pyproject.toml

@@ -1,6 +1,6 @@
     [tool.poetry]
 name = "dangerzone"
-version = "0.8.0"
+version = "0.8.1"
 description = "Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs"
 authors = ["Freedom of the Press Foundation <info@freedom.press>", "Micah Lee <micah.lee@theintercept.com>"]
 license = "AGPL-3.0"

share/version.txt

@@ -1 +1 @@
-0.8.0
+0.8.1