CVE-2023-39342: Release Dangerzone 0.4.2 · freedomofpress/dangerzone
Dangerzone is software for converting potentially dangerous PDFs, office documents, or images to safe PDFs. The Dangerzone CLI (the dangerzone-cli command) logs output from the container where the file sanitization takes place to the user's terminal. Prior to version 0.4.2, if the container is compromised and can return attacker-controlled strings, then the attacker may be able to spoof messages in the user's terminal or change the window title. Besides logging output from containers, the CLI also logs the names of the files it sanitizes. If these file names contain ANSI escape sequences, then the same issue applies. Dangerzone is predominantly a GUI application, so this issue should leave most of our users unaffected. Nevertheless, we always suggest updating to the newest version. This issue is fixed in Dangerzone 0.4.2.
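One way a CLI can neutralise such strings before printing them, as an added example that is not Dangerzone's own code: every control character (ESC, the single-byte C1 CSI, carriage return, and so on) is replaced with a visible `\xNN` escape, so the terminal prints the sequence instead of obeying it. The file names and container output below are constructed samples.

```python
import re

# C0 controls (0x00-0x1f), DEL (0x7f) and C1 controls (0x80-0x9f). Every
# terminal escape sequence starts with one of these (ESC 0x1b, or the
# single-byte CSI 0x9b), so neutralising them disarms the whole sequence:
# its remaining bytes ("[2K", "]0;title") are ordinary printable text.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def has_control_chars(text: str) -> bool:
    """True if the string contains any character a terminal might act on."""
    return _CONTROL_CHARS.search(text) is not None


def escape_control_chars(text: str) -> str:
    """Replace each control character with a visible \\xNN escape so the
    terminal shows it literally. Nothing is dropped, so the log still
    records exactly what the container or file name contained."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)


def safe_log_line(prefix: str, untrusted: str) -> str:
    """Build one log line from a trusted prefix and an untrusted payload,
    flagging it when the payload had to be escaped."""
    flag = " [control characters escaped]" if has_control_chars(untrusted) else ""
    return f"{prefix}{flag}: {escape_control_chars(untrusted)}"


# Constructed samples (not from the advisory): a benign file name, a file
# name carrying an OSC sequence that would retitle the terminal window, and
# container output whose CSI erase-line plus carriage return would overwrite
# the current line with a fake success message.
SAMPLES = [
    "quarterly-report.pdf",
    "invoice\x1b]0;totally-safe-terminal\x07.pdf",
    "converting page 1\x1b[2K\rSuccess! Safe PDF written",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(safe_log_line("container", sample))
```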
This release includes various new features, stability improvements, and security fixes. The highlights are:
- An opt-in update notification mechanism for Windows and MacOS users.
  This allows users to get notified of new updates when they open the Dangerzone application. For more info, we have a page where we explain this mechanism in detail.
- Fix for security vulnerability CVE-2023-39342.
  This vulnerability affects the messages that users of the dangerzone-cli see in their terminal. This is a low-severity CVE that does not lead to any integrity or confidentiality loss, but all users are encouraged to upgrade.
- Alpha support for native sanitization on Qubes OS.
  Qubes OS users who can follow our build instructions can give Dangerzone a spin and use disposable VMs to sanitize their files, instead of containers. If you are an early tester, feel free to write about your experience in our GitHub discussions page.
- 4 contributions from 2 new contributors, @OctopusET and @keywordnew.
  We are especially excited about the support for HWP/HWPX files, a file format popular in South Korea and unfortunately a common target of malware attacks (note: support for these files is not available on Qubes OS or MacOS with Apple Silicon chips yet).
For a full list of the changes, see our changelog.