Pentest to verify TLS CVE fixes

[nbolton]

💵 Bounty: $500 (details)

Blocker:

• CVEs related to TLS and TCP connections #7806

Original CVE report: https://www.openwall.com/lists/oss-security/2021/11/02/4

Task: Penetration Tester/Ethical Hacker/security expert wanted to pentest Deskflow and check the fixes for TLS CVEs:

• CVE-2021-42072
• CVE-2021-42073
• CVE-2021-42074
• CVE-2021-42075
• CVE-2021-42076

We have a bounty for fixing #7806. A number of PRs were opened to fix this. We want to verify these PRs do indeed solve the CVEs so that we can award the bounty.

[nbolton]

/bounty $500

[algora-pbc]

💎 $500 bounty • Deskflow

Steps to solve:

1. Start working: Comment /attempt #8010 with your implementation plan
2. Submit work: Create a pull request including /claim #8010 in the PR body to claim the bounty
3. Receive payment: 100% of the bounty is received 2-5 days post-reward. Make sure you are eligible for payouts

Thank you for contributing to deskflow/deskflow!

Add a bounty • Share on socials

Attempt	Started (GMT+0)	Solution
🟢 @zelosleone	Feb 17, 2025, 5:31:13 PM	#1

[CyberPro010]

how can i participate ? i want payment in bitcoin or eth

[nbolton]

how can i participate ? i want payment in bitcoin or eth

Right now, @algora-pbc does not support cryptocurrency. If nobody attempts the bounty within the next week or so, perhaps we can talk on Matrix or IRC.

[wesleymatosdev]

I'm OOO for the holidays but I'd love to try this out.

What is the desired output here? code attempting to explore the mentioned vulnerabilities?

[sithlord48]

Correct we would want pen testing done to show that these are resolved. Perhaps by running the exploit on a known bad version 1.17.2 and then a suspected good version 1.18.0. Ideally this should be something we (or another 3rd party) could also try locally, Maybe even as a test run at build time to make sure we do not regress

Please note: that @varshith257 has a bit to finish before the first two CVEs on the list are resolved. These should be resolved with 1.18.0

• CVE-2021-42074
• CVE-2021-42075
• CVE-2021-42076

[zelosleone]

@sithlord48 @nbolton since prs got merged, is it okay to start?

[sithlord48]

YES!

[zelosleone]

/attempt #8010

Options

• Cancel my attempt

[nbolton]

@mgerstner Perhaps also of interest to you.