Subject: bug#47627: syncthing package is vulnerable to CVE-2021-21404
From: Leo Famulari
To: Léo Le Bouter via Bug reports for GNU Guix, 47627@debbugs.gnu.org
Date: Tue, 6 Apr 2021 18:51:47 -0400
In-Reply-To: <38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net>
List-Id: Bug reports for GNU Guix <bug-guix@gnu.org>
X-GNU-PR-Keywords: security

On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-21404 06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
> 
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
> 
> Previous discussion about updating syncthing:
> https://issues.guix.gnu.org/45476

Yeah. Given this report, we could also just build Syncthing with the
bundled source code, which is freely licensed.
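The crash class described in the quoted advisory (a length-prefixed relay message whose signed length field is negative) is a plain length-validation bug: code that trusts the peer's length value and allocates from it. The Go program below is an added illustration for this thread, not syncthing's relay protocol code or its fix. It puts a reader that trusts an int32 length prefix beside one that rejects negative and oversized lengths before allocating, and feeds both a constructed frame with length -1. The frame layout (big-endian int32 length followed by the body), the `maxMessageLen` bound and the function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed upper bound on a message body for this example; not a syncthing constant.
const maxMessageLen = 1 << 20

var (
	ErrNegativeLength = errors.New("relay message: negative length field")
	ErrTooLong        = errors.New("relay message: length exceeds limit")
)

// readMessageUnchecked shows the failure mode: it trusts a signed 32-bit
// length prefix. A negative length makes make() panic, which would take the
// whole process down. The recover() only exists so the example can report
// the panic as an error instead of exiting.
func readMessageUnchecked(r io.Reader) (body []byte, err error) {
	defer func() {
		if p := recover(); p != nil {
			err = fmt.Errorf("panic while reading message: %v", p)
		}
	}()
	var n int32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	body = make([]byte, n) // panics with "makeslice: len out of range" when n < 0
	if _, err := io.ReadFull(r, body); err != nil {
		return nil, err
	}
	return body, nil
}

// readMessageChecked validates the length field before it is used for
// allocation: negative values are rejected outright, and an upper bound
// stops a hostile peer from forcing a large allocation.
func readMessageChecked(r io.Reader) ([]byte, error) {
	var n int32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	if n < 0 {
		return nil, ErrNegativeLength
	}
	if n > maxMessageLen {
		return nil, ErrTooLong
	}
	body := make([]byte, n)
	if _, err := io.ReadFull(r, body); err != nil {
		return nil, err
	}
	return body, nil
}

// encode builds a length-prefixed frame. The length is taken as int32 so
// that a malicious frame with a negative length can be constructed.
func encode(length int32, body []byte) []byte {
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.BigEndian, length)
	buf.Write(body)
	return buf.Bytes()
}

func main() {
	good := encode(5, []byte("hello")) // constructed well-formed frame
	evil := encode(-1, nil)            // constructed frame with a negative length

	if b, err := readMessageUnchecked(bytes.NewReader(good)); err == nil {
		fmt.Printf("unchecked reader, good frame: %q\n", b)
	}
	_, err := readMessageUnchecked(bytes.NewReader(evil))
	fmt.Println("unchecked reader, negative length:", err)

	_, err = readMessageChecked(bytes.NewReader(evil))
	fmt.Println("checked reader, negative length:", err)
}
```

The checked reader is the shape of fix a packager should expect to see in the upstream release: the length is validated as a signed value before any allocation, and bounded above, so neither a relay nor a client can be crashed by a single crafted frame.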