unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#47627: syncthing package is vulnerable to CVE-2021-21404
@ 2021-04-06 22:40 Léo Le Bouter via Bug reports for GNU Guix
  2021-04-06 22:51 ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-06 22:40 UTC (permalink / raw)
  To: 47627

[-- Attachment #1: Type: text/plain, Size: 924 bytes --]

CVE-2021-21404	06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.

We still ship 1.5.0, we crucially need to update that *very* useful
networked daemon package. With the new go importer maybe that's easier.
Also work in the go build system needs to happen IIRC.

Previous discussion about updating syncthing: 
https://issues.guix.gnu.org/45476

Léo

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#47627: syncthing package is vulnerable to CVE-2021-21404
  2021-04-06 22:40 bug#47627: syncthing package is vulnerable to CVE-2021-21404 Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-06 22:51 ` Leo Famulari
  2021-04-09  0:01   ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2021-04-06 22:51 UTC (permalink / raw)
  To: 47627

[-- Attachment #1: Type: text/plain, Size: 1163 bytes --]

On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-21404	06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
> 
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
> 
> Previous discussion about updating syncthing: 
> https://issues.guix.gnu.org/45476

Yeah. Given this report, we could also just build Syncthing with the
bundled source code, which is freely licensed.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#47627: syncthing package is vulnerable to CVE-2021-21404
  2021-04-06 22:51 ` Leo Famulari
@ 2021-04-09  0:01   ` Leo Famulari
  2021-04-12  0:27     ` Léo Le Bouter via Bug reports for GNU Guix
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2021-04-09  0:01 UTC (permalink / raw)
  To: 47627


[-- Attachment #1.1: Type: text/plain, Size: 208 bytes --]

On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.

I've attached the patch.

[-- Attachment #1.2: 0001-gnu-Syncthing-Update-to-1.15.1-fixes-CVE-2021-21404.patch --]
[-- Type: text/plain, Size: 6949 bytes --]

From 86a8d8d9f628ba8dde5d5e3382e56bf83dd4fb1b Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 10 Dec 2020 14:47:10 -0500
Subject: [PATCH] gnu: Syncthing: Update to 1.15.1 [fixes CVE-2021-21404].

* gnu/packages/syncthing.scm (syncthing): Update to 1.15.1.
[source]: Use bundled dependencies.
[inputs]: Remove field.
[arguments]: Adjust the custom 'build' and 'install' phases for 1.15.1.
---
 gnu/packages/syncthing.scm | 72 +++++---------------------------------
 1 file changed, 8 insertions(+), 64 deletions(-)

diff --git a/gnu/packages/syncthing.scm b/gnu/packages/syncthing.scm
index eb6cb7b4e3..e490c41905 100644
--- a/gnu/packages/syncthing.scm
+++ b/gnu/packages/syncthing.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016 Petter <petter@mykolab.ch>
-;;; Copyright © 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2020 Giacomo Leidi <goodoldpaul@autistici.org>
@@ -44,7 +44,7 @@
 (define-public syncthing
   (package
     (name "syncthing")
-    (version "1.5.0")
+    (version "1.15.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/syncthing/syncthing"
@@ -52,68 +52,12 @@
                                   "/syncthing-source-v" version ".tar.gz"))
               (sha256
                (base32
-                "1394b8y4nllihnjngc0kjpdy7pvyh6v1h09hkn8rdmwxpsdkqkjb"))
-              (modules '((guix build utils)))
-              ;; Delete bundled ("vendored") free software source code.
-              (snippet '(begin
-                          (delete-file-recursively "vendor")
-                          #t))))
+                "04b90zwinl7frxrpjliq41mkbhpnkszmhdc5j2vbqwyhd82warxq"))))
     (build-system go-build-system)
     ;; The primary Syncthing executable goes to "out", while the auxiliary
     ;; server programs and utility tools go to "utils".  This reduces the size
     ;; of "out" by ~80 MiB.
     (outputs '("out" "utils"))
-    ;; When updating Syncthing, check 'go.mod' in the source distribution to
-    ;; ensure we are using the correct versions of these dependencies.
-    (inputs
-     `(("go-github-com-jackpal-go-nat-pmp"
-        ,go-github-com-jackpal-go-nat-pmp)
-       ("go-github-com-bkaradzic-go-lz4" ,go-github-com-bkaradzic-go-lz4)
-       ("go-github-com-calmh-xdr" ,go-github-com-calmh-xdr)
-       ("go-github-com-chmduquesne-rollinghash"
-        ,go-github-com-chmduquesne-rollinghash)
-       ("go-github-com-gobwas-glob" ,go-github-com-gobwas-glob)
-       ("go-github-com-golang-groupcache-lru"
-        ,go-github-com-golang-groupcache-lru)
-       ("go-github-com-jackpal-gateway" ,go-github-com-jackpal-gateway)
-       ("go-github-com-kballard-go-shellquote"
-        ,go-github-com-kballard-go-shellquote)
-       ("go-github-com-lib-pq" ,go-github-com-lib-pq)
-       ("go-github-com-minio-sha256-simd" ,go-github-com-minio-sha256-simd)
-       ("go-github-com-oschwald-geoip2-golang"
-        ,go-github-com-oschwald-geoip2-golang)
-       ("go-github-com-pkg-errors" ,go-github-com-pkg-errors)
-       ("go-github-com-rcrowley-go-metrics" ,go-github-com-rcrowley-go-metrics)
-       ("go-github-com-sasha-s-go-deadlock" ,go-github-com-sasha-s-go-deadlock)
-       ("go-github-com-syncthing-notify" ,go-github-com-syncthing-notify)
-       ("go-github-com-syndtr-goleveldb" ,go-github-com-syndtr-goleveldb)
-       ("go-github-com-thejerf-suture" ,go-github-com-thejerf-suture)
-       ("go-golang-org-x-time" ,go-golang-org-x-time)
-       ("go-github-com-go-ldap-ldap" ,go-github-com-go-ldap-ldap)
-       ("go-github-com-gogo-protobuf" ,go-github-com-gogo-protobuf)
-       ("go-github-com-shirou-gopsutil" ,go-github-com-shirou-gopsutil)
-       ("go-github-com-prometheus-client-golang"
-        ,go-github-com-prometheus-client-golang)
-       ("go-golang-org-x-net" ,go-golang-org-x-net)
-       ("go-golang-org-x-text" ,go-golang-org-x-text)
-       ("go-github-com-audriusbutkevicius-recli"
-        ,go-github-com-audriusbutkevicius-recli)
-       ("go-github-com-urfave-cli" ,go-github-com-urfave-cli)
-       ("go-github-com-vitrun-qart" ,go-github-com-vitrun-qart)
-       ("go-github-com-mattn-go-isatty" ,go-github-com-mattn-go-isatty)
-       ("go-golang-org-x-crypto" ,go-golang-org-x-crypto)
-       ("go-github-com-flynn-archive-go-shlex"
-        ,go-github-com-flynn-archive-go-shlex)
-       ("go-github-com-getsentry-raven-go" ,go-github-com-getsentry-raven-go)
-       ("go-github-com-maruel-panicparse" ,go-github-com-maruel-panicparse)
-       ("go-github-com-ccding-go-stun" ,go-github-com-ccding-go-stun)
-       ("go-github-com-audriusbutkevicius-pfilter" ,go-github-com-audriusbutkevicius-pfilter)
-       ("go-github-com-lucas-clemente-quic-go" ,go-github-com-lucas-clemente-quic-go)
-       ("go-github-com-willf-bloom" ,go-github-com-willf-bloom)
-
-       ;; For tests.
-       ("go-github-com-d4l3k-messagediff" ,go-github-com-d4l3k-messagediff)))
-
     (arguments
      `(#:modules ((srfi srfi-26) ; for cut
                   (guix build utils)
@@ -136,8 +80,8 @@
                ;; updater and to build the utilities is to "build all" and then
                ;; "build syncthing" again with -no-upgrade.
                ;; https://github.com/syncthing/syncthing/issues/6118
-               (invoke "go" "run" "build.go" "build" "all")
-               (delete-file "syncthing")
+               (invoke "go" "run" "build.go")
+               (delete-file "bin/syncthing")
                (invoke "go" "run" "build.go" "-no-upgrade" "build" "syncthing"))))
 
          (replace 'check
@@ -149,10 +93,10 @@
            (lambda* (#:key outputs #:allow-other-keys)
              (let ((out (assoc-ref outputs "out"))
                    (utils (assoc-ref outputs "utils")))
-               (with-directory-excursion "src/github.com/syncthing/syncthing"
-                 (install-file "syncthing" (string-append out "/bin"))
+               (with-directory-excursion "src/github.com/syncthing/syncthing/bin"
+                 (install-file "../syncthing" (string-append out "/bin"))
                  (for-each (cut install-file <> (string-append utils "/bin/"))
-                           '("stcli" "stcompdirs" "stcrashreceiver"
+                           '("stcompdirs" "stcrashreceiver"
                              "stdisco" "stdiscosrv" "stevents" "stfileinfo"
                              "stfinddevice" "stfindignored" "stgenfiles"
                              "stindex" "strelaypoolsrv" "strelaysrv" "stsigtool"
-- 
2.31.1


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply related	[flat|nested] 5+ messages in thread

* bug#47627: syncthing package is vulnerable to CVE-2021-21404
  2021-04-09  0:01   ` Leo Famulari
@ 2021-04-12  0:27     ` Léo Le Bouter via Bug reports for GNU Guix
  2021-04-12  1:54       ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-12  0:27 UTC (permalink / raw)
  To: Leo Famulari, 47627

[-- Attachment #1: Type: text/plain, Size: 381 bytes --]

On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > Yeah. Given this report, we could also just build Syncthing with
> > the
> > bundled source code, which is freely licensed.
> 
> I've attached the patch.

I tested this patch on my system, works great with the syncthing
service also. LGTM from me.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#47627: syncthing package is vulnerable to CVE-2021-21404
  2021-04-12  0:27     ` Léo Le Bouter via Bug reports for GNU Guix
@ 2021-04-12  1:54       ` Leo Famulari
  0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2021-04-12  1:54 UTC (permalink / raw)
  To: Léo Le Bouter; +Cc: 47627-done

[-- Attachment #1: Type: text/plain, Size: 543 bytes --]

On Mon, Apr 12, 2021 at 02:27:51AM +0200, Léo Le Bouter wrote:
> On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> > On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > > Yeah. Given this report, we could also just build Syncthing with
> > > the
> > > bundled source code, which is freely licensed.
> > 
> > I've attached the patch.
> 
> I tested this patch on my system, works great with the syncthing
> service also. LGTM from me.

Thanks for the review. Pushed as
ed3ef756f521a0df8596a88b66f65b7a1ad99252

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2021-04-12  1:56 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-06 22:40 bug#47627: syncthing package is vulnerable to CVE-2021-21404 Léo Le Bouter via Bug reports for GNU Guix
2021-04-06 22:51 ` Leo Famulari
2021-04-09  0:01   ` Leo Famulari
2021-04-12  0:27     ` Léo Le Bouter via Bug reports for GNU Guix
2021-04-12  1:54       ` Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).