* bug#47627: syncthing package is vulnerable to CVE-2021-21404
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-06 22:40 UTC (permalink / raw)
To: 47627
CVE-2021-21404 06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.
We still ship 1.5.0; we crucially need to update that *very* useful
networked daemon package. With the new go importer maybe that's easier.
Also work in the go build system needs to happen IIRC.
Previous discussion about updating syncthing:
https://issues.guix.gnu.org/45476
Léo
* bug#47627: syncthing package is vulnerable to CVE-2021-21404
From: Leo Famulari @ 2021-04-06 22:51 UTC (permalink / raw)
To: 47627
On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-21404 06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
>
> We still ship 1.5.0; we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
>
> Previous discussion about updating syncthing:
> https://issues.guix.gnu.org/45476
Yeah. Given this report, we could also just build Syncthing with the
bundled source code, which is freely licensed.
* bug#47627: syncthing package is vulnerable to CVE-2021-21404
From: Leo Famulari @ 2021-04-09 0:01 UTC (permalink / raw)
To: 47627
On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.
I've attached the patch.
[-- Attachment #1.2: 0001-gnu-Syncthing-Update-to-1.15.1-fixes-CVE-2021-21404.patch --]
From 86a8d8d9f628ba8dde5d5e3382e56bf83dd4fb1b Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 10 Dec 2020 14:47:10 -0500
Subject: [PATCH] gnu: Syncthing: Update to 1.15.1 [fixes CVE-2021-21404].
* gnu/packages/syncthing.scm (syncthing): Update to 1.15.1.
[source]: Use bundled dependencies.
[inputs]: Remove field.
[arguments]: Adjust the custom 'build' and 'install' phases for 1.15.1.
---
gnu/packages/syncthing.scm | 72 +++++---------------------------------
1 file changed, 8 insertions(+), 64 deletions(-)
diff --git a/gnu/packages/syncthing.scm b/gnu/packages/syncthing.scm
index eb6cb7b4e3..e490c41905 100644
--- a/gnu/packages/syncthing.scm
+++ b/gnu/packages/syncthing.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016 Petter <petter@mykolab.ch>
-;;; Copyright © 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari <leo@famulari.name>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2020 Giacomo Leidi <goodoldpaul@autistici.org>
@@ -44,7 +44,7 @@
(define-public syncthing
(package
(name "syncthing")
- (version "1.5.0")
+ (version "1.15.1")
(source (origin
(method url-fetch)
(uri (string-append "https://github.com/syncthing/syncthing"
@@ -52,68 +52,12 @@
"/syncthing-source-v" version ".tar.gz"))
(sha256
(base32
- "1394b8y4nllihnjngc0kjpdy7pvyh6v1h09hkn8rdmwxpsdkqkjb"))
- (modules '((guix build utils)))
- ;; Delete bundled ("vendored") free software source code.
- (snippet '(begin
- (delete-file-recursively "vendor")
- #t))))
+ "04b90zwinl7frxrpjliq41mkbhpnkszmhdc5j2vbqwyhd82warxq"))))
(build-system go-build-system)
;; The primary Syncthing executable goes to "out", while the auxiliary
;; server programs and utility tools go to "utils". This reduces the size
;; of "out" by ~80 MiB.
(outputs '("out" "utils"))
- ;; When updating Syncthing, check 'go.mod' in the source distribution to
- ;; ensure we are using the correct versions of these dependencies.
- (inputs
- `(("go-github-com-jackpal-go-nat-pmp"
- ,go-github-com-jackpal-go-nat-pmp)
- ("go-github-com-bkaradzic-go-lz4" ,go-github-com-bkaradzic-go-lz4)
- ("go-github-com-calmh-xdr" ,go-github-com-calmh-xdr)
- ("go-github-com-chmduquesne-rollinghash"
- ,go-github-com-chmduquesne-rollinghash)
- ("go-github-com-gobwas-glob" ,go-github-com-gobwas-glob)
- ("go-github-com-golang-groupcache-lru"
- ,go-github-com-golang-groupcache-lru)
- ("go-github-com-jackpal-gateway" ,go-github-com-jackpal-gateway)
- ("go-github-com-kballard-go-shellquote"
- ,go-github-com-kballard-go-shellquote)
- ("go-github-com-lib-pq" ,go-github-com-lib-pq)
- ("go-github-com-minio-sha256-simd" ,go-github-com-minio-sha256-simd)
- ("go-github-com-oschwald-geoip2-golang"
- ,go-github-com-oschwald-geoip2-golang)
- ("go-github-com-pkg-errors" ,go-github-com-pkg-errors)
- ("go-github-com-rcrowley-go-metrics" ,go-github-com-rcrowley-go-metrics)
- ("go-github-com-sasha-s-go-deadlock" ,go-github-com-sasha-s-go-deadlock)
- ("go-github-com-syncthing-notify" ,go-github-com-syncthing-notify)
- ("go-github-com-syndtr-goleveldb" ,go-github-com-syndtr-goleveldb)
- ("go-github-com-thejerf-suture" ,go-github-com-thejerf-suture)
- ("go-golang-org-x-time" ,go-golang-org-x-time)
- ("go-github-com-go-ldap-ldap" ,go-github-com-go-ldap-ldap)
- ("go-github-com-gogo-protobuf" ,go-github-com-gogo-protobuf)
- ("go-github-com-shirou-gopsutil" ,go-github-com-shirou-gopsutil)
- ("go-github-com-prometheus-client-golang"
- ,go-github-com-prometheus-client-golang)
- ("go-golang-org-x-net" ,go-golang-org-x-net)
- ("go-golang-org-x-text" ,go-golang-org-x-text)
- ("go-github-com-audriusbutkevicius-recli"
- ,go-github-com-audriusbutkevicius-recli)
- ("go-github-com-urfave-cli" ,go-github-com-urfave-cli)
- ("go-github-com-vitrun-qart" ,go-github-com-vitrun-qart)
- ("go-github-com-mattn-go-isatty" ,go-github-com-mattn-go-isatty)
- ("go-golang-org-x-crypto" ,go-golang-org-x-crypto)
- ("go-github-com-flynn-archive-go-shlex"
- ,go-github-com-flynn-archive-go-shlex)
- ("go-github-com-getsentry-raven-go" ,go-github-com-getsentry-raven-go)
- ("go-github-com-maruel-panicparse" ,go-github-com-maruel-panicparse)
- ("go-github-com-ccding-go-stun" ,go-github-com-ccding-go-stun)
- ("go-github-com-audriusbutkevicius-pfilter" ,go-github-com-audriusbutkevicius-pfilter)
- ("go-github-com-lucas-clemente-quic-go" ,go-github-com-lucas-clemente-quic-go)
- ("go-github-com-willf-bloom" ,go-github-com-willf-bloom)
-
- ;; For tests.
- ("go-github-com-d4l3k-messagediff" ,go-github-com-d4l3k-messagediff)))
-
(arguments
`(#:modules ((srfi srfi-26) ; for cut
(guix build utils)
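Review bot: dropping the `vendor`-deleting snippet together with the whole `inputs` list switches Syncthing from the separately packaged go-* libraries to its bundled copies, but nothing in the new hunk records that decision; the removed comment ("When updating Syncthing, check 'go.mod' ...") was the only reminder of how those dependencies are tracked. Suggest a comment beside the `origin`, e.g. `;; Build with the bundled ("vendored") dependencies; fixes for them arrive via Syncthing releases.`, and a line in the commit message noting that the go-* packages formerly listed as inputs may now be unreferenced in this file.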
@@ -136,8 +80,8 @@
;; updater and to build the utilities is to "build all" and then
;; "build syncthing" again with -no-upgrade.
;; https://github.com/syncthing/syncthing/issues/6118
- (invoke "go" "run" "build.go" "build" "all")
- (delete-file "syncthing")
+ (invoke "go" "run" "build.go")
+ (delete-file "bin/syncthing")
(invoke "go" "run" "build.go" "-no-upgrade" "build" "syncthing"))))
(replace 'check
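Review bot: the comment kept as context at the top of this hunk ("the only way to build ... is to 'build all' and then 'build syncthing' again with -no-upgrade") still describes the removed `(invoke "go" "run" "build.go" "build" "all")`; the replacement runs `build.go` with no arguments, so the comment should be updated to match. A one-line comment explaining why the first build's output is now deleted from `bin/syncthing` while the second `build syncthing` invocation is later installed from the source root would also help the next updater.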
@@ -149,10 +93,10 @@
(lambda* (#:key outputs #:allow-other-keys)
(let ((out (assoc-ref outputs "out"))
(utils (assoc-ref outputs "utils")))
- (with-directory-excursion "src/github.com/syncthing/syncthing"
- (install-file "syncthing" (string-append out "/bin"))
+ (with-directory-excursion "src/github.com/syncthing/syncthing/bin"
+ (install-file "../syncthing" (string-append out "/bin"))
(for-each (cut install-file <> (string-append utils "/bin/"))
- '("stcli" "stcompdirs" "stcrashreceiver"
+ '("stcompdirs" "stcrashreceiver"
"stdisco" "stdiscosrv" "stevents" "stfileinfo"
"stfinddevice" "stfindignored" "stgenfiles"
"stindex" "strelaypoolsrv" "strelaysrv" "stsigtool"
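Review bot: `stcli` is silently dropped from the list of utilities installed into the "utils" output; the `[arguments]` entry of the commit message should say so, since users of that output lose a tool. The `with-directory-excursion` into `.../syncthing/bin` combined with `(install-file "../syncthing" ...)` also reads awkwardly; consider installing "syncthing" from the source root first and entering `bin/` only for the `for-each` over the utilities.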
--
2.31.1
* bug#47627: syncthing package is vulnerable to CVE-2021-21404
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-04-12 0:27 UTC (permalink / raw)
To: Leo Famulari, 47627
On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > Yeah. Given this report, we could also just build Syncthing with
> > the
> > bundled source code, which is freely licensed.
>
> I've attached the patch.
I tested this patch on my system; it works great with the syncthing
service also. LGTM from me.
* bug#47627: syncthing package is vulnerable to CVE-2021-21404
From: Leo Famulari @ 2021-04-12 1:54 UTC (permalink / raw)
To: Léo Le Bouter; +Cc: 47627-done
On Mon, Apr 12, 2021 at 02:27:51AM +0200, Léo Le Bouter wrote:
> On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> > On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > > Yeah. Given this report, we could also just build Syncthing with
> > > the
> > > bundled source code, which is freely licensed.
> >
> > I've attached the patch.
>
> I tested this patch on my system; it works great with the syncthing
> service also. LGTM from me.
Thanks for the review. Pushed as
ed3ef756f521a0df8596a88b66f65b7a1ad99252