From: Leo Famulari <leo@famulari.name>
To: 47627@debbugs.gnu.org
Subject: bug#47627: syncthing package is vulnerable to CVE-2021-21404
Date: Thu, 8 Apr 2021 20:01:26 -0400 [thread overview]
Message-ID: <YG+ZVl0SMWko4LOJ@jasmine.lan> (raw)
In-Reply-To: <YGzmAwp2zOS9lTD6@jasmine.lan>
[-- Attachment #1.1: Type: text/plain, Size: 208 bytes --]
On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.
I've attached the patch.
[-- Attachment #1.2: 0001-gnu-Syncthing-Update-to-1.15.1-fixes-CVE-2021-21404.patch --]
[-- Type: text/plain, Size: 6949 bytes --]
From 86a8d8d9f628ba8dde5d5e3382e56bf83dd4fb1b Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 10 Dec 2020 14:47:10 -0500
Subject: [PATCH] gnu: Syncthing: Update to 1.15.1 [fixes CVE-2021-21404].
* gnu/packages/syncthing.scm (syncthing): Update to 1.15.1.
[source]: Use bundled dependencies.
[inputs]: Remove field.
[arguments]: Adjust the custom 'build' and 'install' phases for 1.15.1.
---
gnu/packages/syncthing.scm | 72 +++++---------------------------------
1 file changed, 8 insertions(+), 64 deletions(-)
diff --git a/gnu/packages/syncthing.scm b/gnu/packages/syncthing.scm
index eb6cb7b4e3..e490c41905 100644
--- a/gnu/packages/syncthing.scm
+++ b/gnu/packages/syncthing.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016 Petter <petter@mykolab.ch>
-;;; Copyright © 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari <leo@famulari.name>
;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2020 Giacomo Leidi <goodoldpaul@autistici.org>
@@ -44,7 +44,7 @@
(define-public syncthing
(package
(name "syncthing")
- (version "1.5.0")
+ (version "1.15.1")
(source (origin
(method url-fetch)
(uri (string-append "https://github.com/syncthing/syncthing"
@@ -52,68 +52,12 @@
"/syncthing-source-v" version ".tar.gz"))
(sha256
(base32
- "1394b8y4nllihnjngc0kjpdy7pvyh6v1h09hkn8rdmwxpsdkqkjb"))
- (modules '((guix build utils)))
- ;; Delete bundled ("vendored") free software source code.
- (snippet '(begin
- (delete-file-recursively "vendor")
- #t))))
+ "04b90zwinl7frxrpjliq41mkbhpnkszmhdc5j2vbqwyhd82warxq"))))
(build-system go-build-system)
;; The primary Syncthing executable goes to "out", while the auxiliary
;; server programs and utility tools go to "utils". This reduces the size
;; of "out" by ~80 MiB.
(outputs '("out" "utils"))
- ;; When updating Syncthing, check 'go.mod' in the source distribution to
- ;; ensure we are using the correct versions of these dependencies.
- (inputs
- `(("go-github-com-jackpal-go-nat-pmp"
- ,go-github-com-jackpal-go-nat-pmp)
- ("go-github-com-bkaradzic-go-lz4" ,go-github-com-bkaradzic-go-lz4)
- ("go-github-com-calmh-xdr" ,go-github-com-calmh-xdr)
- ("go-github-com-chmduquesne-rollinghash"
- ,go-github-com-chmduquesne-rollinghash)
- ("go-github-com-gobwas-glob" ,go-github-com-gobwas-glob)
- ("go-github-com-golang-groupcache-lru"
- ,go-github-com-golang-groupcache-lru)
- ("go-github-com-jackpal-gateway" ,go-github-com-jackpal-gateway)
- ("go-github-com-kballard-go-shellquote"
- ,go-github-com-kballard-go-shellquote)
- ("go-github-com-lib-pq" ,go-github-com-lib-pq)
- ("go-github-com-minio-sha256-simd" ,go-github-com-minio-sha256-simd)
- ("go-github-com-oschwald-geoip2-golang"
- ,go-github-com-oschwald-geoip2-golang)
- ("go-github-com-pkg-errors" ,go-github-com-pkg-errors)
- ("go-github-com-rcrowley-go-metrics" ,go-github-com-rcrowley-go-metrics)
- ("go-github-com-sasha-s-go-deadlock" ,go-github-com-sasha-s-go-deadlock)
- ("go-github-com-syncthing-notify" ,go-github-com-syncthing-notify)
- ("go-github-com-syndtr-goleveldb" ,go-github-com-syndtr-goleveldb)
- ("go-github-com-thejerf-suture" ,go-github-com-thejerf-suture)
- ("go-golang-org-x-time" ,go-golang-org-x-time)
- ("go-github-com-go-ldap-ldap" ,go-github-com-go-ldap-ldap)
- ("go-github-com-gogo-protobuf" ,go-github-com-gogo-protobuf)
- ("go-github-com-shirou-gopsutil" ,go-github-com-shirou-gopsutil)
- ("go-github-com-prometheus-client-golang"
- ,go-github-com-prometheus-client-golang)
- ("go-golang-org-x-net" ,go-golang-org-x-net)
- ("go-golang-org-x-text" ,go-golang-org-x-text)
- ("go-github-com-audriusbutkevicius-recli"
- ,go-github-com-audriusbutkevicius-recli)
- ("go-github-com-urfave-cli" ,go-github-com-urfave-cli)
- ("go-github-com-vitrun-qart" ,go-github-com-vitrun-qart)
- ("go-github-com-mattn-go-isatty" ,go-github-com-mattn-go-isatty)
- ("go-golang-org-x-crypto" ,go-golang-org-x-crypto)
- ("go-github-com-flynn-archive-go-shlex"
- ,go-github-com-flynn-archive-go-shlex)
- ("go-github-com-getsentry-raven-go" ,go-github-com-getsentry-raven-go)
- ("go-github-com-maruel-panicparse" ,go-github-com-maruel-panicparse)
- ("go-github-com-ccding-go-stun" ,go-github-com-ccding-go-stun)
- ("go-github-com-audriusbutkevicius-pfilter" ,go-github-com-audriusbutkevicius-pfilter)
- ("go-github-com-lucas-clemente-quic-go" ,go-github-com-lucas-clemente-quic-go)
- ("go-github-com-willf-bloom" ,go-github-com-willf-bloom)
-
- ;; For tests.
- ("go-github-com-d4l3k-messagediff" ,go-github-com-d4l3k-messagediff)))
-
(arguments
`(#:modules ((srfi srfi-26) ; for cut
(guix build utils)
@@ -136,8 +80,8 @@
;; updater and to build the utilities is to "build all" and then
;; "build syncthing" again with -no-upgrade.
;; https://github.com/syncthing/syncthing/issues/6118
- (invoke "go" "run" "build.go" "build" "all")
- (delete-file "syncthing")
+ (invoke "go" "run" "build.go")
+ (delete-file "bin/syncthing")
(invoke "go" "run" "build.go" "-no-upgrade" "build" "syncthing"))))
(replace 'check
@@ -149,10 +93,10 @@
(lambda* (#:key outputs #:allow-other-keys)
(let ((out (assoc-ref outputs "out"))
(utils (assoc-ref outputs "utils")))
- (with-directory-excursion "src/github.com/syncthing/syncthing"
- (install-file "syncthing" (string-append out "/bin"))
+ (with-directory-excursion "src/github.com/syncthing/syncthing/bin"
+ (install-file "../syncthing" (string-append out "/bin"))
(for-each (cut install-file <> (string-append utils "/bin/"))
- '("stcli" "stcompdirs" "stcrashreceiver"
+ '("stcompdirs" "stcrashreceiver"
"stdisco" "stdiscosrv" "stevents" "stfileinfo"
"stfinddevice" "stfindignored" "stgenfiles"
"stindex" "strelaypoolsrv" "strelaysrv" "stsigtool"
--
2.31.1
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2021-04-09 0:02 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-06 22:40 bug#47627: syncthing package is vulnerable to CVE-2021-21404 Léo Le Bouter via Bug reports for GNU Guix
2021-04-06 22:51 ` Leo Famulari
2021-04-09 0:01 ` Leo Famulari [this message]
2021-04-12 0:27 ` Léo Le Bouter via Bug reports for GNU Guix
2021-04-12 1:54 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YG+ZVl0SMWko4LOJ@jasmine.lan \
--to=leo@famulari.name \
--cc=47627@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.