Subject: bug#47627: syncthing package is vulnerable to CVE-2021-21404
From: Leo Famulari
To: Léo Le Bouter via Bug reports for GNU Guix
Cc: 47627@debbugs.gnu.org
Date: Thu, 8 Apr 2021 20:01:26 -0400
References: <38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net>
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security

On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.

I've attached the patch.
[Attachment: 0001-gnu-Syncthing-Update-to-1.15.1-fixes-CVE-2021-21404.patch]

From 86a8d8d9f628ba8dde5d5e3382e56bf83dd4fb1b Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Thu, 10 Dec 2020 14:47:10 -0500
Subject: [PATCH] gnu: Syncthing: Update to 1.15.1 [fixes CVE-2021-21404].

* gnu/packages/syncthing.scm (syncthing): Update to 1.15.1.
[source]: Use bundled dependencies.
[inputs]: Remove field.
[arguments]: Adjust the custom 'build' and 'install' phases for 1.15.1.
---
 gnu/packages/syncthing.scm | 72 +++++---------------------------------
 1 file changed, 8 insertions(+), 64 deletions(-)

diff --git a/gnu/packages/syncthing.scm b/gnu/packages/syncthing.scm
index eb6cb7b4e3..e490c41905 100644
--- a/gnu/packages/syncthing.scm
+++ b/gnu/packages/syncthing.scm
@@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =A9 2016 Petter -;;; Copyright =A9 2016, 2017, 2018, 2019, 2020 Leo Famulari +;;; Copyright =A9 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari ;;; Copyright =A9 2020 Tobias Geerinckx-Rice ;;; Copyright =A9 2020 Efraim Flashner ;;; Copyright =A9 2020 Giacomo Leidi @@ -44,7 +44,7 @@ (define-public syncthing (package (name "syncthing") - (version "1.5.0") + (version "1.15.1") (source (origin (method url-fetch) (uri (string-append "https://github.com/syncthing/syncthing" 
@@ -52,68 +52,12 @@ "/syncthing-source-v" version ".tar.gz")) (sha256 (base32 - "1394b8y4nllihnjngc0kjpdy7pvyh6v1h09hkn8rdmwxpsdkqkjb")) - (modules '((guix build utils))) - ;; Delete bundled ("vendored") free software source code. - (snippet '(begin - (delete-file-recursively "vendor") - #t)))) + "04b90zwinl7frxrpjliq41mkbhpnkszmhdc5j2vbqwyhd82warxq")))) (build-system go-build-system) ;; The primary Syncthing executable goes to "out", while the auxiliary ;; server programs and utility tools go to "utils". This reduces the = size ;; of "out" by ~80 MiB. (outputs '("out" "utils")) - ;; When updating Syncthing, check 'go.mod' in the source distribution = to - ;; ensure we are using the correct versions of these dependencies. - (inputs - `(("go-github-com-jackpal-go-nat-pmp" - ,go-github-com-jackpal-go-nat-pmp) - ("go-github-com-bkaradzic-go-lz4" ,go-github-com-bkaradzic-go-lz4) - ("go-github-com-calmh-xdr" ,go-github-com-calmh-xdr) - ("go-github-com-chmduquesne-rollinghash" - ,go-github-com-chmduquesne-rollinghash) - ("go-github-com-gobwas-glob" ,go-github-com-gobwas-glob) - ("go-github-com-golang-groupcache-lru" - ,go-github-com-golang-groupcache-lru) - ("go-github-com-jackpal-gateway" ,go-github-com-jackpal-gateway) - ("go-github-com-kballard-go-shellquote" - ,go-github-com-kballard-go-shellquote) - ("go-github-com-lib-pq" ,go-github-com-lib-pq) - ("go-github-com-minio-sha256-simd" ,go-github-com-minio-sha256-simd) - ("go-github-com-oschwald-geoip2-golang" - ,go-github-com-oschwald-geoip2-golang) - ("go-github-com-pkg-errors" ,go-github-com-pkg-errors) - ("go-github-com-rcrowley-go-metrics" ,go-github-com-rcrowley-go-met= rics) - ("go-github-com-sasha-s-go-deadlock" ,go-github-com-sasha-s-go-dead= lock) - ("go-github-com-syncthing-notify" ,go-github-com-syncthing-notify) - ("go-github-com-syndtr-goleveldb" ,go-github-com-syndtr-goleveldb) - ("go-github-com-thejerf-suture" ,go-github-com-thejerf-suture) - ("go-golang-org-x-time" ,go-golang-org-x-time) - 
("go-github-com-go-ldap-ldap" ,go-github-com-go-ldap-ldap) - ("go-github-com-gogo-protobuf" ,go-github-com-gogo-protobuf) - ("go-github-com-shirou-gopsutil" ,go-github-com-shirou-gopsutil) - ("go-github-com-prometheus-client-golang" - ,go-github-com-prometheus-client-golang) - ("go-golang-org-x-net" ,go-golang-org-x-net) - ("go-golang-org-x-text" ,go-golang-org-x-text) - ("go-github-com-audriusbutkevicius-recli" - ,go-github-com-audriusbutkevicius-recli) - ("go-github-com-urfave-cli" ,go-github-com-urfave-cli) - ("go-github-com-vitrun-qart" ,go-github-com-vitrun-qart) - ("go-github-com-mattn-go-isatty" ,go-github-com-mattn-go-isatty) - ("go-golang-org-x-crypto" ,go-golang-org-x-crypto) - ("go-github-com-flynn-archive-go-shlex" - ,go-github-com-flynn-archive-go-shlex) - ("go-github-com-getsentry-raven-go" ,go-github-com-getsentry-raven-= go) - ("go-github-com-maruel-panicparse" ,go-github-com-maruel-panicparse) - ("go-github-com-ccding-go-stun" ,go-github-com-ccding-go-stun) - ("go-github-com-audriusbutkevicius-pfilter" ,go-github-com-audriusb= utkevicius-pfilter) - ("go-github-com-lucas-clemente-quic-go" ,go-github-com-lucas-clemen= te-quic-go) - ("go-github-com-willf-bloom" ,go-github-com-willf-bloom) - - ;; For tests. - ("go-github-com-d4l3k-messagediff" ,go-github-com-d4l3k-messagediff= ))) - (arguments `(#:modules ((srfi srfi-26) ; for cut (guix build utils) @@ -136,8 +80,8 @@ ;; updater and to build the utilities is to "build all" and= then ;; "build syncthing" again with -no-upgrade. ;; https://github.com/syncthing/syncthing/issues/6118 - (invoke "go" "run" "build.go" "build" "all") - (delete-file "syncthing") + (invoke "go" "run" "build.go") + (delete-file "bin/syncthing") (invoke "go" "run" "build.go" "-no-upgrade" "build" "syncth= ing")))) =20 (replace 'check 
@@ -149,10 +93,10 @@ (lambda* (#:key outputs #:allow-other-keys) (let ((out (assoc-ref outputs "out")) (utils (assoc-ref outputs "utils"))) - (with-directory-excursion "src/github.com/syncthing/syncthi= ng" - (install-file "syncthing" (string-append out "/bin")) + (with-directory-excursion "src/github.com/syncthing/syncthi= ng/bin" + (install-file "../syncthing" (string-append out "/bin")) (for-each (cut install-file <> (string-append utils "/bin= /")) - '("stcli" "stcompdirs" "stcrashreceiver" + '("stcompdirs" "stcrashreceiver" "stdisco" "stdiscosrv" "stevents" "stfileinfo" "stfinddevice" "stfindignored" "stgenfiles" "stindex" "strelaypoolsrv" "strelaysrv" "stsi= gtool"
-- 
2.31.1
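Review bot: in the @@ -52,68 +52,12 @@ hunk the snippet that deleted the bundled `vendor` directory, the whole `(inputs ...)` field and the comment telling updaters to check `go.mod` are removed, but nothing replaces them to record that the package now deliberately builds against Syncthing's vendored dependencies. Add a short comment beside the new hash, e.g. `;; Build with the bundled ("vendored") dependencies, which are freely licensed.`, and state the trade-off in the commit message: a fix for a library that used to be a separate input (`go-golang-org-x-crypto` and `go-github-com-lucas-clemente-quic-go` are both in the removed list) can now reach this package only through a new Syncthing release, not through updating the Guix Go package.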
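Review bot: in the @@ -136,8 +80,8 @@ hunk the comment kept directly above the change still says the only way to build the utilities is to `"build all"` and then `"build syncthing"` again with `-no-upgrade` (citing syncthing issue 6118), but the new first invocation is `(invoke "go" "run" "build.go")` with no `"build" "all"` arguments, so the comment now describes a command the phase no longer runs. Either update the comment to say that a bare `build.go` run builds everything in 1.15.1, or keep the explicit arguments if they are still accepted. One more line is also worth adding to explain why the first build's binary is removed with `(delete-file "bin/syncthing")` while the `-no-upgrade` build is later installed from the source root: the two invocations evidently write to different directories, and a future updater will otherwise not know which path to look at.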
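Review bot: in the @@ -149,10 +93,10 @@ hunk `"stcli"` disappears from the list of utilities installed to the `utils` output, but neither the commit message nor a comment says why; the ChangeLog entry should mention that it is no longer installed and whether 1.15.1 still builds it. As a style point, entering `.../bin` with `with-directory-excursion` only to install `"../syncthing"` from the parent directory is hard to read; consider staying in the source root, installing `"syncthing"` directly, and prefixing the utility names with `"bin/"` inside the `for-each`, so the asymmetry between the two build outputs is visible in one place.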