syncthing package is vulnerable to CVE-2021-21404

Done

Details

2 participants

Leo Famulari
Léo Le Bouter

Owner: unassigned

Submitted by: Léo Le Bouter

Severity: normal

Léo Le Bouter wrote on 7 Apr 2021 00:40

Recipients:(address . bug-guix@gnu.org)

Message-ID:38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net

CVE-2021-21404	06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.

We still ship 1.5.0, we crucially need to update that *very* useful
networked daemon package. With the new go importer maybe that's easier.
Also work in the go build system needs to happen IIRC.

Previous discussion about updating syncthing: 
https://issues.guix.gnu.org/45476

Léo

Léo Le Bouter wrote on 7 Apr 2021 00:41

Recipients:(address . control@debbugs.gnu.org)

Message-ID:e680139bcfbd4cb950c09bd4bb6c82d109a89707.camel@zaclys.net

tags 47627 + security

quit

Leo Famulari wrote on 7 Apr 2021 00:51

Recipients:(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47627@debbugs.gnu.org)

Message-ID:YGzmAwp2zOS9lTD6@jasmine.lan

On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:

Toggle quote (18 lines)> CVE-2021-21404	06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
> 
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
> 
> Previous discussion about updating syncthing: 
> https://issues.guix.gnu.org/45476

Yeah. Given this report, we could also just build Syncthing with the

bundled source code, which is freely licensed.

Leo Famulari wrote on 9 Apr 2021 02:01

Recipients:(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47627@debbugs.gnu.org)

Message-ID:YG+ZVl0SMWko4LOJ@jasmine.lan

On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:

Toggle quote (3 lines)

> Yeah. Given this report, we could also just build Syncthing with the

> bundled source code, which is freely licensed.

I've attached the patch.

Attachment: 0001-gnu-Syncthing-Update-to-1.15.1-fixes-CVE-2021-21404.patch

Léo Le Bouter wrote on 12 Apr 2021 02:27

Recipients:

Message-ID:1594339afcb287329f672249f6ae8ad89e8dbba3.camel@zaclys.net

On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:

Toggle quote (7 lines)

> On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:

> > Yeah. Given this report, we could also just build Syncthing with

> > the

> > bundled source code, which is freely licensed.

> I've attached the patch.

I tested this patch on my system, works great with the syncthing

service also. LGTM from me.

Leo Famulari wrote on 12 Apr 2021 03:54

Recipients:(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47627-done@debbugs.gnu.org)

Message-ID:YHOobxPF9OMoiv7C@jasmine.lan

On Mon, Apr 12, 2021 at 02:27:51AM +0200, Léo Le Bouter wrote:

Toggle quote (11 lines)> On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> > On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > > Yeah. Given this report, we could also just build Syncthing with
> > > the
> > > bundled source code, which is freely licensed.
> > 
> > I've attached the patch.
> 
> I tested this patch on my system, works great with the syncthing
> service also. LGTM from me.

Thanks for the review. Pushed as

ed3ef756f521a0df8596a88b66f65b7a1ad99252

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 47627@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date