syncthing package is vulnerable to CVE-2021-21404

Done
Submitted by Léo Le Bouter.
Details
2 participants
  • Leo Famulari
  • Léo Le Bouter
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 7 Apr 00:40 +0200
(address . bug-guix@gnu.org)
38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net
CVE-2021-21404 06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.

We still ship 1.5.0, we crucially need to update that *very* useful networked daemon package. With the new go importer maybe that's easier. Also work in the go build system needs to happen IIRC.
Previous discussion about updating syncthing: https://issues.guix.gnu.org/45476
Léo
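The crash class in the CVE text above, as an added illustration that is not code from Syncthing or from this thread: a constructed length-prefixed frame reader (an assumed 4-byte big-endian signed length header, not the real relay wire format, and an assumed 1 MiB cap) in its trusting form next to one that validates the field before allocating.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Constructed framing for illustration only: a 4-byte big-endian signed
// length followed by that many payload bytes. It is not the Syncthing relay
// wire format; it reproduces the class of bug the CVE text describes.
const maxMessageLen = 1 << 20 // assumed policy cap, 1 MiB

// readFrameNaive trusts the length field. A negative value reaches make(),
// which panics ("makeslice: len out of range") and ends the process.
func readFrameNaive(r io.Reader) ([]byte, error) {
	var n int32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	buf := make([]byte, n) // panics when n < 0
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// readFrameChecked validates the length before allocating, so a malformed
// header is an error to log and close the connection on, not a crash.
func readFrameChecked(r io.Reader) ([]byte, error) {
	var n int32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	if n < 0 || n > maxMessageLen {
		return nil, fmt.Errorf("invalid message length %d", n)
	}
	buf := make([]byte, n)
	_, err := io.ReadFull(r, buf)
	return buf, err
}

// safeCall reports whether f panicked, so a caller can observe the crash
// without the process exiting (constructed helper for demonstration).
func safeCall(f func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	f()
	return false
}

var _ = bytes.NewReader // bytes is the reader used to feed constructed frames
```

Feed both readers the constructed header `{0xff, 0xff, 0xff, 0xff}` (length -1): the naive one panics, the checked one returns an error and the connection can simply be dropped.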

Léo Le Bouter wrote on 7 Apr 00:41 +0200
(address . control@debbugs.gnu.org)
e680139bcfbd4cb950c09bd4bb6c82d109a89707.camel@zaclys.net
tags 47627 + security
quit

Leo Famulari wrote on 7 Apr 00:51 +0200
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47627@debbugs.gnu.org)
YGzmAwp2zOS9lTD6@jasmine.lan
On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-21404 06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
>
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
>
> Previous discussion about updating syncthing:
> https://issues.guix.gnu.org/45476

Yeah. Given this report, we could also just build Syncthing with the bundled source code, which is freely licensed.

Leo Famulari wrote on 9 Apr 02:01 +0200
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47627@debbugs.gnu.org)
YG+ZVl0SMWko4LOJ@jasmine.lan
On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.
I've attached the patch.
From 86a8d8d9f628ba8dde5d5e3382e56bf83dd4fb1b Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 10 Dec 2020 14:47:10 -0500
Subject: [PATCH] gnu: Syncthing: Update to 1.15.1 [fixes CVE-2021-21404].

* gnu/packages/syncthing.scm (syncthing): Update to 1.15.1.
[source]: Use bundled dependencies.
[inputs]: Remove field.
[arguments]: Adjust the custom 'build' and 'install' phases for 1.15.1.
---
 gnu/packages/syncthing.scm | 72 +++++---------------------------------
 1 file changed, 8 insertions(+), 64 deletions(-)
Toggle diff (118 lines)diff --git a/gnu/packages/syncthing.scm b/gnu/packages/syncthing.scmindex eb6cb7b4e3..e490c41905 100644--- a/gnu/packages/syncthing.scm+++ b/gnu/packages/syncthing.scm@@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2016 Petter <petter@mykolab.ch>-;;; Copyright © 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name>+;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari <leo@famulari.name> ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il> ;;; Copyright © 2020 Giacomo Leidi <goodoldpaul@autistici.org>@@ -44,7 +44,7 @@ (define-public syncthing (package (name "syncthing")- (version "1.5.0")+ (version "1.15.1") (source (origin (method url-fetch) (uri (string-append "https://github.com/syncthing/syncthing"@@ -52,68 +52,12 @@ "/syncthing-source-v" version ".tar.gz")) (sha256 (base32- "1394b8y4nllihnjngc0kjpdy7pvyh6v1h09hkn8rdmwxpsdkqkjb"))- (modules '((guix build utils)))- ;; Delete bundled ("vendored") free software source code.- (snippet '(begin- (delete-file-recursively "vendor")- #t))))+ "04b90zwinl7frxrpjliq41mkbhpnkszmhdc5j2vbqwyhd82warxq")))) (build-system go-build-system) ;; The primary Syncthing executable goes to "out", while the auxiliary ;; server programs and utility tools go to "utils". This reduces the size ;; of "out" by ~80 MiB. 
(outputs '("out" "utils"))- ;; When updating Syncthing, check 'go.mod' in the source distribution to- ;; ensure we are using the correct versions of these dependencies.- (inputs- `(("go-github-com-jackpal-go-nat-pmp"- ,go-github-com-jackpal-go-nat-pmp)- ("go-github-com-bkaradzic-go-lz4" ,go-github-com-bkaradzic-go-lz4)- ("go-github-com-calmh-xdr" ,go-github-com-calmh-xdr)- ("go-github-com-chmduquesne-rollinghash"- ,go-github-com-chmduquesne-rollinghash)- ("go-github-com-gobwas-glob" ,go-github-com-gobwas-glob)- ("go-github-com-golang-groupcache-lru"- ,go-github-com-golang-groupcache-lru)- ("go-github-com-jackpal-gateway" ,go-github-com-jackpal-gateway)- ("go-github-com-kballard-go-shellquote"- ,go-github-com-kballard-go-shellquote)- ("go-github-com-lib-pq" ,go-github-com-lib-pq)- ("go-github-com-minio-sha256-simd" ,go-github-com-minio-sha256-simd)- ("go-github-com-oschwald-geoip2-golang"- ,go-github-com-oschwald-geoip2-golang)- ("go-github-com-pkg-errors" ,go-github-com-pkg-errors)- ("go-github-com-rcrowley-go-metrics" ,go-github-com-rcrowley-go-metrics)- ("go-github-com-sasha-s-go-deadlock" ,go-github-com-sasha-s-go-deadlock)- ("go-github-com-syncthing-notify" ,go-github-com-syncthing-notify)- ("go-github-com-syndtr-goleveldb" ,go-github-com-syndtr-goleveldb)- ("go-github-com-thejerf-suture" ,go-github-com-thejerf-suture)- ("go-golang-org-x-time" ,go-golang-org-x-time)- ("go-github-com-go-ldap-ldap" ,go-github-com-go-ldap-ldap)- ("go-github-com-gogo-protobuf" ,go-github-com-gogo-protobuf)- ("go-github-com-shirou-gopsutil" ,go-github-com-shirou-gopsutil)- ("go-github-com-prometheus-client-golang"- ,go-github-com-prometheus-client-golang)- ("go-golang-org-x-net" ,go-golang-org-x-net)- ("go-golang-org-x-text" ,go-golang-org-x-text)- ("go-github-com-audriusbutkevicius-recli"- ,go-github-com-audriusbutkevicius-recli)- ("go-github-com-urfave-cli" ,go-github-com-urfave-cli)- ("go-github-com-vitrun-qart" ,go-github-com-vitrun-qart)- ("go-github-com-mattn-go-isatty" 
,go-github-com-mattn-go-isatty)- ("go-golang-org-x-crypto" ,go-golang-org-x-crypto)- ("go-github-com-flynn-archive-go-shlex"- ,go-github-com-flynn-archive-go-shlex)- ("go-github-com-getsentry-raven-go" ,go-github-com-getsentry-raven-go)- ("go-github-com-maruel-panicparse" ,go-github-com-maruel-panicparse)- ("go-github-com-ccding-go-stun" ,go-github-com-ccding-go-stun)- ("go-github-com-audriusbutkevicius-pfilter" ,go-github-com-audriusbutkevicius-pfilter)- ("go-github-com-lucas-clemente-quic-go" ,go-github-com-lucas-clemente-quic-go)- ("go-github-com-willf-bloom" ,go-github-com-willf-bloom)-- ;; For tests.- ("go-github-com-d4l3k-messagediff" ,go-github-com-d4l3k-messagediff)))- (arguments `(#:modules ((srfi srfi-26) ; for cut (guix build utils)@@ -136,8 +80,8 @@ ;; updater and to build the utilities is to "build all" and then ;; "build syncthing" again with -no-upgrade. ;; https://github.com/syncthing/syncthing/issues/6118- (invoke "go" "run" "build.go" "build" "all")- (delete-file "syncthing")+ (invoke "go" "run" "build.go")+ (delete-file "bin/syncthing") (invoke "go" "run" "build.go" "-no-upgrade" "build" "syncthing")))) (replace 'check@@ -149,10 +93,10 @@ (lambda* (#:key outputs #:allow-other-keys) (let ((out (assoc-ref outputs "out")) (utils (assoc-ref outputs "utils")))- (with-directory-excursion "src/github.com/syncthing/syncthing"- (install-file "syncthing" (string-append out "/bin"))+ (with-directory-excursion "src/github.com/syncthing/syncthing/bin"+ (install-file "../syncthing" (string-append out "/bin")) (for-each (cut install-file <> (string-append utils "/bin/"))- '("stcli" "stcompdirs" "stcrashreceiver"+ '("stcompdirs" "stcrashreceiver" "stdisco" "stdiscosrv" "stevents" "stfileinfo" "stfinddevice" "stfindignored" "stgenfiles" "stindex" "strelaypoolsrv" "strelaysrv" "stsigtool"-- 2.31.1
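Review bot: the `@@ -52,68 +52,12 @@` hunk drops the snippet whose comment explained why the `vendor` directory was deleted, but adds nothing in its place; since the package now builds from the bundled dependencies on purpose, the `source` origin should carry a short comment saying so and why (the thread gives the reason: the bundled code is freely licensed), otherwise a later update is likely to reinstate the snippet and break the build. The same hunk also removes the `;; When updating Syncthing, check 'go.mod'` reminder, which is still useful guidance for whoever next reviews the vendored tree.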
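Review bot: in the `@@ -136,8 +80,8 @@` hunk the first invocation changes from `(invoke "go" "run" "build.go" "build" "all")` to `(invoke "go" "run" "build.go")`, but the unchanged comment lines directly above still describe the procedure as "build all" and then "build syncthing" again with -no-upgrade; update that comment so it matches what the phase now runs.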
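Review bot: the `@@ -149,10 +93,10 @@` hunk silently drops `"stcli"` from the list of programs installed into the `utils` output, yet the commit message only says the 'install' phase was adjusted for 1.15.1; the change log entry should record that stcli is no longer installed so users of the utils output know to expect its absence. Entering `bin` with `with-directory-excursion` and then installing `"../syncthing"` from the parent directory also reads awkwardly; installing the main binary from the source root before descending into `bin` would be clearer.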

Léo Le Bouter wrote on 12 Apr 02:27 +0200
1594339afcb287329f672249f6ae8ad89e8dbba3.camel@zaclys.net
On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > Yeah. Given this report, we could also just build Syncthing with
> > the
> > bundled source code, which is freely licensed.
>
> I've attached the patch.

I tested this patch on my system, works great with the syncthing service also. LGTM from me.

Leo Famulari wrote on 12 Apr 03:54 +0200
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47627-done@debbugs.gnu.org)
YHOobxPF9OMoiv7C@jasmine.lan
On Mon, Apr 12, 2021 at 02:27:51AM +0200, Léo Le Bouter wrote:
> On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> > On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > > Yeah. Given this report, we could also just build Syncthing with
> > > the
> > > bundled source code, which is freely licensed.
> >
> > I've attached the patch.
>
> I tested this patch on my system, works great with the syncthing
> service also. LGTM from me.

Thanks for the review. Pushed as ed3ef756f521a0df8596a88b66f65b7a1ad99252

Closed