syncthing package is vulnerable to CVE-2021-21404

  • Done
Details
2 participants
  • Leo Famulari
  • Léo Le Bouter
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal
Léo Le Bouter wrote on 7 Apr 2021 00:40
(address . bug-guix@gnu.org)
38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net
CVE-2021-21404 06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.

We still ship 1.5.0, we crucially need to update that *very* useful
networked daemon package. With the new go importer maybe that's easier.
Also work in the go build system needs to happen IIRC.

Previous discussion about updating syncthing:
https://issues.guix.gnu.org/45476

Léo

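The crash class described in the CVE text above comes from trusting a signed length field before using it to size a buffer: in Go, `make([]byte, n)` with a negative `n` panics, which takes down the process. The following is an added example, not Syncthing's or Guix's own code, showing a length-prefixed message reader that validates the length field (negative and oversized values) before allocating or reading. The 12-byte header layout (magic, type, signed length), the magic constant and the `maxMessage` bound are assumptions constructed for this example and are not the real relay wire format.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed header layout for this example: 4-byte magic, 4-byte message
// type and 4-byte signed message length, all big-endian. This is a
// simplification, not the real Syncthing relay protocol.
const (
	headerSize        = 12
	magic      uint32 = 0x9E79BC40 // constructed value, not a real protocol magic
	maxMessage        = 1 << 20    // hypothetical upper bound on a message body
)

var (
	ErrBadMagic       = errors.New("relay: bad magic")
	ErrNegativeLength = errors.New("relay: negative message length")
	ErrTooLarge       = errors.New("relay: message length exceeds limit")
)

// Message is one decoded frame.
type Message struct {
	Type int32
	Body []byte
}

// ReadMessage parses one length-prefixed message from r. The length
// field is validated before it reaches make() or io.ReadFull, so a
// peer sending a negative or huge length gets an error instead of
// crashing the reader or forcing a large allocation.
func ReadMessage(r io.Reader) (Message, error) {
	var hdr [headerSize]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return Message{}, err
	}
	if binary.BigEndian.Uint32(hdr[0:4]) != magic {
		return Message{}, ErrBadMagic
	}
	typ := int32(binary.BigEndian.Uint32(hdr[4:8]))
	length := int32(binary.BigEndian.Uint32(hdr[8:12]))
	// A signed length can be negative; without this check,
	// make([]byte, length) panics with "len out of range".
	if length < 0 {
		return Message{}, ErrNegativeLength
	}
	// Bound the allocation so a peer cannot request gigabytes.
	if length > maxMessage {
		return Message{}, ErrTooLarge
	}
	body := make([]byte, length)
	if _, err := io.ReadFull(r, body); err != nil {
		return Message{}, err
	}
	return Message{Type: typ, Body: body}, nil
}

// encode builds a frame with the assumed header; it is used here only
// to construct sample inputs, including deliberately malformed ones.
func encode(typ, length int32, body []byte) []byte {
	var hdr [headerSize]byte
	binary.BigEndian.PutUint32(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], uint32(typ))
	binary.BigEndian.PutUint32(hdr[8:12], uint32(length))
	return append(hdr[:], body...)
}

// ParseFrame decodes a complete in-memory frame.
func ParseFrame(frame []byte) (Message, error) {
	return ReadMessage(bytes.NewReader(frame))
}

func main() {
	// Constructed sample frames: one well-formed, one with length -1.
	m, err := ParseFrame(encode(1, 5, []byte("hello")))
	fmt.Println(m, err)
	_, err = ParseFrame(encode(1, -1, nil))
	fmt.Println(err)
}
```

The same shape of check applies on both sides of the relay exchange the CVE mentions: the relay server reading client messages and the client reading the relay's replies each need to validate the length before acting on it.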

Léo Le Bouter wrote on 7 Apr 2021 00:41
(address . control@debbugs.gnu.org)
e680139bcfbd4cb950c09bd4bb6c82d109a89707.camel@zaclys.net
tags 47627 + security
quit


Leo Famulari wrote on 7 Apr 2021 00:51
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47627@debbugs.gnu.org)
YGzmAwp2zOS9lTD6@jasmine.lan
On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-21404 06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
>
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
>
> Previous discussion about updating syncthing:
> https://issues.guix.gnu.org/45476

Yeah. Given this report, we could also just build Syncthing with the
bundled source code, which is freely licensed.


Leo Famulari wrote on 9 Apr 2021 02:01
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47627@debbugs.gnu.org)
YG+ZVl0SMWko4LOJ@jasmine.lan
On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.

I've attached the patch.


Léo Le Bouter wrote on 12 Apr 2021 02:27
1594339afcb287329f672249f6ae8ad89e8dbba3.camel@zaclys.net
On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > Yeah. Given this report, we could also just build Syncthing with
> > the
> > bundled source code, which is freely licensed.
>
> I've attached the patch.

I tested this patch on my system, works great with the syncthing
service also. LGTM from me.


Leo Famulari wrote on 12 Apr 2021 03:54
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47627-done@debbugs.gnu.org)
YHOobxPF9OMoiv7C@jasmine.lan
On Mon, Apr 12, 2021 at 02:27:51AM +0200, Léo Le Bouter wrote:
> On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> > On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > > Yeah. Given this report, we could also just build Syncthing with
> > > the
> > > bundled source code, which is freely licensed.
> >
> > I've attached the patch.
>
> I tested this patch on my system, works great with the syncthing
> service also. LGTM from me.

Thanks for the review. Pushed as
ed3ef756f521a0df8596a88b66f65b7a1ad99252


Closed