syncthing package is vulnerable to CVE-2021-21404

Done. Submitted by Léo Le Bouter.
Details
2 participants
  • Leo Famulari
  • Léo Le Bouter
Owner
unassigned
Severity
normal
Léo Le Bouter wrote on 7 Apr 2021 00:40
(address . bug-guix@gnu.org)
38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net
CVE-2021-21404 06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.

We still ship 1.5.0; we crucially need to update that *very* useful
networked daemon package. With the new go importer maybe that's easier.
Also work in the go build system needs to happen IIRC.

Previous discussion about updating syncthing:
https://issues.guix.gnu.org/45476
Léo


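The flaw described in the CVE text above (a relay message whose signed length field is negative, used directly as an allocation size) as an added, simplified Go example; this is not Syncthing's code. The frame layout (big-endian int32 length, then payload) and the maxMessageLen bound are assumptions for the demonstration, not Syncthing's real wire format.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Assumed upper bound on one relay message; not Syncthing's real constant.
const maxMessageLen = 64 * 1024

func readLength(r io.Reader) (int32, error) {
	var n int32 // signed on purpose: XDR-style headers carry int32 lengths
	err := binary.Read(r, binary.BigEndian, &n)
	return n, err
}

// Bug class from the CVE text: the signed length is trusted as an allocation
// size, so a negative value panics and the whole process exits.
func readFrameUnchecked(r io.Reader) ([]byte, error) {
	n, err := readLength(r)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, n) // panics when n < 0: the crash described in the CVE
	_, err = io.ReadFull(r, buf)
	return buf, err
}

// Hardened form: reject negative and oversized lengths before allocating.
func readFrameChecked(r io.Reader) ([]byte, error) {
	n, err := readLength(r)
	if err != nil {
		return nil, err
	}
	if n < 0 || n > maxMessageLen {
		return nil, fmt.Errorf("invalid message length %d", n)
	}
	buf := make([]byte, n)
	_, err = io.ReadFull(r, buf)
	return buf, err
}

func main() {
	bad := []byte{0xff, 0xff, 0xff, 0xff} // constructed header: int32 -1
	_, err := readFrameChecked(bytes.NewReader(bad))
	fmt.Println("checked:", err)
	readFrameUnchecked(bytes.NewReader(bad)) // panics: makeslice: len out of range
}
```

Running it prints the rejection from the checked reader first, then the unchecked reader terminates the program with a runtime panic, which is the behaviour a pre-1.15.0 strelaysrv showed on such a message.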
Léo Le Bouter wrote on 7 Apr 2021 00:41
(address . control@debbugs.gnu.org)
e680139bcfbd4cb950c09bd4bb6c82d109a89707.camel@zaclys.net
tags 47627 + security
quit


Leo Famulari wrote on 7 Apr 2021 00:51
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47627@debbugs.gnu.org)
YGzmAwp2zOS9lTD6@jasmine.lan
On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-21404 06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
>
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
>
> Previous discussion about updating syncthing:
> https://issues.guix.gnu.org/45476

Yeah. Given this report, we could also just build Syncthing with the
bundled source code, which is freely licensed.


Leo Famulari wrote on 9 Apr 2021 02:01
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47627@debbugs.gnu.org)
YG+ZVl0SMWko4LOJ@jasmine.lan
On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.

I've attached the patch.
From 86a8d8d9f628ba8dde5d5e3382e56bf83dd4fb1b Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 10 Dec 2020 14:47:10 -0500
Subject: [PATCH] gnu: Syncthing: Update to 1.15.1 [fixes CVE-2021-21404].

* gnu/packages/syncthing.scm (syncthing): Update to 1.15.1.
[source]: Use bundled dependencies.
[inputs]: Remove field.
[arguments]: Adjust the custom 'build' and 'install' phases for 1.15.1.
---
gnu/packages/syncthing.scm | 72 +++++---------------------------------
1 file changed, 8 insertions(+), 64 deletions(-)

diff --git a/gnu/packages/syncthing.scm b/gnu/packages/syncthing.scm
index eb6cb7b4e3..e490c41905 100644
--- a/gnu/packages/syncthing.scm
+++ b/gnu/packages/syncthing.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016 Petter <petter@mykolab.ch>
-;;; Copyright © 2016, 2017, 2018, 2019, 2020 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2020 Efraim Flashner <efraim@flashner.co.il>
 ;;; Copyright © 2020 Giacomo Leidi <goodoldpaul@autistici.org>
@@ -44,7 +44,7 @@
 (define-public syncthing
   (package
     (name "syncthing")
-    (version "1.5.0")
+    (version "1.15.1")
     (source (origin
               (method url-fetch)
               (uri (string-append "https://github.com/syncthing/syncthing"
@@ -52,68 +52,12 @@
                                   "/syncthing-source-v" version ".tar.gz"))
               (sha256
                (base32
-                "1394b8y4nllihnjngc0kjpdy7pvyh6v1h09hkn8rdmwxpsdkqkjb"))
-              (modules '((guix build utils)))
-              ;; Delete bundled ("vendored") free software source code.
-              (snippet '(begin
-                          (delete-file-recursively "vendor")
-                          #t))))
+                "04b90zwinl7frxrpjliq41mkbhpnkszmhdc5j2vbqwyhd82warxq"))))
     (build-system go-build-system)
     ;; The primary Syncthing executable goes to "out", while the auxiliary
     ;; server programs and utility tools go to "utils".  This reduces the size
     ;; of "out" by ~80 MiB.
     (outputs '("out" "utils"))
-    ;; When updating Syncthing, check 'go.mod' in the source distribution to
-    ;; ensure we are using the correct versions of these dependencies.
-    (inputs
-     `(("go-github-com-jackpal-go-nat-pmp"
-        ,go-github-com-jackpal-go-nat-pmp)
-       ("go-github-com-bkaradzic-go-lz4" ,go-github-com-bkaradzic-go-lz4)
-       ("go-github-com-calmh-xdr" ,go-github-com-calmh-xdr)
-       ("go-github-com-chmduquesne-rollinghash"
-        ,go-github-com-chmduquesne-rollinghash)
-       ("go-github-com-gobwas-glob" ,go-github-com-gobwas-glob)
-       ("go-github-com-golang-groupcache-lru"
-        ,go-github-com-golang-groupcache-lru)
-       ("go-github-com-jackpal-gateway" ,go-github-com-jackpal-gateway)
-       ("go-github-com-kballard-go-shellquote"
-        ,go-github-com-kballard-go-shellquote)
-       ("go-github-com-lib-pq" ,go-github-com-lib-pq)
-       ("go-github-com-minio-sha256-simd" ,go-github-com-minio-sha256-simd)
-       ("go-github-com-oschwald-geoip2-golang"
-        ,go-github-com-oschwald-geoip2-golang)
-       ("go-github-com-pkg-errors" ,go-github-com-pkg-errors)
-       ("go-github-com-rcrowley-go-metrics" ,go-github-com-rcrowley-go-metrics)
-       ("go-github-com-sasha-s-go-deadlock" ,go-github-com-sasha-s-go-deadlock)
-       ("go-github-com-syncthing-notify" ,go-github-com-syncthing-notify)
-       ("go-github-com-syndtr-goleveldb" ,go-github-com-syndtr-goleveldb)
-       ("go-github-com-thejerf-suture" ,go-github-com-thejerf-suture)
-       ("go-golang-org-x-time" ,go-golang-org-x-time)
-       ("go-github-com-go-ldap-ldap" ,go-github-com-go-ldap-ldap)
-       ("go-github-com-gogo-protobuf" ,go-github-com-gogo-protobuf)
-       ("go-github-com-shirou-gopsutil" ,go-github-com-shirou-gopsutil)
-       ("go-github-com-prometheus-client-golang"
-        ,go-github-com-prometheus-client-golang)
-       ("go-golang-org-x-net" ,go-golang-org-x-net)
-       ("go-golang-org-x-text" ,go-golang-org-x-text)
-       ("go-github-com-audriusbutkevicius-recli"
-        ,go-github-com-audriusbutkevicius-recli)
-       ("go-github-com-urfave-cli" ,go-github-com-urfave-cli)
-       ("go-github-com-vitrun-qart" ,go-github-com-vitrun-qart)
-       ("go-github-com-mattn-go-isatty" ,go-github-com-mattn-go-isatty)
-       ("go-golang-org-x-crypto" ,go-golang-org-x-crypto)
-       ("go-github-com-flynn-archive-go-shlex"
-        ,go-github-com-flynn-archive-go-shlex)
-       ("go-github-com-getsentry-raven-go" ,go-github-com-getsentry-raven-go)
-       ("go-github-com-maruel-panicparse" ,go-github-com-maruel-panicparse)
-       ("go-github-com-ccding-go-stun" ,go-github-com-ccding-go-stun)
-       ("go-github-com-audriusbutkevicius-pfilter" ,go-github-com-audriusbutkevicius-pfilter)
-       ("go-github-com-lucas-clemente-quic-go" ,go-github-com-lucas-clemente-quic-go)
-       ("go-github-com-willf-bloom" ,go-github-com-willf-bloom)
-
-       ;; For tests.
-       ("go-github-com-d4l3k-messagediff" ,go-github-com-d4l3k-messagediff)))
-
     (arguments
      `(#:modules ((srfi srfi-26) ; for cut
                   (guix build utils)
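Review bot: the removed snippet's comment ("Delete bundled ("vendored") free software source code.") is not replaced by anything stating that the vendor/ directory is now kept on purpose, so the next updater may well reinstate the deletion. Suggest a short comment on the `source` field, e.g. `;; Build with the bundled "vendor" directory: it is freely licensed and matches upstream's go.mod.` It would also help to say in the commit message that, with the `inputs` list gone, the vendored Go modules are no longer separate Guix packages, so fixes to them now reach users only through new Syncthing releases.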
@@ -136,8 +80,8 @@
                ;; updater and to build the utilities is to "build all" and then
                ;; "build syncthing" again with -no-upgrade.
                ;; https://github.com/syncthing/syncthing/issues/6118
-               (invoke "go" "run" "build.go" "build" "all")
-               (delete-file "syncthing")
+               (invoke "go" "run" "build.go")
+               (delete-file "bin/syncthing")
                (invoke "go" "run" "build.go" "-no-upgrade" "build" "syncthing"))))
 
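Review bot: the comment kept at the top of this hunk still describes the old sequence ("build all" and then "build syncthing" again with -no-upgrade), but the new first call is `(invoke "go" "run" "build.go")` with no "build" "all" arguments, and the file deleted afterwards moved from "syncthing" to "bin/syncthing". Update the comment to say that build.go's default action now builds everything into bin/, so the reason for the second -no-upgrade build stays clear to the next reader.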
          (replace 'check
@@ -149,10 +93,10 @@
            (lambda* (#:key outputs #:allow-other-keys)
              (let ((out (assoc-ref outputs "out"))
                    (utils (assoc-ref outputs "utils")))
-               (with-directory-excursion "src/github.com/syncthing/syncthing"
-                 (install-file "syncthing" (string-append out "/bin"))
+               (with-directory-excursion "src/github.com/syncthing/syncthing/bin"
+                 (install-file "../syncthing" (string-append out "/bin"))
                  (for-each (cut install-file <> (string-append utils "/bin/"))
-                           '("stcli" "stcompdirs" "stcrashreceiver"
+                           '("stcompdirs" "stcrashreceiver"
                              "stdisco" "stdiscosrv" "stevents" "stfileinfo"
                              "stfinddevice" "stfindignored" "stgenfiles"
                              "stindex" "strelaypoolsrv" "strelaysrv" "stsigtool"
-- 
2.31.1


Léo Le Bouter wrote on 12 Apr 2021 02:27
1594339afcb287329f672249f6ae8ad89e8dbba3.camel@zaclys.net
On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > Yeah. Given this report, we could also just build Syncthing with
> > the
> > bundled source code, which is freely licensed.
>
> I've attached the patch.

I tested this patch on my system; it works great with the syncthing
service also. LGTM from me.


Leo Famulari wrote on 12 Apr 2021 03:54
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47627-done@debbugs.gnu.org)
YHOobxPF9OMoiv7C@jasmine.lan
On Mon, Apr 12, 2021 at 02:27:51AM +0200, Léo Le Bouter wrote:
> On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> > On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > > Yeah. Given this report, we could also just build Syncthing with
> > > the
> > > bundled source code, which is freely licensed.
> >
> > I've attached the patch.
>
> I tested this patch on my system, works great with the syncthing
> service also. LGTM from me.

Thanks for the review. Pushed as
ed3ef756f521a0df8596a88b66f65b7a1ad99252

