From debbugs-submit-bounces@debbugs.gnu.org Thu Apr 08 20:01:42 2021
Date: Thu, 8 Apr 2021 20:01:26 -0400
From: Leo Famulari
To: Léo Le Bouter via Bug reports for GNU Guix
Subject: Re: bug#47627: syncthing package is vulnerable to CVE-2021-21404
References: <38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net>
Cc: 47627@debbugs.gnu.org

On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.

I've attached the patch.

Attachment: 0001-gnu-Syncthing-Update-to-1.15.1-fixes-CVE-2021-21404.patch

From 86a8d8d9f628ba8dde5d5e3382e56bf83dd4fb1b Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Thu, 10 Dec 2020 14:47:10 -0500
Subject: [PATCH] gnu: Syncthing: Update to 1.15.1 [fixes CVE-2021-21404].

* gnu/packages/syncthing.scm (syncthing): Update to 1.15.1.
[source]: Use bundled dependencies.
[inputs]: Remove field.
[arguments]: Adjust the custom 'build' and 'install' phases for 1.15.1.
---
 gnu/packages/syncthing.scm | 72 +++++--------------------------------
 1 file changed, 8 insertions(+), 64 deletions(-)
diff --git a/gnu/packages/syncthing.scm b/gnu/packages/syncthing.scm index eb6cb7b4e3..e490c41905 100644 --- a/gnu/packages/syncthing.scm +++ b/gnu/packages/syncthing.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =A9 2016 Petter -;;; Copyright =A9 2016, 2017, 2018, 2019, 2020 Leo Famulari +;;; Copyright =A9 2016, 2017, 2018, 2019, 2020, 2021 Leo Famulari ;;; Copyright =A9 2020 Tobias Geerinckx-Rice ;;; Copyright =A9 2020 Efraim Flashner ;;; Copyright =A9 2020 Giacomo Leidi @@ -44,7 +44,7 @@ (define-public syncthing (package (name "syncthing") - (version "1.5.0") + (version "1.15.1") (source (origin (method url-fetch) (uri (string-append "https://github.com/syncthing/syncthing" 
@@ -52,68 +52,12 @@ "/syncthing-source-v" version ".tar.gz")) (sha256 (base32 - "1394b8y4nllihnjngc0kjpdy7pvyh6v1h09hkn8rdmwxpsdkqkjb")) - (modules '((guix build utils))) - ;; Delete bundled ("vendored") free software source code. - (snippet '(begin - (delete-file-recursively "vendor") - #t)))) + "04b90zwinl7frxrpjliq41mkbhpnkszmhdc5j2vbqwyhd82warxq")))) (build-system go-build-system) ;; The primary Syncthing executable goes to "out", while the auxiliary ;; server programs and utility tools go to "utils". This reduces the = size ;; of "out" by ~80 MiB. (outputs '("out" "utils")) - ;; When updating Syncthing, check 'go.mod' in the source distribution = to - ;; ensure we are using the correct versions of these dependencies. - (inputs - `(("go-github-com-jackpal-go-nat-pmp" - ,go-github-com-jackpal-go-nat-pmp) - ("go-github-com-bkaradzic-go-lz4" ,go-github-com-bkaradzic-go-lz4) - ("go-github-com-calmh-xdr" ,go-github-com-calmh-xdr) - ("go-github-com-chmduquesne-rollinghash" - ,go-github-com-chmduquesne-rollinghash) - ("go-github-com-gobwas-glob" ,go-github-com-gobwas-glob) - ("go-github-com-golang-groupcache-lru" - ,go-github-com-golang-groupcache-lru) - ("go-github-com-jackpal-gateway" ,go-github-com-jackpal-gateway) - ("go-github-com-kballard-go-shellquote" - ,go-github-com-kballard-go-shellquote) - ("go-github-com-lib-pq" ,go-github-com-lib-pq) - ("go-github-com-minio-sha256-simd" ,go-github-com-minio-sha256-simd) - ("go-github-com-oschwald-geoip2-golang" - ,go-github-com-oschwald-geoip2-golang) - ("go-github-com-pkg-errors" ,go-github-com-pkg-errors) - ("go-github-com-rcrowley-go-metrics" ,go-github-com-rcrowley-go-met= rics) - ("go-github-com-sasha-s-go-deadlock" ,go-github-com-sasha-s-go-dead= lock) - ("go-github-com-syncthing-notify" ,go-github-com-syncthing-notify) - ("go-github-com-syndtr-goleveldb" ,go-github-com-syndtr-goleveldb) - ("go-github-com-thejerf-suture" ,go-github-com-thejerf-suture) - ("go-golang-org-x-time" ,go-golang-org-x-time) - 
("go-github-com-go-ldap-ldap" ,go-github-com-go-ldap-ldap) - ("go-github-com-gogo-protobuf" ,go-github-com-gogo-protobuf) - ("go-github-com-shirou-gopsutil" ,go-github-com-shirou-gopsutil) - ("go-github-com-prometheus-client-golang" - ,go-github-com-prometheus-client-golang) - ("go-golang-org-x-net" ,go-golang-org-x-net) - ("go-golang-org-x-text" ,go-golang-org-x-text) - ("go-github-com-audriusbutkevicius-recli" - ,go-github-com-audriusbutkevicius-recli) - ("go-github-com-urfave-cli" ,go-github-com-urfave-cli) - ("go-github-com-vitrun-qart" ,go-github-com-vitrun-qart) - ("go-github-com-mattn-go-isatty" ,go-github-com-mattn-go-isatty) - ("go-golang-org-x-crypto" ,go-golang-org-x-crypto) - ("go-github-com-flynn-archive-go-shlex" - ,go-github-com-flynn-archive-go-shlex) - ("go-github-com-getsentry-raven-go" ,go-github-com-getsentry-raven-= go) - ("go-github-com-maruel-panicparse" ,go-github-com-maruel-panicparse) - ("go-github-com-ccding-go-stun" ,go-github-com-ccding-go-stun) - ("go-github-com-audriusbutkevicius-pfilter" ,go-github-com-audriusb= utkevicius-pfilter) - ("go-github-com-lucas-clemente-quic-go" ,go-github-com-lucas-clemen= te-quic-go) - ("go-github-com-willf-bloom" ,go-github-com-willf-bloom) - - ;; For tests. - ("go-github-com-d4l3k-messagediff" ,go-github-com-d4l3k-messagediff= ))) - (arguments `(#:modules ((srfi srfi-26) ; for cut (guix build utils) @@ -136,8 +80,8 @@ ;; updater and to build the utilities is to "build all" and= then ;; "build syncthing" again with -no-upgrade. ;; https://github.com/syncthing/syncthing/issues/6118 - (invoke "go" "run" "build.go" "build" "all") - (delete-file "syncthing") + (invoke "go" "run" "build.go") + (delete-file "bin/syncthing") (invoke "go" "run" "build.go" "-no-upgrade" "build" "syncth= ing")))) =20 (replace 'check 
@@ -149,10 +93,10 @@ (lambda* (#:key outputs #:allow-other-keys) (let ((out (assoc-ref outputs "out")) (utils (assoc-ref outputs "utils"))) - (with-directory-excursion "src/github.com/syncthing/syncthi= ng" - (install-file "syncthing" (string-append out "/bin")) + (with-directory-excursion "src/github.com/syncthing/syncthi= ng/bin" + (install-file "../syncthing" (string-append out "/bin")) (for-each (cut install-file <> (string-append utils "/bin= /")) - '("stcli" "stcompdirs" "stcrashreceiver" + '("stcompdirs" "stcrashreceiver" "stdisco" "stdiscosrv" "stevents" "stfileinfo" "stfinddevice" "stfindignored" "stgenfiles" "stindex" "strelaypoolsrv" "strelaysrv" "stsi= gtool" --=20 2.31.1
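Review bot: In the @@ -52,68 +52,12 @@ hunk, dropping the (modules ...)/(snippet ...) pair that deleted "vendor" together with the comment "When updating Syncthing, check 'go.mod' in the source distribution to ensure we are using the correct versions of these dependencies" leaves the file with no statement of why the bundled dependency sources are now compiled in, and the 37 go-* inputs removed in the same hunk were the only place their versions were visible to Guix tooling: whatever `guix lint -c cve` reports for those library packages no longer says anything about what is linked into syncthing. Suggest a short comment above (source ...) recording that the vendored modules are used on purpose, that their licensing was checked (the thread says it is free), and that advisories against them are now covered only through Syncthing's own releases; the commit message would also benefit from saying this rather than only "[source]: Use bundled dependencies.".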
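Review bot: In the @@ -136,8 +80,8 @@ hunk the unchanged comment above the replaced lines still says the only way to get the updater and build the utilities is to "build all" and then "build syncthing" again with -no-upgrade, but the first invocation is now `(invoke "go" "run" "build.go")` with no "build" "all" arguments, so the comment no longer describes the code; either pass the explicit target or update the comment to say that build.go's default target is relied on and what it produces. The second invocation `(invoke "go" "run" "build.go" "-no-upgrade" "build" "syncthing")` evidently writes somewhere other than the first (the delete-file moved to "bin/syncthing" while the install phase picks up "../syncthing" from inside bin/), and that asymmetry deserves a line in the same comment.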
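Review bot: In the @@ -149,10 +93,10 @@ hunk "stcli" is silently dropped from the list of utilities installed into the "utils" output, while the commit message only says the 'install' phase was adjusted for 1.15.1; record in the ChangeLog entry that stcli is no longer installed (and whether 1.15.1 no longer builds it) so users of the utils output are not surprised. Stylistically, entering ".../syncthing/bin" and then installing "../syncthing" reads backwards; staying in the source root and mapping the utility names through (string-append "bin/" name) inside the for-each would let both install-file calls read naturally.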
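The patch above switches the package from separately declared Go inputs to the dependencies bundled in the 1.15.1 tarball and removes the reminder to check them against go.mod. The following Go program is an added example written for this page, not code from the patch, from Syncthing or from Guix: it applies the check the removed comment asked for to the vendored tree instead, parsing go.mod and vendor/modules.txt (the file `go mod vendor` writes, with "## explicit" marking modules that go.mod requires directly), reporting every disagreement between them, and returning the vendored module list a packager would run through advisory lookups now that Guix no longer names those modules. The sample go.mod and modules.txt are constructed: the module paths are ones the old package listed as inputs, the versions are invented, and the two mismatches are there to exercise both directions of the check.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// VendoredModule is one "# path version" header of vendor/modules.txt; Explicit records a "## explicit" marker.
type VendoredModule struct {
	Version  string
	Explicit bool
}

// ParseModulesTxt reads the module headers of vendor/modules.txt. Package lines
// are skipped; a "=>" replacement keeps the original version that go.mod names.
func ParseModulesTxt(text string) map[string]VendoredModule {
	mods, current := map[string]VendoredModule{}, ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "## explicit") && current != "" {
			mods[current] = VendoredModule{Version: mods[current].Version, Explicit: true}
		} else if f := strings.Fields(line); len(f) > 1 && f[0] == "#" {
			current = f[1]
			mods[current] = VendoredModule{}
			if len(f) > 2 && f[2] != "=>" {
				mods[current] = VendoredModule{Version: f[2]}
			}
		}
	}
	return mods
}

// ParseGoMod collects the require block of a go.mod; "// indirect" comments are dropped, other directives ignored.
func ParseGoMod(text string) map[string]string {
	req, inBlock := map[string]string{}, false
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(strings.SplitN(sc.Text(), "//", 2)[0])
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			req[f[0]] = f[1]
		}
	}
	return req
}

// Discrepancies lists what the go command rejects under -mod=vendor: explicit vendored modules
// go.mod lacks, versions that differ, and go.mod requirements with no explicit vendor entry.
func Discrepancies(gomod map[string]string, vendored map[string]VendoredModule) []string {
	var out []string
	for path, vm := range vendored {
		want, ok := gomod[path]
		switch {
		case !vm.Explicit: // transitive module: inventoried, not compared
		case !ok:
			out = append(out, path+": explicit in vendor/modules.txt but not in go.mod")
		case want != vm.Version:
			out = append(out, fmt.Sprintf("%s: go.mod %s, vendor/modules.txt %s", path, want, vm.Version))
		}
	}
	for path, want := range gomod {
		if vm, ok := vendored[path]; !ok || !vm.Explicit {
			out = append(out, path+" "+want+": in go.mod but not explicit in vendor/modules.txt")
		}
	}
	sort.Strings(out)
	return out
}

// Constructed samples: module paths the old package listed as separate inputs,
// with made-up versions; lib/pq disagrees and goleveldb is missing from vendor/.
const sampleGoMod = `module github.com/syncthing/syncthing
require (
	github.com/calmh/xdr v1.1.0
	github.com/lib/pq v1.2.0 // indirect
	github.com/syndtr/goleveldb v1.0.0
)`

const sampleModulesTxt = `# github.com/calmh/xdr v1.1.0
## explicit
github.com/calmh/xdr
# github.com/lib/pq v1.3.0
## explicit
github.com/lib/pq
# github.com/vitrun/qart v0.1.0
github.com/vitrun/qart/coding`

func main() {
	vendored := ParseModulesTxt(sampleModulesTxt) // keys and versions: the list for advisory lookups
	fmt.Println("vendored:", len(vendored), "modules; discrepancies:", Discrepancies(ParseGoMod(sampleGoMod), vendored))
}
```

Swap the constants for the contents of the two files in the unpacked source tarball. Since Go 1.14 the go command performs this consistency check itself when a vendor directory is present and fails the build on any mismatch, so on a clean release the discrepancy list should be empty; the vendored module inventory is the part the toolchain does not hand you.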