GNU bug report logs - #47627
syncthing package is vulnerable to CVE-2021-21404

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Reported by: Léo Le Bouter <lle-bout@HIDDEN>; Keywords: security; dated Tue, 6 Apr 2021 22:41:02 UTC; Maintainer for guix is bug-guix@HIDDEN.
Added tag(s) security. Request was from Léo Le Bouter <lle-bout@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 6 Apr 2021 22:40:27 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Tue Apr 06 18:40:26 2021
Received: from localhost ([127.0.0.1]:42233 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lTuN0-0000t4-MV
	for submit <at> debbugs.gnu.org; Tue, 06 Apr 2021 18:40:26 -0400
Received: from lists.gnu.org ([209.51.188.17]:56080)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@HIDDEN>) id 1lTuMy-0000sw-SK
 for submit <at> debbugs.gnu.org; Tue, 06 Apr 2021 18:40:25 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:58724)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lTuMx-0007Sh-Fa
 for bug-guix@HIDDEN; Tue, 06 Apr 2021 18:40:24 -0400
Received: from mail.zaclys.net ([178.33.93.72]:36723)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@HIDDEN>)
 id 1lTuMo-00040e-H3
 for bug-guix@HIDDEN; Tue, 06 Apr 2021 18:40:23 -0400
Received: from [192.168.1.115] (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 136Me9ob008145
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@HIDDEN>; Wed, 7 Apr 2021 00:40:09 +0200
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 136Me9ob008145
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@HIDDEN
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1617748809;
 bh=gq1aCB/ajQ92WI8YN4k0uwKMGI+zbv5NAuIZw6t6dDo=;
 h=Subject:From:To:Date:From;
 b=IQacYDQznfI9VFy8zkeLUrodZClm2qinyyE/44wZXpztAYX7f5I1bEeozr25vx3Le
 uDiPHuwWxuVYd28Upbyu395lZ0hsVlJtqXiJknlN/nv5Z6NwAojZlkm/TcK8H5B2w9
 NIcOr7nG9YmgnY/TOseAO8KX9iBAYJgUvBZQoJpo=
Message-ID: <38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@HIDDEN>
Subject: syncthing package is vulnerable to CVE-2021-21404
From: =?ISO-8859-1?Q?L=E9o?= Le Bouter <lle-bout@HIDDEN>
To: bug-guix@HIDDEN
Date: Wed, 07 Apr 2021 00:40:03 +0200
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-OqnRjtrBkMTSY/RlyOLS"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@HIDDEN;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.5 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: CVE-2021-21404 06.04.21 22:15 Syncthing is a continuous file
 synchronization program. In Syncthing before version 1.15.0, the relay server
 `strelaysrv` can be caused to crash and exit by sending a rel [...] 
 Content analysis details:   (1.5 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
 medium trust [209.51.188.17 listed in list.dnswl.org]
 0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
 [209.51.188.17 listed in wl.mailspike.net]
 0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.8 MAY_BE_FORGED          Relay IP's reverse DNS does not resolve to IP
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)


--=-OqnRjtrBkMTSY/RlyOLS
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

CVE-2021-21404	06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.

We still ship 1.5.0, we crucially need to update that *very* useful
networked daemon package. With the new go importer maybe that's easier.
Also work in the go build system needs to happen IIRC.

Previous discussion about updating syncthing:=20
https://issues.guix.gnu.org/45476

L=C3=A9o

--=-OqnRjtrBkMTSY/RlyOLS
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBs40MACgkQRaix6GvN
EKaxnA/7BcM43O5eKXtzPLXkleZi2pMG1MYsvPjTCjabTJLOtPGzJES8bTAssC7n
4l0R4YIw03H7SvRLvpUJCTxpcHRr56HOcaOHBnkad4C0L1pdIkyZpMS9dzZ3R/E0
m+B1zsEq7o3bxlWhnQKfbaIFfIpC6IV78Nos+pntn2o4ICE7pTM6MuFcAiTw7RoP
1z0jXIh5EXfADwdULVvFAC83ybOOTG4nsdHs4yJbC4uJXcPH1fYRUgFocLNcSd4E
qefsisDCGFMTNZvQLfeBY0mSVxa5LgwOibGLaqoLtfQmBnaGqkRPmZMr3omj81f0
opRyu1/mspBQ+EqcjiSzyK6xw01cKQQQK+EvrBdo2+bRe6VTja4HWZJRqcfahJo3
12K8pQgG4RrN5wLiEj7OaC4RJyC/iZBAu/M/epgKVX39hHu6RIkq1iqKCGodv5XN
U7B3lRwoB/f03uSAfGhHLFlRqgvEhpWeuLkJYHAZd2fW7qh5C8yj/lsxVlerb731
Kz7CUJFp4wytZKrxP201OLElqMLetggVHVbxsqC+AAEO0+aX0Muy+exxI2Exs95/
hTnHo8gTg/LlI11LsMH+T+v0LnzYlMZjIfc0zgy6dEHINapF+mXhf6opY6W07yqC
qVAe7qULiq5+CR63vq5aPkv+LsvNx7ObC7GybJoZbVV4xMwdkac=
=RvYl
-----END PGP SIGNATURE-----

--=-OqnRjtrBkMTSY/RlyOLS--





Acknowledgement sent to Léo Le Bouter <lle-bout@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#47627; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Tue, 6 Apr 2021 22:45:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.