GNU bug report logs - #47627
syncthing package is vulnerable to CVE-2021-21404


Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Tue, 6 Apr 2021 22:41:02 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#47627; Package guix. (Tue, 06 Apr 2021 22:41:02 GMT)

Acknowledgement sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 06 Apr 2021 22:41:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: syncthing package is vulnerable to CVE-2021-21404
Date: Wed, 07 Apr 2021 00:40:03 +0200
[Message part 1 (text/plain, inline)]
CVE-2021-21404	06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.

We still ship 1.5.0; we crucially need to update that *very* useful
networked daemon package. With the new Go importer maybe that's easier.
Also, work in the Go build system needs to happen, IIRC.

Previous discussion about updating syncthing: 
https://issues.guix.gnu.org/45476

Léo
[signature.asc (application/pgp-signature, inline)]
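The failure mode in the advisory text above is a length-prefixed framing bug: a signed length field is read off the wire and handed straight to an allocation, so a negative value panics the Go runtime and, since the panic is not recovered, the relay server (or the client joining a malicious relay) exits. The following is an added illustration of that bug class beside its hardened form; it is not Syncthing's relay protocol code nor the Guix patch. The header layout, the magic constant, the size cap and the sample frames are all assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Illustrative framing, assumed for this example (not Syncthing's actual
// relay protocol): a big-endian header of three 32-bit fields followed by
// MessageLength bytes of payload. The length is SIGNED, which is what lets a
// remote peer send a negative value.
type header struct {
	Magic         uint32
	MessageType   int32
	MessageLength int32
}

// magic is a constructed value for the example, not the real protocol constant.
const magic uint32 = 0x9E79BC40

// maxMessageLength is an illustrative cap. The CVE text only describes the
// negative case, but an unbounded positive length feeds the same allocation.
const maxMessageLength int32 = 1 << 20

var (
	errMagic  = errors.New("relay: magic mismatch")
	errLength = errors.New("relay: invalid message length")
)

// readMessageVulnerable shows the bug class: the signed length goes straight
// into make(). A negative value panics with "makeslice: len out of range",
// and an unrecovered panic terminates the whole process.
func readMessageVulnerable(r io.Reader) (header, []byte, error) {
	var h header
	if err := binary.Read(r, binary.BigEndian, &h); err != nil {
		return h, nil, err
	}
	if h.Magic != magic {
		return h, nil, errMagic
	}
	buf := make([]byte, h.MessageLength) // panics when MessageLength < 0
	if _, err := io.ReadFull(r, buf); err != nil {
		return h, nil, err
	}
	return h, buf, nil
}

// readMessageHardened validates the length before any allocation happens and
// returns an ordinary error the caller can log and drop the connection on.
func readMessageHardened(r io.Reader) (header, []byte, error) {
	var h header
	if err := binary.Read(r, binary.BigEndian, &h); err != nil {
		return h, nil, err
	}
	if h.Magic != magic {
		return h, nil, errMagic
	}
	if h.MessageLength < 0 || h.MessageLength > maxMessageLength {
		return h, nil, fmt.Errorf("%w: %d", errLength, h.MessageLength)
	}
	buf := make([]byte, h.MessageLength)
	if _, err := io.ReadFull(r, buf); err != nil {
		return h, nil, err
	}
	return h, buf, nil
}

// frame encodes a message, letting the caller put any value in the length
// field so a malformed frame can be constructed for testing.
func frame(msgType, length int32, payload []byte) []byte {
	var b bytes.Buffer
	_ = binary.Write(&b, binary.BigEndian, header{Magic: magic, MessageType: msgType, MessageLength: length})
	b.Write(payload)
	return b.Bytes()
}

// parseSafely runs a reader over wire bytes and reports whether it panicked,
// so the crash can be demonstrated without killing the caller.
func parseSafely(read func(io.Reader) (header, []byte, error), wire []byte) (err error, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
			panicked = true
		}
	}()
	_, _, err = read(bytes.NewReader(wire))
	return err, false
}

func main() {
	malicious := frame(1, -1, nil) // constructed frame with a negative length field
	err, panicked := parseSafely(readMessageVulnerable, malicious)
	fmt.Printf("vulnerable: panicked=%v err=%v\n", panicked, err)
	err, panicked = parseSafely(readMessageHardened, malicious)
	fmt.Printf("hardened:   panicked=%v err=%v\n", panicked, err)
}
```

The point of the hardened reader is that a bad peer costs one rejected connection instead of a process restart; as the advisory notes, the default restart-on-crash behaviour only mitigates the client side by chance (the next relay pick is likely benign), while a relay server under a stream of such frames would simply crash-loop. The upper bound goes beyond what the CVE text describes and is included because a huge positive length reaches the same `make` call.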

Added tag(s) security. Request was from Léo Le Bouter <lle-bout <at> zaclys.net> to control <at> debbugs.gnu.org. (Tue, 06 Apr 2021 22:42:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#47627; Package guix. (Tue, 06 Apr 2021 22:52:01 GMT)

Message #10 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org>
Cc: 47627 <at> debbugs.gnu.org
Subject: Re: bug#47627: syncthing package is vulnerable to CVE-2021-21404
Date: Tue, 6 Apr 2021 18:51:47 -0400
[Message part 1 (text/plain, inline)]
On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-21404	06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
> 
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
> 
> Previous discussion about updating syncthing: 
> https://issues.guix.gnu.org/45476

Yeah. Given this report, we could also just build Syncthing with the
bundled source code, which is freely licensed.
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#47627; Package guix. (Fri, 09 Apr 2021 00:02:02 GMT)

Message #16 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Léo Le Bouter via Bug reports for GNU Guix <bug-guix <at> gnu.org>
Cc: 47627 <at> debbugs.gnu.org
Subject: Re: bug#47627: syncthing package is vulnerable to CVE-2021-21404
Date: Thu, 8 Apr 2021 20:01:26 -0400
[Message part 1 (text/plain, inline)]
On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.

I've attached the patch.
[0001-gnu-Syncthing-Update-to-1.15.1-fixes-CVE-2021-21404.patch (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix <at> gnu.org:
bug#47627; Package guix. (Mon, 12 Apr 2021 00:29:02 GMT)

Message #22 received at 47627 <at> debbugs.gnu.org:

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: Leo Famulari <leo <at> famulari.name>, 47627 <at> debbugs.gnu.org
Subject: Re: bug#47627: syncthing package is vulnerable to CVE-2021-21404
Date: Mon, 12 Apr 2021 02:27:51 +0200
[Message part 1 (text/plain, inline)]
On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > Yeah. Given this report, we could also just build Syncthing with the
> > bundled source code, which is freely licensed.
> 
> I've attached the patch.

I tested this patch on my system, works great with the syncthing
service also. LGTM from me.
[signature.asc (application/pgp-signature, inline)]

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Mon, 12 Apr 2021 01:56:01 GMT)

Notification sent to Léo Le Bouter <lle-bout <at> zaclys.net>:
bug acknowledged by developer. (Mon, 12 Apr 2021 01:56:01 GMT)

Message #27 received at 47627-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Léo Le Bouter <lle-bout <at> zaclys.net>
Cc: 47627-done <at> debbugs.gnu.org
Subject: Re: bug#47627: syncthing package is vulnerable to CVE-2021-21404
Date: Sun, 11 Apr 2021 21:54:55 -0400
[Message part 1 (text/plain, inline)]
On Mon, Apr 12, 2021 at 02:27:51AM +0200, Léo Le Bouter wrote:
> On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> > On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > > Yeah. Given this report, we could also just build Syncthing with the
> > > bundled source code, which is freely licensed.
> > 
> > I've attached the patch.
> 
> I tested this patch on my system, works great with the syncthing
> service also. LGTM from me.

Thanks for the review. Pushed as
ed3ef756f521a0df8596a88b66f65b7a1ad99252
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 10 May 2021 11:24:05 GMT)

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.