syncthing package is vulnerable to CVE-2021-21404

  • Done
  • quality assurance status badge
Details
2 participants
  • Leo Famulari
  • Léo Le Bouter
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal

Debbugs page

L
L
Léo Le Bouter wrote on 6 Apr 2021 15:40
(address . bug-guix@gnu.org)
38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net
CVE-2021-21404 06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.

We still ship 1.5.0, we crucially need to update that *very* useful
networked daemon package. With the new go importer maybe that's easier.
Also work in the go build system needs to happen IIRC.

Previous discussion about updating syncthing:

Léo
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBs40MACgkQRaix6GvN
EKaxnA/7BcM43O5eKXtzPLXkleZi2pMG1MYsvPjTCjabTJLOtPGzJES8bTAssC7n
4l0R4YIw03H7SvRLvpUJCTxpcHRr56HOcaOHBnkad4C0L1pdIkyZpMS9dzZ3R/E0
m+B1zsEq7o3bxlWhnQKfbaIFfIpC6IV78Nos+pntn2o4ICE7pTM6MuFcAiTw7RoP
1z0jXIh5EXfADwdULVvFAC83ybOOTG4nsdHs4yJbC4uJXcPH1fYRUgFocLNcSd4E
qefsisDCGFMTNZvQLfeBY0mSVxa5LgwOibGLaqoLtfQmBnaGqkRPmZMr3omj81f0
opRyu1/mspBQ+EqcjiSzyK6xw01cKQQQK+EvrBdo2+bRe6VTja4HWZJRqcfahJo3
12K8pQgG4RrN5wLiEj7OaC4RJyC/iZBAu/M/epgKVX39hHu6RIkq1iqKCGodv5XN
U7B3lRwoB/f03uSAfGhHLFlRqgvEhpWeuLkJYHAZd2fW7qh5C8yj/lsxVlerb731
Kz7CUJFp4wytZKrxP201OLElqMLetggVHVbxsqC+AAEO0+aX0Muy+exxI2Exs95/
hTnHo8gTg/LlI11LsMH+T+v0LnzYlMZjIfc0zgy6dEHINapF+mXhf6opY6W07yqC
qVAe7qULiq5+CR63vq5aPkv+LsvNx7ObC7GybJoZbVV4xMwdkac=
=RvYl
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 6 Apr 2021 15:41
(address . control@debbugs.gnu.org)
e680139bcfbd4cb950c09bd4bb6c82d109a89707.camel@zaclys.net
tags 47627 + security
quit
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBs45MACgkQRaix6GvN
EKa1Gw//a5PF0y7Ohg/8s5eAnRV3YxggYoqZ82Y4PR22+3TEunpD32bLjtAzd1rr
fmvRW2kz37UpHZQYb4NNcv9pJlTCCOaKgQPvitKGTg4vdSBoLFAroUxr7g7lLdpt
14zZuMNwFKuq3TYWaH3P29FopHyTyOrtur9BlfwT0iNYsAUmpL1wF6x6Q67Cl7eN
Zu6VSY7g59spMrvTan+XnwfOON6j528PStl+M9Vkseoe+K1z1ch5hqPEbiMbEqrK
ogKA+ehu/fve6/MhC1dqou7fTGYTLMfSWjkYAxp+1WPfRbz/7B2aSz+iKeydKEbJ
LDPGlhKTNNTTV9zx6lLiAHxKdawXQ/PSvKUEZl1CYU4qSyeb4rA/AW2IkGONhlyG
ivtNOtqadiSmtZ0INdUYytoPcCMhoVjylEOHPOquVlU4YAKQRb+ux8Q5ytIwPR/o
n0cpfGtZlUayZdNRCz7TwrOsPgF8t70OA7SQFD39PaHk2sjtq5S8Pk58E5KnkoXY
1KvGQz7DS6sCkEVwG1EbnRqZ5naJ13I3tQqSNneL8/p1krPvJzykx+uZ9DT743r3
S9xjVLoOyVrg5WtAnxfx3Yse2Iok2xAU10lgKdbXgvuWLr8EP0OwKikCGU7JRz1Q
/vKyU/F90VXrv5EIctyx7ltVqTd9kvNz1PE1jASoZnoEY53E3mM=
=Mlhr
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 6 Apr 2021 15:51
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47627@debbugs.gnu.org)
YGzmAwp2zOS9lTD6@jasmine.lan
On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
Toggle quote (18 lines)
> CVE-2021-21404 06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
>
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
>
> Previous discussion about updating syncthing:
> https://issues.guix.gnu.org/45476

Yeah. Given this report, we could also just build Syncthing with the
bundled source code, which is freely licensed.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmBs5gMACgkQJkb6MLrK
fwiwAg/+IftBGQ7ZdZB31FztYTjpcp/jXBMU2h5Nn/O84Y89NVz+ljHrEcKwt2vV
rY4SsJosD48FBjLK8Aya6u+MhkYB8XFt7g/ed9nS3f+WFa2mupBJv4PAp9v8XwUT
NDwq9fb5CgDic1RqAD7SXFi0QHit0LBf3bK5SvbUEVu93a8ILmACQX78BubPTeMt
eLxCPGFWPrBVEmWzCZtbeJFUE5+bBOIS4N5Dt6HQMt8n1jYckjwUGb9ZNnOu4Sdq
BcgFZyGrTC4Ou2M4+/UMZMGDnG4n3VdPGFKp4nYItU2W9p5ttI3OqIcLhQk/n7To
Omf298qt7AEzFvAQWkLpEJVLzgcTG1C2/6IBf/rijsZdY5jel6NVS3W6gsdYcDV5
+pHoR45+O+OqphVuhTeJgdMf3OteGiKHRovLQ94Ms7y5W/OCtYECUWFgy4H7Dc6O
wT0YRdkIeWA6Tz+0cr4nV35RUfxmqPLb+qBk8JoNpdlPlcQ08M2THbtMwb5v1M0A
XRjwBe2B/1oW/KdxIUWTJsNpEkijQk78eQpGXVnBfsZs0lMzjCswTxhiDnemDFoe
dtf2SD2mWVeyyJ/9BsvzLOK/LfXIiZ4eqEmsE485n+3L3O2fB5yrbcVsHkFsoC3i
49GoeEjrFvxDi2lvsCoIZNzbUlLoeiroo9CLEukJ3X2eaxTe73I=
=uZLu
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 8 Apr 2021 17:01
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)(address . 47627@debbugs.gnu.org)
YG+ZVl0SMWko4LOJ@jasmine.lan
On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
Toggle quote (3 lines)
> Yeah. Given this report, we could also just build Syncthing with the
> bundled source code, which is freely licensed.

I've attached the patch.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmBvmVIACgkQJkb6MLrK
fwiQRRAA8Bsk6FJzmVKvcm8xYBX9L+mdpueohfpTZZ6QHS6QhufJstmViWCjeIzM
dBgzSh2PS9GSx1SNHXXqTd8GaD9wa9/xb+6Yo9bsGT4GKJqZ8a62fBUmWyaj7yFg
IIukLwMr7Mn7aZZ/RWQ53gHdoC4ru7JoO7IbebZlTDGpQ22yEBCVPJDLZU9Yw5xx
87tW5LdkpAWoUK06N7HIQVddj0/PJRdGLTGFk//1Tcv+sGEYzSigeEu7w322+xBm
YebDTeH9EtcRmh/8n4jSn/ydHqInTXU0cWdceeS9gOYguJUCeZlUr1aDwIQCzzla
xBRbcV+OO/mS95gd51cfLVZjhvBPX0T3gLj1dh7JQ7ss/Xsw/wKtP2Ue+IIGr6qc
4gOxeizFi0D7/iXkCHyNalKvYaYNka4JatRBc9ZwPLVCToxT0CKDzbbOKTzH9j2s
rO4rWo+qt1b861qpBXnEfuvJOJDKDTWsy6CE87kMpdRT9dgIum08ZhmHZWtc1YWH
pGx0ZRZgudfTQNlmPGXscbu19j0xiqae8Q1tMe7cUj/eJuiJ8po6n4Oaa72PAWCM
SP9V7zNogYVajDI4mCzsxvxDwJ48P/K79I9BlFuxYWrEXvwdO2pJjtwA4bQJCSIO
R/KX/xk92gfbqjf0D0ZSRGSRtbzgV+uTsDO5NkIIS4GEUb8dwTE=
=flkF
-----END PGP SIGNATURE-----


L
L
Léo Le Bouter wrote on 11 Apr 2021 17:27
1594339afcb287329f672249f6ae8ad89e8dbba3.camel@zaclys.net
On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
Toggle quote (7 lines)
> On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > Yeah. Given this report, we could also just build Syncthing with
> > the
> > bundled source code, which is freely licensed.
>
> I've attached the patch.

I tested this patch on my system, works great with the syncthing
service also. LGTM from me.
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBzlAcACgkQRaix6GvN
EKbWRQ//d/3d2AB+ysC3od88/Tna7CwkaoQlupCLDZhzc0of3AcK2Y2aKsCpiWek
+QGcBD9Aamiu4G5H3rt7tt1Cs3mN9Huf4GyGoq+i9Veqk7K0JC4L1d+BAklfV/un
lr2/UT3MSgWQAttflxHPpj+YxIQt10IjGfiZ1jMXGsA3figD8Q/cmyIwDvmDygmj
POrkSFPijmbvFHDX8hUm7Y5Oss8lpy+p9S39ChRWY60aTfJr3QZ+IpZ42v4E8udd
KucpizY/LybEj++wlqBWErJYaUCBfYXPQ7RnV9ObWUcvm2Xt4LFRBvuhVgDWmGop
sLfGSURRZFFDW1GLOnCJBI7MSrvL7Ur82hv3DPYSOkwgJf5KOvVtuhAqenPME0iB
f+kVPRU2Ax6VNyMIgoIOdnmrbba5vqeRmoBRxgPOZ+3X1IK/T0CG2BvvmQoOWnXn
Bxn5qwZ7kklVPe6saWiorH95eLml5sJMaEyn7o/zLk28t2cB9cLPSukvhf1sAaDz
wNRuFEDty5O10N1GyhkGRyRIK7UeZw40hUZPq3l6ES9frwod+BYjsW/HBk8/pv8W
Pk3bDohF2K6AO/Iz0Wt9BIrmwFaA3scrbNp+dAQ3hZwMGnwJizO3DVvSwYjGXpdf
ZjoKMJS1QVV5fuo9oVnWzNkADlps03ella0CT+cvsaNn7MWrXSo=
=66/c
-----END PGP SIGNATURE-----


L
L
Leo Famulari wrote on 11 Apr 2021 18:54
(name . Léo Le Bouter)(address . lle-bout@zaclys.net)(address . 47627-done@debbugs.gnu.org)
YHOobxPF9OMoiv7C@jasmine.lan
On Mon, Apr 12, 2021 at 02:27:51AM +0200, Léo Le Bouter wrote:
Toggle quote (11 lines)
> On Thu, 2021-04-08 at 20:01 -0400, Leo Famulari wrote:
> > On Tue, Apr 06, 2021 at 06:51:47PM -0400, Leo Famulari wrote:
> > > Yeah. Given this report, we could also just build Syncthing with
> > > the
> > > bundled source code, which is freely licensed.
> >
> > I've attached the patch.
>
> I tested this patch on my system, works great with the syncthing
> service also. LGTM from me.

Thanks for the review. Pushed as
ed3ef756f521a0df8596a88b66f65b7a1ad99252
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmBzqG8ACgkQJkb6MLrK
fwh2LBAAhzCyPbj7IJqDlBY0knvNDUcAjZPStM0X4TZxwUtPlyrd1vqOzHIs0ww6
7G/tIdm+A9NWH/jOr/y1ixw4Z7/tuuaHEVG2hdTawuIIub1HAJiB/zKYB0cKE8qV
dTyPO+1msZY3/H3yvPVVycGvM20t4jst3XjOwWA2y32VFHxEfh5zCfcxUIdE8t8v
gl2iKTm/uK13PtEAKKK1tLkUtGuMMa26UdA8JN9bMvpN57BKaRGjyPzeoi7wGFpN
BEPC3GPujo0aXK4a0Xnd5W+Um0ZMhDvhRVnaypkvVfoyHnUp9XvA7JUKq7rGkj25
QgJxawx2HXXWo0z5ynab/EFS0GaWFW8udM/IBpYkVXTJiDF7swltQRaHjmrfSkyt
PcXBoAo2KvCecPczzSrFhZIur3Z+szjyscUronxKBYcE6jpQSK5q41eShMiKoTAu
G6wuF5YkdwD6jiCuUpbwKg8v9cZI34attpWzalfT42Vg180JFeLW31tJvpQNumql
xt4o3jDsOfFw8O2qoWQokaSd9+bhW9RL7+D+J6N/iTxejnyIrgzK1B/Bg20GpYT/
zz8VlPqp31p1m+NNXHl2satLHzp/kCaUalnxJB3e9OlgwxCinFQGElOCT8mlxZQQ
Rok91siV7s2cWRwCBtWOfr/8G2JDIq8M6Eq7+R4XEDRV0mgWXrU=
=aK40
-----END PGP SIGNATURE-----


Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 47627@patchwise.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 47627
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch