GNU bug report logs

#47627 syncthing package is vulnerable to CVE-2021-21404

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #10 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 6 Apr 2021 22:51:54 +0000
From debbugs-submit-bounces@debbugs.gnu.org Tue Apr 06 18:51:54 2021
Received: from localhost ([127.0.0.1]:42295 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lTuY6-0003KN-BL
	for submit@debbugs.gnu.org; Tue, 06 Apr 2021 18:51:54 -0400
Received: from lists.gnu.org ([209.51.188.17]:34996)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1lTuY5-0003KH-EZ
 for submit@debbugs.gnu.org; Tue, 06 Apr 2021 18:51:53 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:33214)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@famulari.name>) id 1lTuY5-0002mO-6W
 for bug-guix@gnu.org; Tue, 06 Apr 2021 18:51:53 -0400
Received: from wout2-smtp.messagingengine.com ([64.147.123.25]:37361)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@famulari.name>) id 1lTuY3-0000p6-AQ
 for bug-guix@gnu.org; Tue, 06 Apr 2021 18:51:52 -0400
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
 by mailout.west.internal (Postfix) with ESMTP id 8A8081286;
 Tue,  6 Apr 2021 18:51:49 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
 by compute3.internal (MEProxy); Tue, 06 Apr 2021 18:51:49 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:cc:subject:message-id:references:mime-version
 :content-type:in-reply-to; s=mesmtp; bh=3rZNttmwAKBp5ekEvuYEHfHN
 qxzLXQ8TZUgl+AgBLLU=; b=lVAau1t+/gEiw9fh2MWamQDk7qTMOTIzUkGls9v7
 ExhASpoypGkN7UKELv0dV/2PiaRlmjkNbGNcG8VhbwCQUGZ/gB4NvUfWAgDVR036
 OSnTwI78z/FHDRKlzmVMkBclcK+Da7GOkTC7ZRN7qDjRdQ6oorc3JZeN6tiSn3ZG
 Im4=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=cc:content-type:date:from:in-reply-to
 :message-id:mime-version:references:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=3rZNtt
 mwAKBp5ekEvuYEHfHNqxzLXQ8TZUgl+AgBLLU=; b=mxAJWIZLYl+cXCQqsVbSPU
 gttWmpfrQkFCtIyoga9RnDHGE9ztqI/Hk/XIjRGaidCGr36jAFYlI5dA4gqWJngf
 SQJDbQuvbEGgStuBGTa4AWm6m4cKNs3qMg3IRHENl3WVgfxgRaQMnzGxlgIqxEBq
 U/2zzu6hLMWcr6NRuNzyu3/VciKj2TArG0VCG/LKpNYVOYHbVkBIjtE57QP7qjER
 1jwjUIcnbA6pTTguGwwnVfYcIHcJ2lD6E6NKPFGjXQ1S8f+O+PY38Qm8C481OawF
 bmXOvY4TGhwb7J8Cv3L2k/7XMh5YhzpspecOuUDHY3BjEwacUm+9ToVCLk2EusrQ
 ==
X-ME-Sender: <xms:BOZsYEmdiE69kcr22_Ebw08cVIkUjieckGthKW5jVU6JLsAvIy1PLA>
 <xme:BOZsYD2qvMJRChzjbmaLPY_gU4tfs_eFiTavbOLM_PxBH-iL3cLIY5dGZYtnNF-fn
 aXab-s4g8i_gRBNmA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudejiedgudehucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
 cujfgurhepfffhvffukfhfgggtuggjsehgtderredttddunecuhfhrohhmpefnvghoucfh
 rghmuhhlrghrihcuoehlvghosehfrghmuhhlrghrihdrnhgrmhgvqeenucggtffrrghtth
 gvrhhnpedtheeigefgfefgiedtteeihefhkeffudeiveevheehleetiefgiedvueffkeev
 jeenucffohhmrghinhepghhnuhdrohhrghenucfkphepuddttddruddurdduieelrdduud
 eknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheplhgv
 ohesfhgrmhhulhgrrhhirdhnrghmvg
X-ME-Proxy: <xmx:BOZsYCqi4zhD1VNgTqYQHjeQH_0yas9qympfQoXSzjEcaxIXXNrkfw>
 <xmx:BOZsYAk0OezK-Vdat9HRkSfkWlUQTWRqP0_vblLCf1fB5Hfd_oM6Rw>
 <xmx:BOZsYC0Cq_vF8Q63ZR-fX-hOqCkErsXifE1qMmr5Ki80egamVPESRQ>
 <xmx:BeZsYLgHozXNwPdSxY7J0MaT6qixXTL0ZaB7ZDQKgQAcwdXG-FHPkw>
Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net
 [100.11.169.118])
 by mail.messagingengine.com (Postfix) with ESMTPA id 9972E24005C;
 Tue,  6 Apr 2021 18:51:48 -0400 (EDT)
Date: Tue, 6 Apr 2021 18:51:47 -0400
From: Leo Famulari <leo@famulari.name>
To: Léo Le Bouter via Bug reports for GNU Guix
 <bug-guix@gnu.org>
Subject: Re: bug#47627: syncthing package is vulnerable to CVE-2021-21404
Message-ID: <YGzmAwp2zOS9lTD6@jasmine.lan>
References: <38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="P8wpwDeUZwqY//ac"
Content-Disposition: inline
In-Reply-To: <38a8a1cb8749b422642dfa6d5374c242ddb80b42.camel@zaclys.net>
Received-SPF: pass client-ip=64.147.123.25; envelope-from=leo@famulari.name;
 helo=wout2-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
Cc: 47627@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

[Message part 1 (text/plain, inline)]
On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-21404	06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
> 
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
> 
> Previous discussion about updating syncthing: 
> https://issues.guix.gnu.org/45476

Yeah. Given this report, we could also just build Syncthing with the
bundled source code, which is freely licensed.

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 18:06:30 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.