GNU bug report logs - #47627
syncthing package is vulnerable to CVE-2021-21404

Previous Next

Package: guix;

Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>

Date: Tue, 6 Apr 2021 22:41:02 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.

Full log

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Léo Le Bouter <lle-bout <at> zaclys.net>
To: bug-guix <at> gnu.org
Subject: syncthing package is vulnerable to CVE-2021-21404
Date: Wed, 07 Apr 2021 00:40:03 +0200

[Message part 1 (text/plain, inline)]
CVE-2021-21404	06.04.21 22:15
Syncthing is a continuous file synchronization program. In Syncthing
before version 1.15.0, the relay server `strelaysrv` can be caused to
crash and exit by sending a relay message with a negative length field.
Similarly, Syncthing itself can crash for the same reason if given a
malformed message from a malicious relay server when attempting to join
the relay. Relay joins are essentially random (from a subset of low
latency relays) and Syncthing will by default restart when crashing, at
which point it's likely to pick another non-malicious relay. This flaw
is fixed in version 1.15.0.

We still ship 1.5.0, we crucially need to update that *very* useful
networked daemon package. With the new go importer maybe that's easier.
Also work in the go build system needs to happen IIRC.

Previous discussion about updating syncthing: 
https://issues.guix.gnu.org/45476

Léo

[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 4 years and 42 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.