GNU bug report logs -
#47627
syncthing package is vulnerable to CVE-2021-21404
Previous Next
Reported by: Léo Le Bouter <lle-bout <at> zaclys.net>
Date: Tue, 6 Apr 2021 22:41:02 UTC
Severity: normal
Tags: security
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
On Wed, Apr 07, 2021 at 12:40:03AM +0200, Léo Le Bouter via Bug reports for GNU Guix wrote:
> CVE-2021-21404 06.04.21 22:15
> Syncthing is a continuous file synchronization program. In Syncthing
> before version 1.15.0, the relay server `strelaysrv` can be caused to
> crash and exit by sending a relay message with a negative length field.
> Similarly, Syncthing itself can crash for the same reason if given a
> malformed message from a malicious relay server when attempting to join
> the relay. Relay joins are essentially random (from a subset of low
> latency relays) and Syncthing will by default restart when crashing, at
> which point it's likely to pick another non-malicious relay. This flaw
> is fixed in version 1.15.0.
>
> We still ship 1.5.0, we crucially need to update that *very* useful
> networked daemon package. With the new go importer maybe that's easier.
> Also work in the go build system needs to happen IIRC.
>
> Previous discussion about updating syncthing:
> https://issues.guix.gnu.org/45476
Yeah. Given this report, we could also just build Syncthing with the
bundled source code, which is freely licensed.
[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 4 years and 42 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.