Bug 952122 (CVE-2025-30355) - <net-im/synapse-1.127.1: Federation denial of service via malformed events
Summary: <net-im/synapse-1.127.1: Federation denial of service via malformed events
Status: CONFIRMED
Alias: CVE-2025-30355
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/element-hq/synapse...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 952123
Blocks:
Reported: 2025-03-27 07:20 UTC by Petr Vaněk
Modified: 2025-03-29 13:32 UTC

See Also:
Package list:
Runtime testing required: ---
Description Petr Vaněk gentoo-dev 2025-03-27 07:20:47 UTC
A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild.
Patches

Fixed in Synapse v1.127.1.

Workarounds

Closed federation environments of trusted servers or non-federating installations are not affected.
Comment 1 Larry the Git Cow gentoo-dev 2025-03-27 08:13:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df3e9a2457545ad613f6e3d1ce46f162d5631556

commit df3e9a2457545ad613f6e3d1ce46f162d5631556
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2025-03-27 07:23:02 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2025-03-27 08:12:02 +0000

    net-im/synapse: add 1.127.1, CVE-2025-30355
    
    Fixes an issue where a malicious server can craft events which, when
    received, prevent Synapse versions up to 1.127.0 from federating with
    other servers. The vulnerability has been exploited in the wild.
    
    CVE: https://www.cve.org/CVERecord?id=CVE-2025-30355
    GHSA: https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
    Bug: https://bugs.gentoo.org/952122
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 net-im/synapse/Manifest               |   1 +
 net-im/synapse/synapse-1.127.1.ebuild | 242 ++++++++++++++++++++++++++++++++++
 2 files changed, 243 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2025-03-29 13:31:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288171eb5e640b0fc61edad972fe94f6530d5e78

commit 288171eb5e640b0fc61edad972fe94f6530d5e78
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2025-03-29 13:30:02 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2025-03-29 13:30:02 +0000

    net-im/synapse: drop 1.124.0, 1.125.0, 1.126.0, 1.127.0
    
    Bug: https://bugs.gentoo.org/952122
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 net-im/synapse/Manifest               |  30 -----
 net-im/synapse/synapse-1.124.0.ebuild | 229 --------------------------------
 net-im/synapse/synapse-1.125.0.ebuild | 242 ----------------------------------
 net-im/synapse/synapse-1.126.0.ebuild | 242 ----------------------------------
 net-im/synapse/synapse-1.127.0.ebuild | 242 ----------------------------------
 5 files changed, 985 deletions(-)