Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 922059 (CVE-2023-49295)

Summary: <net-p2p/syncthing-1.27.2: DoS in bundled quic-go's path validation
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: minor CC: maintainer-needed, marecki
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/syncthing/syncthing/releases/tag/v1.27.2
Whiteboard: B3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 922105    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-01-13 20:24:49 UTC 
CVE-2023-49295 (https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf):

quic-go is an implementation of the QUIC protocol (RFC 9000, RFC 9001, RFC 9002) in Go. An attacker can cause its peer to run out of memory sending a large number of PATH_CHALLENGE frames. The receiver is supposed to respond to each PATH_CHALLENGE frame with a PATH_RESPONSE frame. The attacker can prevent the receiver from sending out (the vast majority of) these PATH_RESPONSE frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. This vulnerability has been patched in versions 0.37.7, 0.38.2 and 0.39.4.

Fixed in syncthing 1.27.2 according to URL, please bump.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-01-14 14:13:14 UTC 
commit 9f763e4a6da965488e80eca7a9b2aca9d2429074 (HEAD -> master, origin/master, origin/HEAD)
Author: Marek Szuba <marecki@gentoo.org>
Date:   Sun Jan 14 12:38:56 2024 +0000

    net-p2p/syncthing: add 1.27.2, drop 1.27.1

    Guess what, another problem with bundled quic-go.

    Signed-off-by: Marek Szuba <marecki@gentoo.org>

Please tag bugs.
Comment 2 Marek Szuba (RETIRED) archtester gentoo-dev 2024-01-14 20:30:21 UTC 
(In reply to Sam James from comment #1)
> Please tag bugs.
You CAN see the stablereq for 1.27.2 being a blocker for this issue, cannot you.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-01-14 20:32:18 UTC 
(In reply to Marek Szuba from comment #2)
> (In reply to Sam James from comment #1)
> > Please tag bugs.
> You CAN see the stablereq for 1.27.2 being a blocker for this issue, cannot
> you.

You should still tag the bugs.
Comment 4 Larry the Git Cow gentoo-dev 2024-01-15 15:32:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6486bf82209e475faa36a20f2e0a5ab0fea4120f

commit 6486bf82209e475faa36a20f2e0a5ab0fea4120f
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2024-01-15 15:31:01 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2024-01-15 15:31:07 +0000

    net-p2p/syncthing: drop 1.26.1
    
    No versions vulnerable to CVE-2023-49295 left in the tree.
    
    Bug: https://bugs.gentoo.org/922059
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-p2p/syncthing/Manifest                |   1 -
 net-p2p/syncthing/syncthing-1.26.1.ebuild | 113 ------------------------------
 2 files changed, 114 deletions(-)