Bug 780678 (CVE-2021-21404) - <net-p2p/syncthing-1.15.1: relay server/client DoS
Summary: <net-p2p/syncthing-1.15.1: relay server/client DoS
Status: IN_PROGRESS
Alias: CVE-2021-21404
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/syncthing/syncthin...
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-07 00:15 UTC by John Helmert III
Modified: 2022-01-13 15:49 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III gentoo-dev Security 2021-04-07 00:15:56 UTC
CVE-2021-21404:

Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.


Please bump.
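The negative-length crash described in the CVE text above, as an added Go example that is not Syncthing's code: a hypothetical frame header (message type plus signed 32-bit length; the layout, the size cap and the sample frames are assumptions constructed for this example) is read once the pre-fix way, where the length goes straight into make() and a negative value panics, and once with the bounds check that rejects it before allocating.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
)

// Hypothetical framing (not Syncthing's real wire format): big-endian type, then signed int32 length.
type header struct {
	Type   int32
	Length int32
}

const maxMessageLength int32 = 1 << 20 // assumed upper bound on a body
// Constructed sample frames: a valid one, and one whose length field is -1 (0xffffffff).
var (
	goodFrame = []byte{0, 0, 0, 1, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'}
	badFrame  = []byte{0, 0, 0, 1, 0xff, 0xff, 0xff, 0xff}
)

// Pre-fix pattern: Length sizes the buffer directly, so a negative value panics in make().
func readMessageUnchecked(r io.Reader) (body []byte, err error) {
	defer func() { // surface the panic as an error so it can be observed; unrecovered, it is the crash
		if rec := recover(); rec != nil {
			err = fmt.Errorf("panic: %v", rec)
		}
	}()
	var h header
	if err = binary.Read(r, binary.BigEndian, &h); err == nil {
		body = make([]byte, h.Length) // runtime panic when h.Length < 0
		_, err = io.ReadFull(r, body)
	}
	return body, err
}

// readMessage is the hardened form: bound the length before allocating.
func readMessage(r io.Reader) ([]byte, error) {
	var h header
	if err := binary.Read(r, binary.BigEndian, &h); err != nil {
		return nil, err
	}
	if h.Length < 0 || h.Length > maxMessageLength {
		return nil, fmt.Errorf("relay: invalid message length %d", h.Length)
	}
	body := make([]byte, h.Length)
	_, err := io.ReadFull(r, body)
	return body, err
}
```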
Comment 1 Larry the Git Cow gentoo-dev 2021-04-07 08:08:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3a39dc0c31ae1bb493766e48a0ca9e39ed9f05d

commit d3a39dc0c31ae1bb493766e48a0ca9e39ed9f05d
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-04-07 08:02:15 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-04-07 08:08:23 +0000

    net-p2p/syncthing: bump to 1.15.1
    
    Addresses CVE-2021-21404.
    
    Bug: https://bugs.gentoo.org/780678
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-p2p/syncthing/Manifest                |  30 ++
 net-p2p/syncthing/syncthing-1.15.1.ebuild | 781 ++++++++++++++++++++++++++++++
 2 files changed, 811 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-09 22:21:09 UTC
ppc64 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 00:34:14 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 07:47:24 UTC
arm done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-11 15:49:06 UTC
arm64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-12 01:24:41 UTC
amd64 done

all arches done
Comment 7 John Helmert III gentoo-dev Security 2021-04-12 13:01:03 UTC
Please cleanup.
Comment 8 Larry the Git Cow gentoo-dev 2021-04-12 16:59:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d36439b60ace1b6e526717543e33e8475a94f64

commit 6d36439b60ace1b6e526717543e33e8475a94f64
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2021-04-12 16:58:17 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2021-04-12 16:58:57 +0000

    net-p2p/syncthing: remove versions vulnerable to CVE-2021-21404
    
    Bug: https://bugs.gentoo.org/780678
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-p2p/syncthing/Manifest                |  46 --
 net-p2p/syncthing/syncthing-1.13.1.ebuild | 797 ------------------------------
 2 files changed, 843 deletions(-)
Comment 9 John Helmert III gentoo-dev Security 2021-04-12 17:19:21 UTC
Thanks!
Comment 10 NATTkA bot gentoo-dev 2021-07-29 17:23:15 UTC Comment hidden (obsolete)
Comment 11 NATTkA bot gentoo-dev 2021-07-29 17:31:35 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:39:32 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:47:42 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 18:03:38 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 18:11:56 UTC
Package list is empty or all packages have requested keywords.
Comment 16 Marek Szuba archtester gentoo-dev 2021-11-19 21:57:50 UTC
Shouldn't we close this, or something?
Comment 17 John Helmert III gentoo-dev Security 2021-11-20 17:16:26 UTC
(In reply to Marek Szuba from comment #16)
> Shouldn't we close this, or something?

Yes, once a GLSA is released.