Multiple vulnerabilities were found in Barrier, the worst of which could result in an attacker gaining unauthorized access to a remote server session. See: https://www.openwall.com/lists/oss-security/2021/11/02/4
"4) Action Items / Recommendations / Upstream Fixes -------------------------------------------------- - `barriers` needs to verify the authenticity of connecting clients (items 2a, 2f). This got addressed via upstream PR#1346 [5]. - For checking SSL certificate fingerprints SHA256 should be used (item 1a). This got addressed via upstream PR#1343 [6]. - Maximum message size limits should be enforced (items 1c, 2c, 2i). This got addressed via upstream PR#1347 [7]. - Maximum receive buffer / message backlog should be enforced (item 1b) - Cleanly close socket file descriptors on the server side (item 2d). This got addressed via upstream PR#1350 [8]. - Fix race condition (?) to avoid invalid memory access (item 2e). This got addressed via upstream PR#1351 [9]. - Parsing errors should be diligently checked for (item 1d) - Out of bound memory access needs to be prevented (item 2j) - Non-blocking operation of SSL sockets needs to be fixed (item 2b) - Apply quality assurance by using tools like Valgrind, Address Sanitizer (item 2g). In the long term maybe refactor / improve the EventQueue mechanism. - Remove hacky static variables (item 2h) Upstream told me that the remaining recommendations will be worked on during the next months. Upstream release v2.4.0 [10] contains all mentioned fixes including incompatible ones (using SHA-256 fingerprints, authenticating clients). Upstream release v2.3.4 [11] contains only the backward compatible fixes and thus still no client authentication. Updating to version v2.4.0 is thus strongly recommended. [10]: https://github.com/debauchee/barrier/releases/tag/v2.4.0 [11]: https://github.com/debauchee/barrier/releases/tag/v2.3.4" So not all of the issues are fixed in 2.4.0.
I already started looking at 2.4.0 today, but it has a new dependency that we don't have a package for. I'll turn this around as soon as I can.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=637b9e78ba884167eaba3211a49d7266555de924

commit 637b9e78ba884167eaba3211a49d7266555de924
Author: James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2021-11-02 22:35:22 +0000
Commit: James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-11-02 22:36:06 +0000

    x11-misc/barrier: Drop and old vulnerable 2.3.3

    Bug: https://bugs.gentoo.org/821337
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 x11-misc/barrier/Manifest | 1 -
 x11-misc/barrier/barrier-2.3.3.ebuild | 82 -------------
 x11-misc/barrier/files/barrier-2.3.3-gtest.patch | 116 ------------------
 x11-misc/barrier/files/barrier-2.3.3-tests.patch | 150 -----------------------
 4 files changed, 349 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23c07da7a8d7acd22ea09c586fcbe61d31ff6c8f

commit 23c07da7a8d7acd22ea09c586fcbe61d31ff6c8f
Author: James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2021-11-02 22:32:40 +0000
Commit: James Le Cuirot <chewi@gentoo.org>
CommitDate: 2021-11-02 22:36:02 +0000

    x11-misc/barrier: Version bump to 2.4.0, EAPI 8

    Bug: https://bugs.gentoo.org/821337
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 x11-misc/barrier/Manifest | 1 +
 x11-misc/barrier/barrier-2.4.0.ebuild | 82 ++++++++++++++++++++++
 .../barrier/files/barrier-2.4.0-includes.patch | 39 ++++++++++
 3 files changed, 122 insertions(+)
I suppose there's nothing more we can do here. Thanks Chewi!