Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 916609 (CVE-2023-43796, CVE-2023-45129) - <net-im/synapse-1.96.0: Leak of remote user device information
Summary: <net-im/synapse-1.96.0: Leak of remote user device information
Status: RESOLVED FIXED
Alias: CVE-2023-43796, CVE-2023-45129
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/matrix-org/synapse...
Whiteboard: B3 [glsa+]
Keywords: PullRequest
Depends on: 919062
Blocks:
  Show dependency tree
 
Reported: 2023-11-01 07:32 UTC by Petr Vaněk
Modified: 2024-01-07 10:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Petr Vaněk gentoo-dev 2023-11-01 07:32:38 UTC
GHSA-mp92-3jfm-3575 / CVE-2023-43796 — Moderate Severity

Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver.
Comment 1 Larry the Git Cow gentoo-dev 2023-11-17 11:09:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fb805c997a284706c5cc3c2cb53a920969d0094

commit 9fb805c997a284706c5cc3c2cb53a920969d0094
Author:     Petr Vaněk <arkamar@atlas.cz>
AuthorDate: 2023-11-17 09:05:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-11-17 11:07:52 +0000

    net-im/synapse: add 1.96.0
    
    Bug: https://bugs.gentoo.org/916609
    Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
    Closes: https://github.com/gentoo/gentoo/pull/33616
    Signed-off-by: Sam James <sam@gentoo.org>

 net-im/synapse/Manifest              |   3 +
 net-im/synapse/synapse-1.96.0.ebuild | 210 +++++++++++++++++++++++++++++++++++
 2 files changed, 213 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-28 19:12:00 UTC
CVE-2023-45129 (https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4):

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.

This one fixed in 1.94.0.
Comment 3 Larry the Git Cow gentoo-dev 2023-12-02 21:22:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fac4d05cd64b3cea825d9c1e6707bbad389abf48

commit fac4d05cd64b3cea825d9c1e6707bbad389abf48
Author:     Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2023-12-02 21:21:38 +0000
Commit:     Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2023-12-02 21:21:38 +0000

    net-im/synapse: drop 1.93.0-r1, 1.95.0-r1
    
    Bug: https://bugs.gentoo.org/916609
    Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

 net-im/synapse/Manifest                 |  16 ---
 net-im/synapse/synapse-1.93.0-r1.ebuild | 211 --------------------------------
 net-im/synapse/synapse-1.95.0-r1.ebuild | 210 -------------------------------
 3 files changed, 437 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-01-07 10:31:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=17e2b155a748af5cd1276229d389b4641fec18c7

commit 17e2b155a748af5cd1276229d389b4641fec18c7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-07 10:31:28 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-07 10:31:54 +0000

    [ GLSA 202401-12 ] Synapse: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/914765
    Bug: https://bugs.gentoo.org/916609
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-12.xml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)