author | Michał Polański <michal@polanski.me> | 2021-04-07 00:20:12 +0200 |
committer | Michał Polański <michal@polanski.me> | 2021-04-07 00:20:12 +0200 |
commit | 590ff46d7233019895449bedacc07ef4bac61c2f (patch) | |
tree | 8cd1c5d718a36bb2f031c8d194b21dc02464c533 | |
parent | 1d8544a99400416630b6cec5bb0f8f93b4a1b951 (diff) |
community/syncthing: fix CVE-2021-21404
security advisory:
https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h
-rw-r--r-- | community/syncthing/APKBUILD | 8 | ||||
-rw-r--r-- | community/syncthing/cve-2021-21404.patch | 28 |
2 files changed, 35 insertions, 1 deletions
diff --git a/community/syncthing/APKBUILD b/community/syncthing/APKBUILD
index cc5ba20ca1c..b523cb5fec2 100644
--- a/community/syncthing/APKBUILD
+++ b/community/syncthing/APKBUILD
@@ -4,7 +4,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=syncthing
 pkgver=1.12.1
-pkgrel=0
+pkgrel=1
 pkgdesc="Open Source Continuous File Synchronization"
 options="chmod-clean"
 url="https://syncthing.net/"
@@ -17,9 +17,14 @@ install="$pkgname.pre-install"
 subpackages="$pkgname-doc $pkgname-utils $pkgname-openrc"
 source="$pkgname-$pkgver.tar.gz::https://github.com/syncthing/syncthing/archive/v$pkgver.tar.gz
 	only-test-with-race-when-provided.patch
+	cve-2021-21404.patch
 	$pkgname.initd
 	"
 
+# secfixes:
+# 1.12.1-r1:
+# - CVE-2021-21404
+
 build() {
 	# Build syncthing + server utils
 	local cmd
@@ -67,4 +72,5 @@ utils() {
 
 sha512sums="1683bc9ae3f8ba1337a319d8f3ae5e809b9d437c96cfabf325c4da34fb2627af177ece7d365267062eeed7e48471aa94e76ea6034d02d8a09f1531e99c8ee656 syncthing-1.12.1.tar.gz
 81bcb6b2e0956624b596201d1de24a3b6fcb10d08761f2c426081350b611295a7f4d47775d175f2ee5dbbb289b98bc022389fc9992f0d31bcdbfde855ceafaf8 only-test-with-race-when-provided.patch
+74dc1d13bdd37b1fba978ca8222e164b60f10226de8b0b74e7d3729a67c8dd2711b6fe65f655422d2589031cf189ffe24af2f41dbb1f3e663fe447b5a55e877e cve-2021-21404.patch
 7fe49210180827c28f3ee9a1a95da3884dbef34de9bdc643f4455c9a056adba81f16c1c6ac059e83bee360aea091ace98b8a6f4c4b26a32c450f61f15206d3f5 syncthing.initd"
diff --git a/community/syncthing/cve-2021-21404.patch b/community/syncthing/cve-2021-21404.patch
new file mode 100644
index 00000000000..90579128c7b
--- /dev/null
+++ b/community/syncthing/cve-2021-21404.patch
@@ -0,0 +1,28 @@
+commit 8e38ecdeb20756014ffaad25a88511604c1117cb
+Author: Jakob Borg <jakob@kastelo.net>
+Date: Tue Apr 6 08:00:00 2021 +0200
+
+    Merge pull request from GHSA-x462-89pf-6r5h
+
+diff --git a/lib/relay/protocol/protocol.go b/lib/relay/protocol/protocol.go
+index 97dee8d4..0bc079ab 100644
+--- a/lib/relay/protocol/protocol.go
++++ b/lib/relay/protocol/protocol.go
+@@ -4,6 +4,7 @@ package protocol
+ 
+ import (
+ 	"errors"
++	"fmt"
+ 	"io"
+ )
+ 
+@@ -86,6 +87,9 @@ func ReadMessage(r io.Reader) (interface{}, error) {
+ 	if header.magic != magic {
+ 		return nil, errors.New("magic mismatch")
+ 	}
++	if header.messageLength < 0 || header.messageLength > 1024 {
++		return nil, fmt.Errorf("bad length (%d)", header.messageLength)
++	}
+ 
+ 	buf = make([]byte, int(header.messageLength))
+ 	if _, err := io.ReadFull(r, buf); err != nil {
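Review bot: The new guard in ReadMessage uses a bare `1024` with nothing saying why that is the ceiling, so a later reader cannot tell whether it is a protocol limit or an arbitrary allocation cap; since the length comes straight off the wire and feeds `make([]byte, int(header.messageLength))` two lines below, this bound is what stops a peer from forcing an oversized allocation before any other validation, and it deserves a named constant such as `const maxMessageLength = 1024 // largest relay message accepted; bounds the allocation in ReadMessage`. The `< 0` half of the check is only meaningful if `messageLength` is a signed field, which the hunk does not show — worth confirming against the header struct definition. ReadMessage's body starts and ends outside the hunk. This file is a verbatim carry of the upstream commit named at its top, so the naming change belongs upstream; the Alpine patch itself should stay byte-identical so its sha512sum in APKBUILD remains valid.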