
synergy: Add patch to fix CVE-2020-15117 #94041

Merged
merged 1 commit into from Aug 4, 2020

Conversation

@aszlig aszlig commented Jul 28, 2020

From the description of CVE-2020-15117:

In Synergy before version 1.12.0, a Synergy server can be crashed by receiving a kMsgHelloBack packet with a client name length set to 0xffffffff (4294967295) if the server's memory is less than 4 GB. It was verified that this issue does not cause a crash through the exception handler if the available memory of the Server is more than 4GB.

While I personally would consider this a pretty low-priority issue since Synergy usually is only used in a local environment, it's nevertheless better to patch known issues.

Since the fix is part of version 1.12, which doesn't have a stable release yet, I'm including the fix as a patch cherry-picked from the upstream commit.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
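As an added example, not Synergy's code and not the nixpkgs patch: a bounds-checked parser for a length-prefixed client name, showing the check a kMsgHelloBack handler needs before it allocates for the declared length. The wire layout (a 4-byte big-endian length followed by the name bytes, with the message's other fields omitted) and the cap kMaxNameLen are assumptions; the sample messages are constructed, not captured traffic.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

constexpr std::size_t kMaxNameLen = 256;  // assumed policy cap, not taken from Synergy
// Read a 4-byte big-endian length starting at buf[pos]; the caller checks bounds.
static std::uint32_t be32(const std::vector<std::uint8_t>& buf, std::size_t pos) {
    return (std::uint32_t(buf[pos]) << 24) | (std::uint32_t(buf[pos + 1]) << 16) |
           (std::uint32_t(buf[pos + 2]) << 8) | std::uint32_t(buf[pos + 3]);
}

// Parse a length-prefixed client name into `out`; returns false and leaves
// `out` untouched when the message is malformed. An unchecked parser would
// run `out.resize(len)` straight after reading len; with len = 0xffffffff that
// is a ~4 GiB allocation, which is the failure mode the CVE text describes.
bool parseHelloBackName(const std::vector<std::uint8_t>& msg, std::string& out) {
    if (msg.size() < 4) return false;            // truncated length field
    std::uint32_t len = be32(msg, 0);
    if (len > kMaxNameLen) return false;         // rejects 0xffffffff before any allocation
    if (len > msg.size() - 4) return false;      // declared length exceeds bytes received
    out.assign(msg.begin() + 4, msg.begin() + 4 + len);
    return true;
}

// Build a constructed sample message: 4-byte big-endian declared length,
// then the name bytes (the declared length may deliberately disagree).
std::vector<std::uint8_t> makeHelloBack(std::uint32_t declaredLen, const std::string& name) {
    std::vector<std::uint8_t> m = {
        std::uint8_t(declaredLen >> 24), std::uint8_t(declaredLen >> 16),
        std::uint8_t(declaredLen >> 8),  std::uint8_t(declaredLen)};
    m.insert(m.end(), name.begin(), name.end());
    return m;
}

bool acceptsValidName() {
    std::string name;
    return parseHelloBackName(makeHelloBack(6, "laptop"), name) && name == "laptop";
}

bool rejectsHugeLength() {  // the CVE-2020-15117 trigger: length 0xffffffff, short body
    std::string name;
    return !parseHelloBackName(makeHelloBack(0xffffffffu, "laptop"), name);
}

bool rejectsOverrun() {  // under the cap, but more bytes declared than present
    std::string name;
    return !parseHelloBackName(makeHelloBack(100, "laptop"), name);
}
```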

@aszlig aszlig requested a review from Enzime July 28, 2020 00:22
@aszlig aszlig linked an issue Jul 28, 2020 that may be closed by this pull request
@aszlig aszlig added the 9.needs: port to stable A PR needs a backport to the stable release. label Jul 28, 2020

Enzime commented Jul 28, 2020

LGTM, I built this with nixpkgs-review pr 94041 and ran the server


@mweinelt mweinelt left a comment


Reference the CVE in the patch's filename, so it can be matched by security scanners like broken.sh.

pkgs/applications/misc/synergy/default.nix
From the description of CVE-2020-15117:

> In Synergy before version 1.12.0, a Synergy server can be crashed by
> receiving a kMsgHelloBack packet with a client name length set to
> 0xffffffff (4294967295) if the server's memory is less than 4 GB. It
> was verified that this issue does not cause a crash through the
> exception handler if the available memory of the Server is more than
> 4GB.

While I personally would consider this a pretty low-priority issue since
Synergy usually is only used in a local environment, it's nevertheless
better to patch known issues.

Since the fix is part of version 1.12, which doesn't have a stable
release yet, I'm including the fix as a patch cherry-picked from the
upstream commit.

I originally had the CVE number as a comment prior to the fetchpatch
call in question, but since @mweinelt mentioned that https://broken.sh/
uses the patch file name[1] to match whether the software in question
has been patched, I've removed my initial comment as it would be
redundant.

[1]: https://github.com/andir/nix-vulnerability-scanner/blob/fb63998885462/src/report/nix_patches.rs#L83-L95

Signed-off-by: aszlig <aszlig@nix.build>
Fixes: NixOS#94007

mweinelt commented Aug 4, 2020

Result of nixpkgs-review pr 94041

3 packages built:
- quicksynergy
- synergy
- synergyWithoutGUI

@mweinelt mweinelt merged commit be7913f into NixOS:master Aug 4, 2020
@ofborg ofborg bot requested a review from Enzime August 4, 2020 14:59

aszlig commented Aug 4, 2020

@Enzime: Note that this still needs a backport to stable (see the label), but I currently don't have time to fix the conflicts plus I'm not even using Synergy anymore, so I can't adequately test it.

Successfully merging this pull request may close these issues.

Vulnerability roundup 90: synergy-1.11.1: 1 advisory [6.5]