Vulnerability roundup 90: synergy-1.11.1: 1 advisory [6.5] #94007

Closed
ckauhaus opened this issue Jul 27, 2020 · 0 comments · Fixed by #94041
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one

Comments

@ckauhaus (Contributor)

search, files

Scanned versions: nixos-unstable: 28fce08. May contain false positives.

Cc @aszlig
Cc @Enzime

ckauhaus added the "1.severity: security" label (Issues which raise a security issue, or PRs that fix one) Jul 27, 2020
aszlig added a commit that referenced this issue Jul 28, 2020
Just got a reminder via the vulnerability roundup[1] that I'm still
listed as maintainer for Synergy, even though I stopped using it years
ago.

I'll also take this as an opportunity to remove myself from other
packages which I stopped using and thus most certainly won't be able to
maintain. The latter is already hard enough these days for software
which I *do* use.

[1]: #94007

Signed-off-by: aszlig <aszlig@nix.build>
aszlig linked a pull request Jul 28, 2020 that will close this issue
aszlig added a commit to aszlig/nixpkgs that referenced this issue Aug 4, 2020
From the description of CVE-2020-15117:

> In Synergy before version 1.12.0, a Synergy server can be crashed by
> receiving a kMsgHelloBack packet with a client name length set to
> 0xffffffff (4294967295) if the servers memory is less than 4 GB. It
> was verified that this issue does not cause a crash through the
> exception handler if the available memory of the Server is more than
> 4GB.

While I personally would consider this a pretty low-priority issue since
Synergy is usually only used in local environments, it's nevertheless
better to patch known issues.

Since the fix is part of version 1.12, which doesn't have a stable
release yet, I'm including the fix as a patch cherry-picked from the
upstream commit.

I originally had the CVE number as a comment prior to the fetchpatch
call in question, but since @mweinelt mentioned that https://broken.sh/
uses the patch file name[1] to match whether the software in question
has been patched, I've removed my initial comment as it would be
redundant.

[1]: https://github.com/andir/nix-vulnerability-scanner/blob/fb63998885462/src/report/nix_patches.rs#L83-L95

Signed-off-by: aszlig <aszlig@nix.build>
Fixes: NixOS#94007
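The failure mode the quoted CVE text describes, an attacker-controlled length field driving an allocation, as an added example that is not Synergy's code and not the nixpkgs patch: a C parser for a hypothetical length-prefixed client-name message, with the trusting version beside the checked one. The 4-byte big-endian length prefix, the `MAX_CLIENT_NAME` cap, the `parse_hello_back*` function names and the sample packets are assumptions made for this illustration, not Synergy's actual kMsgHelloBack encoding.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Upper bound on a client name this example accepts. Chosen for the
 * example; not a value taken from Synergy. */
#define MAX_CLIENT_NAME 255

enum hello_status {
    HELLO_OK = 0,
    HELLO_TRUNCATED,  /* length field claims more bytes than the packet holds */
    HELLO_TOO_LONG,   /* length exceeds MAX_CLIENT_NAME */
    HELLO_NOMEM       /* allocation failed */
};

/* Assumed layout for this example: 4-byte big-endian length, then the
 * name bytes. Not Synergy's real wire format. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* "Before": trusts the length field. With a length of 0xffffffff this asks
 * the allocator for 4 GiB (and, where size_t is 32 bits, (size_t)len + 1
 * wraps to 0) and then copies far past the end of buf. That is the failure
 * mode the CVE text describes; never call this on untrusted input. */
char *parse_hello_back_unchecked(const uint8_t *buf, size_t n)
{
    if (n < 4)
        return NULL;
    uint32_t len = read_be32(buf);
    char *name = malloc((size_t)len + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, buf + 4, len);   /* reads past buf whenever len > n - 4 */
    name[len] = '\0';
    return name;
}

/* "After": bound the length by what the packet actually contains and by an
 * explicit application limit before any memory is requested. */
enum hello_status parse_hello_back(const uint8_t *buf, size_t n, char **out)
{
    *out = NULL;
    if (n < 4)
        return HELLO_TRUNCATED;
    uint32_t len = read_be32(buf);
    if (len > n - 4)
        return HELLO_TRUNCATED;      /* rejects 0xffffffff before malloc */
    if (len > MAX_CLIENT_NAME)
        return HELLO_TOO_LONG;
    char *name = malloc((size_t)len + 1);
    if (name == NULL)
        return HELLO_NOMEM;
    memcpy(name, buf + 4, len);
    name[len] = '\0';
    *out = name;
    return HELLO_OK;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_packet[] = { 0, 0, 0, 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t hostile_packet[] = { 0xff, 0xff, 0xff, 0xff, 'a' };

/* A well-formed packet whose name is longer than the cap: the length is
 * honest, so only the application limit stops it. */
enum hello_status check_over_cap(void)
{
    uint8_t pkt[4 + MAX_CLIENT_NAME + 1];
    uint32_t len = MAX_CLIENT_NAME + 1;
    pkt[0] = (uint8_t)(len >> 24); pkt[1] = (uint8_t)(len >> 16);
    pkt[2] = (uint8_t)(len >> 8);  pkt[3] = (uint8_t)len;
    memset(pkt + 4, 'x', len);
    char *name = NULL;
    enum hello_status st = parse_hello_back(pkt, sizeof pkt, &name);
    free(name);
    return st;
}

int main(void)
{
    char *name = NULL;
    enum hello_status st = parse_hello_back(good_packet, sizeof good_packet, &name);
    printf("good packet: status %d, name \"%s\"\n", st, name ? name : "");
    free(name);
    st = parse_hello_back(hostile_packet, sizeof hostile_packet, &name);
    printf("hostile packet: status %d (rejected before allocating)\n", st);
    printf("over-cap packet: status %d\n", check_over_cap());
    return 0;
}
```

The two checks are deliberately separate: the comparison against `n - 4` is what stops the 0xffffffff case, since no packet can carry that many bytes, while the `MAX_CLIENT_NAME` cap is what keeps a well-formed but oversized name from turning into a large allocation. Validating against remaining input first also means the check is independent of whatever cap the application chooses.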