Fedora has issued an advisory today (December 16): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VFDEQED64YLWQK2TF73EMXZDYX7YT2DD/ The issue is fixed upstream in 1.12.0. Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Another homeless SRPM, so assigning the bug globally.
Assignee: bugsquad => pkg-bugs
Done for both Cauldron and mga7!
CC: (none) => geiger.david68210
src: synergy-1.12.0-1.mga7
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Advisory:
========================

Updated synergy packages fix security vulnerability:

In Synergy before version 1.12.0, a Synergy server can be crashed by receiving a kMsgHelloBack packet with a client name length set to 0xffffffff (4294967295) if the server's memory is less than 4 GB. It was verified that this issue does not cause a crash through the exception handler if the available memory of the Server is more than 4GB (CVE-2020-15117).

The synergy package has been updated to version 1.12.0, fixing this issue and several other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15117
https://github.com/symless/synergy-core/security/advisories/GHSA-chfm-333q-gfpp
https://github.com/symless/synergy-core/releases/tag/1.11.0-stable
https://github.com/symless/synergy-core/releases/tag/v1.11.1-stable
https://github.com/symless/synergy-core/releases/tag/v1.12.0-stable
========================

Updated packages in core/updates_testing:
========================

synergy-1.12.0-1.mga7
synergy-gui-1.12.0-1.mga7

from synergy-1.12.0-1.mga7.src.rpm
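The advisory describes a client-name length that is trusted before it is checked. As an added illustration (not Synergy's code and not part of this bug report), the C++ below puts that unchecked pattern next to a hardened one. It assumes a simplified wire layout (a 4-byte big-endian length followed by the name bytes) and a hypothetical 256-byte cap; function names and the packet builder are assumptions.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Assumed wire layout (not Synergy's real encoding): a 4-byte big-endian
// length followed by that many bytes of client name.
static uint32_t readBE32(const std::vector<uint8_t>& b, size_t off) {
    return (uint32_t(b[off]) << 24) | (uint32_t(b[off + 1]) << 16) |
           (uint32_t(b[off + 2]) << 8) | uint32_t(b[off + 3]);
}

// Builds a constructed packet; 'claimedLen' lets a test encode a length that
// does not match the bytes actually sent, as in the 0xffffffff case above.
std::vector<uint8_t> makeHelloBack(const std::string& name, uint32_t claimedLen) {
    std::vector<uint8_t> pkt = {uint8_t(claimedLen >> 24), uint8_t(claimedLen >> 16),
                                uint8_t(claimedLen >> 8), uint8_t(claimedLen)};
    pkt.insert(pkt.end(), name.begin(), name.end());
    return pkt;
}

// Unchecked pattern: trusts the wire length and allocates it before verifying
// that many bytes arrived. A length of 0xffffffff asks for 4 GiB; on a host
// with less memory resize() throws std::bad_alloc and, if nothing catches it,
// the process terminates. Only call this with an honest length.
std::string parseNameUnchecked(const std::vector<uint8_t>& pkt) {
    uint32_t len = readBE32(pkt, 0);
    std::string name;
    name.resize(len);                         // the allocation that kills the server
    size_t avail = std::min<size_t>(len, pkt.size() - 4);
    std::memcpy(&name[0], pkt.data() + 4, avail);
    return name;
}

struct ParsedName { bool ok; std::string name; std::string error; };
constexpr uint32_t kMaxClientName = 256;      // assumed policy cap, not Synergy's

// Hardened pattern: check the length against a fixed cap and against the
// bytes actually present before any allocation happens.
ParsedName parseNameChecked(const std::vector<uint8_t>& pkt) {
    if (pkt.size() < 4) return {false, "", "truncated header"};
    uint32_t len = readBE32(pkt, 0);
    if (len > kMaxClientName) return {false, "", "name length above cap"};
    if (len > pkt.size() - 4) return {false, "", "name length exceeds payload"};
    return {true, std::string(pkt.begin() + 4, pkt.begin() + 4 + len), ""};
}
```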
mga7, x64

"Synergy is a software application for sharing a keyboard and mouse between multiple computers."

There appears to be a reproducer for the CVE-2020-15117 issue. But - this does not appear to be free software.

$ ll *synergy*
-rwxr-xr-x 1 root root 1234568 Apr 13 2019 synergy*
-rwxr-xr-x 1 root root 553824 Apr 13 2019 synergyc*
-rwxr-xr-x 1 root root 734440 Apr 13 2019 synergys*

Setting up:
$ synergy
Presents a gui - chose English - set up server SSL fingerprint - configure interactively - configure server

Here it gets stuck. A window is presented for the "serial key": "This can be found on your account page". Clicking on the word 'account' takes you to https://members.symless.com/ where you can sign in, but the banner indicates that you need a licence - it says "Buy now". How do we get round that? There is a free version released under GNU GPL.
CC: (none) => tarazed25
It looks like the licence requirement can be bypassed by enabling auto-config in settings. Trying that now but had to remove the application and reinstall it.
Continuation from comment 6: Tried to set up the client on another computer but could not add the server name in the client configuration. There was a message "*** WARNING *** The program 'synergy' uses the Apple Bonjour compatibility layer of Avahi. *** WARNING *** Please fix your application to use the native API of Avahi!" and in the info panel "stopping synergy desktop process" and "Synergy is not running". On the server side dozens of popup error messages similar to "Unknown client canopus" started to flood the screen and the server had to be killed. canopus is the name of the other workstation. Handing this over to anybody with more knowledge.
$ rpm -qa|grep synergy
synergy-1.12.0-1.mga7
synergy-gui-1.12.0-1.mga7

I've been using this package since 2012.

On the system with the mouse/keyboard connected ...
$ cat .config/autostart-scripts/synergy
#!/bin/bash
killall -9 synergys 2>/dev/null
synergys -n desktop --debug FATAL

On the system where I don't normally use its keyboard/mouse ...
$ cat .config/autostart-scripts/synergy-client
#!/bin/bash
killall synergyc
sleep 2
/usr/bin/synergyc --name laptop --restart --debug FATAL 192.168.10.2

In addition to being able to use the same keyboard/mouse for both systems, I can copy to the clipboard on either of the two systems, and paste on the other. I haven't tried to reproduce the problem, but can confirm that no regressions have been found. Validating the update.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update
Advisory pushed to SVN.
CVE: (none) => CVE-2020-15117
Keywords: (none) => advisory
CC: (none) => ouaurelien
Source RPM: synergy-1.10.3-2.mga8.src.rpm => synergy-1.10.1-1.mga7.src.rpm
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0040.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED