Fedora has issued an advisory today (December 16):
The issue is fixed upstream in 1.12.0.
Mageia 7 is also affected.
Another homeless SRPM, so assigning the bug globally.
Done for both Cauldron and mga7!
Updated synergy packages fix security vulnerability:
In Synergy before version 1.12.0, a Synergy server can be crashed by receiving
a kMsgHelloBack packet with a client name length set to 0xffffffff (4294967295)
if the server's memory is less than 4 GB. It was verified that this issue does
not cause a crash through the exception handler if the available memory of the
Server is more than 4GB (CVE-2020-15117).
The synergy package has been updated to version 1.12.0, fixing this issue and
several other bugs.
Updated packages in core/updates_testing:
"Synergy is a software application for sharing a keyboard and mouse between multiple computers."
There appears to be a reproducer for the CVE-2020-15117 issue.
But - this does not appear to be free software.
$ ll *synergy*
-rwxr-xr-x 1 root root 1234568 Apr 13 2019 synergy*
-rwxr-xr-x 1 root root 553824 Apr 13 2019 synergyc*
-rwxr-xr-x 1 root root 734440 Apr 13 2019 synergys*
Presents a gui - chose English - set up server
SSL fingerprint - configure interactively - configure server
Here it gets stuck. A window is presented for the "serial key"
"This can be found on your account page"
Clicking on the word 'account' takes you to https://members.symless.com/ where you can sign but the banner indicates that you need a licence - it says "Buy now".
How do we get round that? There is a free version released under GNU GPL.
It looks like the licence requirement can be bypassed by enabling auto-config in settings. Trying that now but had to remove the application and reinstall it.
Continuation from comment 6:
Tried to set up the client on another computer but could not add the server name in the client configuration. There was a message
"*** WARNING *** The program 'synergy' uses the Apple Bonjour compatibility layer of Avahi.
*** WARNING *** Please fix your application to use the native API of Avahi!"
and in the info panel "stopping synergy desktop process" and "Synergy is not running".
On the server side dozens of popup error messages similar to "Unknown client canopus" started to flood the screen and the server had to be killed. canopus is the name of the other workstation.
Handing this over to anybody with more knowledge.
$ rpm -qa|grep synergy
I've been using this package since 2012. On the system with the mouse/keyboard
$ cat .config/autostart-scripts/synergy
killall -9 synergys 2>/dev/null
synergys -n desktop --debug FATAL
On the system where I don't normally use its keyboard/mouse ...
$ cat .config/autostart-scripts/synergy-client
/usr/bin/synergyc --name laptop --restart --debug FATAL 192.168.10.2
In addition to being able to use the same keyboard/mouse for both systems, I can
copy to the clipboard on either of the two systems, and paste on the other.
I haven't tried to reproduce the problem, but can confirm that no regressions
have been found.
Validating the update.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.
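The advisory text above attributes the crash to a kMsgHelloBack packet whose client name length is 0xffffffff. As an added example (not Synergy's code and not the upstream fix), this C parser bounds the claimed length before copying anything; the message layout ("Synergy", 2-byte major, 2-byte minor, 4-byte big-endian name length, name), the 255-byte cap and all identifiers are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HDR_LEN 15u        /* "Synergy"(7) + major(2) + minor(2) + name length(4); assumed layout */
#define MAX_NAME_LEN 255u  /* hypothetical cap, not taken from the project */

enum { HB_OK = 0, HB_SHORT = -1, HB_BAD_MAGIC = -2, HB_NAME_TOO_LONG = -3, HB_TRUNCATED = -4 };

struct hello_back {
    uint16_t major, minor;
    char name[MAX_NAME_LEN + 1];
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one hello-back message already read into buf[0..len). */
int parse_hello_back(const uint8_t *buf, size_t len, struct hello_back *out) {
    if (len < HDR_LEN) return HB_SHORT;
    if (memcmp(buf, "Synergy", 7) != 0) return HB_BAD_MAGIC;
    out->major = (uint16_t)((buf[7] << 8) | buf[8]);
    out->minor = (uint16_t)((buf[9] << 8) | buf[10]);
    uint32_t name_len = be32(buf + 11);
    /* Reject before any allocation or copy: 0xffffffff stops here. */
    if (name_len > MAX_NAME_LEN) return HB_NAME_TOO_LONG;
    /* The claimed length must also fit in the bytes actually received. */
    if (name_len > len - HDR_LEN) return HB_TRUNCATED;
    memcpy(out->name, buf + HDR_LEN, name_len);
    out->name[name_len] = '\0';
    return HB_OK;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t SAMPLE_OK[] = { 'S','y','n','e','r','g','y', 0,1, 0,6, 0,0,0,6, 'l','a','p','t','o','p' };
static const uint8_t SAMPLE_HUGE[] = { 'S','y','n','e','r','g','y', 0,1, 0,6, 0xff,0xff,0xff,0xff };

int main(void) {
    struct hello_back hb;
    int ok = parse_hello_back(SAMPLE_OK, sizeof SAMPLE_OK, &hb);
    int huge = parse_hello_back(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &hb);
    return (ok == HB_OK && huge == HB_NAME_TOO_LONG) ? 0 : 1;
}
```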