Bug 27851 - synergy new security issue CVE-2020-15117
Summary: synergy new security issue CVE-2020-15117
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-12-16 15:47 CET by David Walser
Modified: 2021-01-17 17:08 CET
CC: 6 users

See Also:
Source RPM: synergy-1.10.1-1.mga7.src.rpm
CVE: CVE-2020-15117
Status comment:


Attachments

Description David Walser 2020-12-16 15:47:44 CET
Fedora has issued an advisory today (December 16):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VFDEQED64YLWQK2TF73EMXZDYX7YT2DD/

The issue is fixed upstream in 1.12.0.

Mageia 7 is also affected.
David Walser 2020-12-16 15:48:06 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-12-17 10:28:26 CET
Another homeless SRPM, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2020-12-24 11:29:45 CET
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 3 Nicolas Lécureuil 2020-12-24 11:56:32 CET
src:
synergy-1.12.0-1.mga7

Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7

Comment 4 David Walser 2020-12-24 16:19:16 CET
Advisory:
========================

Updated synergy packages fix security vulnerability:

In Synergy before version 1.12.0, a Synergy server can be crashed by receiving
a kMsgHelloBack packet with a client name length set to 0xffffffff (4294967295)
if the server's memory is less than 4 GB. It was verified that this issue does
not cause a crash through the exception handler if the available memory of the
server is more than 4 GB (CVE-2020-15117).

The synergy package has been updated to version 1.12.0, fixing this issue and
several other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15117
https://github.com/symless/synergy-core/security/advisories/GHSA-chfm-333q-gfpp
https://github.com/symless/synergy-core/releases/tag/1.11.0-stable
https://github.com/symless/synergy-core/releases/tag/v1.11.1-stable
https://github.com/symless/synergy-core/releases/tag/v1.12.0-stable
========================

Updated packages in core/updates_testing:
========================
synergy-1.12.0-1.mga7
synergy-gui-1.12.0-1.mga7

from synergy-1.12.0-1.mga7.src.rpm
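The advisory above describes a classic untrusted-length defect: the name length carried in the peer's kMsgHelloBack packet is used to size an allocation before it is checked, so a length of 0xffffffff asks the server for about 4 GiB. The following is an added example (not Synergy's code, and not taken from the upstream fix) showing the unchecked pattern next to a hardened parser that validates the declared length against both the bytes actually received and a policy maximum before any allocation depends on it. The message layout (4-byte big-endian length followed by the name), the kMaxClientNameLen limit and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Assumed wire layout for this example: [4-byte big-endian name length][name bytes].
// kMaxClientNameLen is a hypothetical policy limit, not a Synergy constant.
constexpr std::size_t kMaxClientNameLen = 256;

struct ParseResult {
    bool ok;
    std::string name;   // parsed client name when ok == true
    std::string error;  // reason for rejection, suitable for a server log line
};

// Read an unsigned 32-bit big-endian value from buf[pos .. pos+4).
static std::uint32_t readU32BE(const std::vector<std::uint8_t>& buf, std::size_t pos) {
    return (std::uint32_t(buf[pos]) << 24) | (std::uint32_t(buf[pos + 1]) << 16)
         | (std::uint32_t(buf[pos + 2]) << 8) | std::uint32_t(buf[pos + 3]);
}

// The pattern the advisory describes, kept only for contrast and never called
// here: the string is sized by the peer-controlled length before it is checked,
// so a declared length of 0xffffffff triggers a multi-gigabyte allocation and
// the server dies in the allocation (or its exception handler) when that much
// memory is not available.
ParseResult parseHelloBackUnchecked(const std::vector<std::uint8_t>& msg) {
    std::uint32_t declared = readU32BE(msg, 0);
    std::string name(declared, '\0');                     // allocation sized by untrusted length
    for (std::size_t i = 0; i < declared && 4 + i < msg.size(); ++i) name[i] = char(msg[4 + i]);
    return {true, name, ""};
}

// Hardened parser: every use of the declared length is preceded by a check
// against what was actually received and against a policy maximum, so no
// allocation is ever sized by a value the peer alone controls.
ParseResult parseHelloBack(const std::vector<std::uint8_t>& msg) {
    if (msg.size() < 4) {
        return {false, "", "truncated header"};
    }
    const std::uint32_t declared = readU32BE(msg, 0);
    if (declared > kMaxClientNameLen) {
        return {false, "", "client name length exceeds policy maximum"};
    }
    if (declared > msg.size() - 4) {
        return {false, "", "client name length exceeds received bytes"};
    }
    // Only now is it safe to let the length drive an allocation.
    std::string name(msg.begin() + 4, msg.begin() + 4 + declared);
    return {true, name, ""};
}

// Build a message with an arbitrary declared length (which may deliberately
// disagree with the real name length) so the checks above can be exercised.
std::vector<std::uint8_t> buildHelloBack(std::uint32_t declaredLen, const std::string& name) {
    std::vector<std::uint8_t> out = {
        std::uint8_t(declaredLen >> 24), std::uint8_t(declaredLen >> 16),
        std::uint8_t(declaredLen >> 8),  std::uint8_t(declaredLen)};
    out.insert(out.end(), name.begin(), name.end());
    return out;
}
```

A server using parseHelloBack logs the returned error string and drops the connection instead of allocating; the unchecked variant is left in for comparison only and is not exercised. The same two checks (declared length versus bytes on hand, then versus a hard ceiling) apply to any length-prefixed field in a network protocol, not just this one message.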
Comment 5 Len Lawrence 2020-12-28 19:26:57 CET
mga7, x64

"Synergy is a software application for sharing a keyboard and mouse between multiple computers."
There appears to be a reproducer for the CVE-2020-15117 issue.

But - this does not appear to be free software.

$ ll *synergy*
-rwxr-xr-x 1 root root 1234568 Apr 13  2019 synergy*
-rwxr-xr-x 1 root root  553824 Apr 13  2019 synergyc*
-rwxr-xr-x 1 root root  734440 Apr 13  2019 synergys*
Setting up:
$ synergy
Presents a gui - chose English - set up server
SSL fingerprint - configure interactively - configure server

Here it gets stuck.  A window is presented for the "serial key"
"This can be found on your account page"
Clicking on the word 'account' takes you to https://members.symless.com/ where you can sign but the banner indicates that you need a licence - it says "Buy now".

How do we get round that?  There is a free version released under GNU GPL.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2020-12-28 19:36:47 CET
It looks like the licence requirement can be bypassed by enabling auto-config in settings.  Trying that now but had to remove the application and reinstall it.
Comment 7 Len Lawrence 2020-12-28 20:06:12 CET
Continuation from comment 6:

Tried to set up the client on another computer but could not add the server name in the client configuration.  There was a message
"*** WARNING *** The program 'synergy' uses the Apple Bonjour compatibility layer of Avahi.
*** WARNING *** Please fix your application to use the native API of Avahi!"
and in the info panel "stopping synergy desktop process" and "Synergy is not running".
On the server side dozens of popup error messages similar to "Unknown client canopus" started to flood the screen and the server had to be killed.  canopus is the name of the other workstation.
Handing this over to anybody with more knowledge.
Comment 8 Dave Hodgins 2021-01-14 19:10:59 CET
$ rpm -qa|grep synergy
synergy-1.12.0-1.mga7
synergy-gui-1.12.0-1.mga7

I've been using this package since 2012. On the system with the mouse/keyboard
connected ...
$ cat .config/autostart-scripts/synergy 
#!/bin/bash
killall -9 synergys 2>/dev/null
synergys -n desktop --debug FATAL

On the system where I don't normally use it's keyboard/mouse ...
$ cat .config/autostart-scripts/synergy-client 
#!/bin/bash
killall synergyc
sleep 2
/usr/bin/synergyc --name laptop --restart --debug FATAL 192.168.10.2

In addition to being able to use the same keyboard/mouse for both systems, I can
copy to the clipboard on either of the two systems, and paste on the other.

I haven't tried to reproduce the problem, but can confirm that no regressions
have been found.
Validating the update.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Keywords: (none) => validated_update

Comment 9 Aurelien Oudelet 2021-01-17 15:22:18 CET
Advisory pushed to SVN.

CVE: (none) => CVE-2020-15117
Keywords: (none) => advisory
CC: (none) => ouaurelien
Source RPM: synergy-1.10.3-2.mga8.src.rpm => synergy-1.10.1-1.mga7.src.rpm

Comment 10 Mageia Robot 2021-01-17 17:08:38 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0040.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
