Bug 249375

Summary: net-im/py-matrix-synapse: Update to 1.19.3
Product: Ports & Packages
Reporter: Sascha Biberhofer <ports>
Component: Individual Port(s)
Assignee: Danilo G. Baio <dbaio>
Status: Closed FIXED
Severity: Affects Many People
CC: arcade, dbaio, dkasak, jordan, linus.sundqvist, ports-secteam, ports, python
Priority: Normal
Flags: ports: maintainer-feedback+, dbaio: merge-quarterly+
Version: Latest
Hardware: Any
OS: Any

Attachments (description, flags):
net-im/py-matrix-synapse: Update to 1.19.2 (none)
Add a vuxml entry for py-matrix-synapse 1.19.1 and below (ports: maintainer-approval+)
net-im/py-matrix-synapse: Update to 1.19.3 (ports: maintainer-approval+)
Updated vuxml entry for py-matrix-synapse 1.19.1 and below (none)

Description Sascha Biberhofer 2020-09-16 14:15:35 UTC
Created attachment 218006 [details]
net-im/py-matrix-synapse: Update to 1.19.2

The synapse developers just released 1.19.2, fixing a bug in synapse's handling of certain events that may break federated rooms[1].

This patch bumps the version of synapse to 1.19.2 to fix these issues.

portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1142 tests in 417.952s, PASSED (skips=5, successes=1137))

Package seems to run fine on my server. I'll append a patch for the corresponding vuxml entry in the next message. :)


Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/releases/tag/v1.19.2
Comment 1 Sascha Biberhofer 2020-09-16 14:17:40 UTC
Created attachment 218007 [details]
Add a vuxml entry for py-matrix-synapse 1.19.1 and below

This is the corresponding vuln.xml entry, as best as I could create one from the commit.
Comment 2 Denis Kasak 2020-09-16 14:26:00 UTC
*** Bug 249373 has been marked as a duplicate of this bug. ***
Comment 3 Volodymyr Kostyrko 2020-09-17 10:21:22 UTC
Hello.

As I'm using Synapse at home too, I'd like to ask for a favor:

1. Please set "Importance" to "Affects some people".

2. Add "Keywords" "easy, patch-ready", can speed up things a lot.

3. As you are the maintainer, don't forget to approve patches/the ticket. Without maintainer approval we fall into the long maintainer timeout period until someone takes a look.

4. If that's a security issue it probably should be propagated to quarterly, replacing the older vulnerable version there.

Big thanks for porting Synapse!
Comment 4 Sascha Biberhofer 2020-09-17 11:09:01 UTC
(In reply to Volodymyr Kostyrko from comment #3)
Thank you for the feedback!

Ad 1 and 3: The last time I submitted an update, I set the importance to "affects some people" but it was downgraded to "affects only me" afterwards, so I'm not sure which level is appropriate here. Also, I've been told that the maintainer feedback flags are only meant to be used if the feedback has been explicitly requested for some reason, so I don't set them when I simply submit a bug.

Ad 2: I'll add that, thank you :)
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2020-09-18 04:04:04 UTC
^Triage: Please set the maintainer-approval attachment flag (to +) on patches for ports you maintain to signify approval

Attachment -> Details -> maintainer-approval [+]
Comment 6 Sascha Biberhofer 2020-09-19 15:39:34 UTC
Created attachment 218081 [details]
net-im/py-matrix-synapse: Update to 1.19.3

The synapse developers have now released 1.19.3, containing an additional bugfix for malformed events. I've updated the patch accordingly. The resulting port builds and tests just as fine as 1.19.2 did.


portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 121amd64)
do-test: OK (Ran 1142 tests in 417.952s, PASSED (skips=5, successes=1137))

There's a new release (1.20.0) planned for next week, which will contain these fixes as well as further feature updates.

Is there anything else I can do to help this get merged?

Cheers,
Sascha
Comment 7 Danilo G. Baio freebsd_committer 2020-09-19 17:50:37 UTC
I don't think we need to merge it to the quarterly branch or add an entry to vuxml; anyway, thanks for that.

Waiting for build tests.
Comment 8 commit-hook freebsd_committer 2020-09-19 18:14:07 UTC
A commit references this bug:

Author: dbaio
Date: Sat Sep 19 18:13:56 UTC 2020
New revision: 549046
URL: https://svnweb.freebsd.org/changeset/ports/549046

Log:
  net-im/py-matrix-synapse: Update to 1.19.3

  Changelog:	https://github.com/matrix-org/synapse/blob/v1.19.3/CHANGES.md

  PR:		249375
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Event:		September 2020 Bugathon

Changes:
  head/net-im/py-matrix-synapse/Makefile
  head/net-im/py-matrix-synapse/distinfo
Comment 9 Danilo G. Baio freebsd_committer 2020-09-19 18:15:32 UTC
Committed, thanks!
Comment 10 Denis Kasak 2020-09-19 21:44:26 UTC
(In reply to Danilo G. Baio from comment #7)

Out of curiosity, why not a vuxml entry?
Comment 11 Danilo G. Baio freebsd_committer 2020-09-19 22:27:07 UTC
(In reply to Denis Kasak from comment #10)

Usually the project (matrix-org/synapse) documents its security issues, they didn't with this.

"malformed events may prevent users from joining federated rooms"
this looks like a simple bug to me.

That's why I understood that there is no security implication here.

I'm not a synapse user, so I can be wrong, and I'll be happy to push a vuxml entry, but we will need to improve that wording a little.

Regards.
Comment 12 Denis Kasak 2020-09-19 22:37:04 UTC
(In reply to Danilo G. Baio from comment #11)

The security implication is that this is a classic DoS attack. An attacker sends a malformed event and breaks the application for other users, preventing them from joining.

Due to federation, this is not limited to the attacker's homeserver but extends to all other homeservers participating in the room with the malformed event.

It definitely seems like a security issue to me, but I'm curious to hear your opinion about it.
Comment 13 Danilo G. Baio freebsd_committer 2020-09-19 23:00:07 UTC
(In reply to Denis Kasak from comment #12)

Thanks for the information, could you update the vuxml patch?

If version 1.15.2 is affected, I'll ask for approval to merge this update (with the other ones) to the quarterly branch 2020Q3.
Comment 14 Denis Kasak 2020-09-21 11:33:04 UTC
Created attachment 218143 [details]
Updated vuxml entry for py-matrix-synapse 1.19.1 and below

Here's an updated vuxml entry with a more detailed description. Sending as an ordinary diff instead of a git patch since I don't have a git clone of ports ready and it takes ages. (Is there already an official git mirror somewhere?)

Let me know if there's anything else.
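For readers who have not written one, this is the shape of the vuln.xml entry the thread is discussing. It is an illustrative entry constructed here, not the attached patch or the one committed in r549530: the vid UUID is a placeholder, the package name covers only the py37 flavour seen in this thread, the description paraphrases comment #12, and the dates are assumed to be the 1.19.2 release date and the commit date.

```xml
<vuln vid="00000000-0000-0000-0000-000000000000">
  <!-- placeholder vid: generate a real one with uuidgen -->
  <topic>py-matrix-synapse -- denial of service via malformed events in federated rooms</topic>
  <affects>
    <package>
      <!-- only the py37 flavour appears in this thread; other Python
           flavours of the port would be added as further <name> elements -->
      <name>py37-matrix-synapse</name>
      <!-- "1.19.1 and below" is affected, i.e. everything before 1.19.2 -->
      <range><lt>1.19.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Synapse versions before 1.19.2 mishandle certain malformed events.
      A single malformed event sent by one participant can prevent users on
      every homeserver participating in the room from joining it. Because
      the event is propagated over federation, the impact is not limited to
      the sender's homeserver but affects all homeservers in the room.</p>
    </body>
  </description>
  <references>
    <url>https://github.com/matrix-org/synapse/releases/tag/v1.19.2</url>
    <freebsdpr>ports/249375</freebsdpr>
  </references>
  <dates>
    <!-- assumed: release date of 1.19.2 and date of the vuxml commit -->
    <discovery>2020-09-16</discovery>
    <entry>2020-09-21</entry>
  </dates>
</vuln>
```

Before committing, `make validate` in security/vuxml checks the entry against the DTD and `make newentry` prints a fresh template with a generated vid.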
Comment 15 Sascha Biberhofer 2020-09-21 14:43:13 UTC
Comment on attachment 218143 [details]
Updated vuxml entry for py-matrix-synapse 1.19.1 and below

Hi, sorry for the slight delay here and thank you for clearing up the impact of the issue. The updated vuxml entry looks fine to me. :-)
Comment 16 commit-hook freebsd_committer 2020-09-21 21:08:18 UTC
A commit references this bug:

Author: dbaio
Date: Mon Sep 21 21:07:57 UTC 2020
New revision: 549530
URL: https://svnweb.freebsd.org/changeset/ports/549530

Log:
  security/vuxml: Document net-im/py-matrix-synapse issue

  PR:		249375
  Submitted by:	Denis Kasak <dkasak@termina.org.uk>
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (earlier version)

Changes:
  head/security/vuxml/vuln.xml
Comment 17 Danilo G. Baio freebsd_committer 2020-09-21 21:29:12 UTC
Thank you both.

Waiting for approval to merge this (and the other updates) to 2020Q3 branch.
Comment 18 commit-hook freebsd_committer 2020-09-21 22:37:39 UTC
A commit references this bug:

Author: dbaio
Date: Mon Sep 21 22:36:35 UTC 2020
New revision: 549534
URL: https://svnweb.freebsd.org/changeset/ports/549534

Log:
  MFH: r542468 r544604 r545291 r549046

  net-im/py-matrix-synapse: update to 1.17.0

  PR:		248016
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)

  net-im/py-matrix-synapse: Update to 1.18.0

  PR:		248566
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)

  net-im/py-matrix-synapse: Update to 1.19.0

  PR:		248719
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)

  net-im/py-matrix-synapse: Update to 1.19.3

  Changelog:	https://github.com/matrix-org/synapse/blob/v1.19.3/CHANGES.md

  PR:		249375
  Submitted by:	Sascha Biberhofer <ports@skyforge.at> (maintainer)
  Event:		September 2020 Bugathon

  Approved by:	ports-secteam (fluffy)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/net-im/py-matrix-synapse/Makefile
  branches/2020Q3/net-im/py-matrix-synapse/distinfo
  branches/2020Q3/net-im/py-matrix-synapse/files/patch-python_dependencies.py
  branches/2020Q3/net-im/py-matrix-synapse/files/patch-synapse_python__dependencies.py
Comment 19 Danilo G. Baio freebsd_committer 2020-09-21 22:40:33 UTC
Merged, thank you all!
Comment 20 linus.sundqvist 2020-09-22 19:40:46 UTC
I am unable to build this package in 2020Q3 because it depends on py37-canonicaljson>=1.2.0, but only 1.1.4 is available in 2020Q3 at the moment using these options:

     DOCS=on: Build and/or install documentation
     LDAP=off: LDAP protocol support
     OIDC=off: Add dependencies for OpenID Connect based logins
     PGSQL=on: PostgreSQL database support
     REDIS=off: Add support replication over Redis for synapse workers
     SQLITE=off: SQLite database support
     URLPREVIEW=on: Add dependencies necessary for URL previews

===>   py37-matrix-synapse-1.19.3 depends on package: py37-canonicaljson>=1.2.0 - not found
===>   Installing existing package /packages/All/py37-canonicaljson-1.1.4.txz
[12_1-FreeBSD-2020Q3-job-01] Installing py37-canonicaljson-1.1.4...
[12_1-FreeBSD-2020Q3-job-01] `-- Installing py37-simplejson-3.17.0...
[12_1-FreeBSD-2020Q3-job-01] `-- Extracting py37-simplejson-3.17.0: .......... done
[12_1-FreeBSD-2020Q3-job-01] Extracting py37-canonicaljson-1.1.4: ......... done
===>   py37-matrix-synapse-1.19.3 depends on package: py37-canonicaljson>=1.2.0 - not found
*** Error code 1
Comment 21 Danilo G. Baio freebsd_committer 2020-09-22 23:49:52 UTC
(In reply to linus.sundqvist from comment #20)

Thanks for reporting it.

Updating devel/py-canonicaljson to 1.2.0 alone will break bulk -a.

This is what I tracked; I've sent an email to ports-secteam and portmgr to hear their thoughts (and get approval) to merge.

devel/py-canonicaljson:
  ports r544404 - Update to 1.2.0 (USES= python --> USES= python:3.5+)

security/py-signedjson:
  ports r542025 - Fix RUN_DEPENDS Python 3.8 (devel/py-importlib-metadata)
  ports r542200 - Manually, just on security/py-signedjson (USES= python --> USES= python:3.6+)
Comment 22 commit-hook freebsd_committer 2020-09-23 21:17:33 UTC
A commit references this bug:

Author: dbaio
Date: Wed Sep 23 21:17:31 UTC 2020
New revision: 549855
URL: https://svnweb.freebsd.org/changeset/ports/549855

Log:
  MFH: r542025 r544404

  Fix RUN_DEPENDS

  - Bump PORTREVISION for dependency change

  devel/py-importlib-metadata is not required for python 3.8+.

  Update to 1.2.0

  Changes:	https://github.com/matrix-org/python-canonicaljson/blob/master/CHANGES.md

  MFH: r542200 (partial)
    Update Python requirements for security/py-signedjson (avoid break bulk -a)

  PR:		249375
  Approved by:	ports-secteam (fluffy)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/devel/py-canonicaljson/Makefile
  branches/2020Q3/devel/py-canonicaljson/distinfo
  branches/2020Q3/security/py-signedjson/Makefile
  branches/2020Q3/security/py-signedjson/files/