Bug 259994 - net-im/py-matrix-synapse: Security update to 1.47.1
Summary: net-im/py-matrix-synapse: Security update to 1.47.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Ashish SHUKLA
URL: https://github.com/matrix-org/synapse...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-11-23 14:36 UTC by Sascha Biberhofer
Modified: 2021-11-24 12:53 UTC
CC: 2 users

See Also:
Flags: ashish: merge-quarterly+


Attachments
net-im/py-matrix-synapse: Update to 1.47.1 (989 bytes, patch)
2021-11-23 14:36 UTC, Sascha Biberhofer
ports: maintainer-approval+
vuxml for CVE-2021-41281 (1.81 KB, patch)
2021-11-23 15:49 UTC, Evilham

Description Sascha Biberhofer 2021-11-23 14:36:02 UTC
Created attachment 229668 [details]
net-im/py-matrix-synapse: Update to 1.47.1

This updates py-matrix-synapse to 1.47.1, which fixes a critical path traversal vulnerability when downloading remote media, see [1].

portlint: "OK" (3 Warnings, none new)
testport: OK (poudriere: 130amd64)
do-test: OK (Ran 2017 tests in 1007.761s, PASSED (skips=36, successes=1981))

Since this affects all versions of synapse we should probably MFH it to our quarterly branch, if possible. I'll also try and write a vuln.xml entry later tonight.

Cheers,
Sascha

[1] https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c
Comment 1 Evilham 2021-11-23 15:49:23 UTC
Created attachment 229671 [details]
vuxml for CVE-2021-41281

Thank you Sascha, here is the vuxml :-).
Comment 2 commit-hook 2021-11-23 16:54:19 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a3987e103053782333cdcc1a0cd772d61f333b4e

commit a3987e103053782333cdcc1a0cd772d61f333b4e
Author:     Sascha Biberhofer <ports@skyforge.at>
AuthorDate: 2021-11-23 16:49:37 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-11-23 16:53:03 +0000

    net-im/py-matrix-synapse: Update to 1.47.1

    PR:             259994
    MFH:            2021Q4
    Security:       27aa2253-4c72-11ec-b6b9-e86a64caca56
    Security:       CVE-2021-41281

 net-im/py-matrix-synapse/Makefile | 2 +-
 net-im/py-matrix-synapse/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 3 commit-hook 2021-11-23 16:54:20 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c6782b5ef530f87268d42d171eef424244fb2822

commit c6782b5ef530f87268d42d171eef424244fb2822
Author:     Evilham <contact@evilham.com>
AuthorDate: 2021-11-23 16:45:05 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-11-23 16:53:00 +0000

    security/vuxml: Document vulnerability in Matrix Synapse

    PR:             259994
    Reported by:    Sascha Biberhofer <ports at skyforge dot at>
    Security:       27aa2253-4c72-11ec-b6b9-e86a64caca56
    Security:       CVE-2021-41281

 security/vuxml/vuln-2021.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 4 Ashish SHUKLA 2021-11-23 17:20:05 UTC
Just an update here to explain the delay in merging to quarterly branch. Apparently 1.47.1 depends on www/py-pyjwt1 which is not in the quarterly branch :/.
Comment 5 commit-hook 2021-11-24 11:22:27 UTC
A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=06d01a3e6b0a2d6ac9f2c29b2f0a68605f30e0b6

commit 06d01a3e6b0a2d6ac9f2c29b2f0a68605f30e0b6
Author:     Sascha Biberhofer <ports@skyforge.at>
AuthorDate: 2021-11-23 16:49:37 +0000
Commit:     Ashish SHUKLA <ashish@FreeBSD.org>
CommitDate: 2021-11-24 11:20:29 +0000

    net-im/py-matrix-synapse: Update to 1.47.1

    PR:             259994
    MFH:            2021Q4
    Security:       27aa2253-4c72-11ec-b6b9-e86a64caca56
    Security:       CVE-2021-41281
    (cherry picked from commit a3987e103053782333cdcc1a0cd772d61f333b4e)

 net-im/py-matrix-synapse/Makefile | 2 +-
 net-im/py-matrix-synapse/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 6 Ashish SHUKLA 2021-11-24 11:26:38 UTC
Committed to quarterly after making sure it does not break INDEX, and builds fine, and checking with portmgr@ (Thanks tcberner@).

Thanks!
Comment 7 Evilham 2021-11-24 11:32:21 UTC
Lovely, thank you!

Ignorance asking here: shouldn't vuxml be updated too in 2021Q4 referring to this PR?
Comment 8 Ashish SHUKLA 2021-11-24 12:53:09 UTC
(In reply to Evilham from comment #7)

AFAIK, vuxml does not need to be updated, as end-users don't directly use security/vuxml port, but instead they use the audit file (using pkg-audit(8)) available from FreeBSD mirrors.

And also, I don't see any commits in security/vuxml commit log[0] for the time frame of 2021Q4 branch, or in older quarterly branches for that matter.

References:
[0] https://cgit.freebsd.org/ports/log/security/vuxml?h=2021Q4

HTH
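Added example (not code from this bug, from security/vuxml, or from pkg-audit(8)): a small Python audit check that does what comment 8 describes pkg-audit doing with the audit file, and what the vuxml entry attached in comment 1 feeds into. It parses a VuXML document, matches installed package names against each `<package><name>`, and tests the installed version against every `<range>`. The VuXML entry embedded below is constructed for this example; it reuses only the vid and CVE quoted in the commit messages, while the topic text and the flavoured package names (`py37-matrix-synapse`, `py38-matrix-synapse`) are assumptions, not the committed entry. The version comparison is a simplified model of pkg's (dotted numeric components, optional `_PORTREVISION`, optional `,PORTEPOCH`), not pkg's actual implementation.

```python
"""Check installed FreeBSD package versions against a VuXML entry.

Added example, not the FreeBSD project's code. The VuXML text below is
constructed for this example: the vid and CVE come from the bug, the
topic and package names are assumptions.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_VUXML = """<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="27aa2253-4c72-11ec-b6b9-e86a64caca56">
    <topic>Matrix Synapse -- path traversal when downloading remote media</topic>
    <affects>
      <package>
        <name>py37-matrix-synapse</name>
        <name>py38-matrix-synapse</name>
        <range><lt>1.47.1</lt></range>
      </package>
    </affects>
    <references>
      <cvename>CVE-2021-41281</cvename>
    </references>
  </vuln>
</vuxml>"""

NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}


def _split_version(ver):
    """Split 'version[_revision][,epoch]' into (epoch, components, revision).

    Simplified model of pkg's version syntax: components are (number, suffix)
    tuples so '1.47.0' and '1.47' compare equal after zero-padding.
    """
    epoch = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        rev = int(r)
    parts = []
    for piece in ver.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        parts.append((int(m.group(1)) if m.group(1) else 0, m.group(2)))
    return epoch, parts, rev


def compare_versions(a, b):
    """Return -1, 0 or 1 for a <, ==, > b. Epoch wins, then version, then revision."""
    ea, pa, ra = _split_version(a)
    eb, pb, rb = _split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    n = max(len(pa), len(pb))
    pa += [(0, "")] * (n - len(pa))
    pb += [(0, "")] * (n - len(pb))
    if pa != pb:
        return (pa > pb) - (pa < pb)
    return (ra > rb) - (ra < rb)


# VuXML range operators: every bound inside one <range> must hold.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def in_range(version, range_el):
    """True if `version` satisfies all bounds in a <range> element."""
    for bound in range_el:
        op = bound.tag.rsplit("}", 1)[-1]
        if not OPS[op](compare_versions(version, bound.text.strip())):
            return False
    return True


def audit(installed, vuxml_text=SAMPLE_VUXML):
    """installed: {package name: version}. Returns [(pkg, version, vid, [cves])]."""
    root = ET.fromstring(vuxml_text)
    findings = []
    for vuln in root.findall("v:vuln", NS):
        vid = vuln.get("vid")
        cves = [c.text for c in vuln.findall("v:references/v:cvename", NS)]
        for package in vuln.findall("v:affects/v:package", NS):
            names = {n.text for n in package.findall("v:name", NS)}
            ranges = package.findall("v:range", NS)
            for pkg, ver in installed.items():
                if pkg in names and any(in_range(ver, r) for r in ranges):
                    findings.append((pkg, ver, vid, cves))
    return findings


if __name__ == "__main__":
    # Constructed sample of what `pkg query '%n %v'` might list on a host.
    sample_installed = {"py38-matrix-synapse": "1.47.0", "py38-pyjwt1": "1.7.1"}
    for pkg, ver, vid, cves in audit(sample_installed):
        print(f"{pkg}-{ver} is vulnerable: vid {vid}, {', '.join(cves)}")
```

The point worth noticing is in `in_range`: a `<range>` with both `<ge>` and `<lt>` bounds is an intersection, and a `<package>` with several `<range>` elements is a union, which is why the check is `all` within a range and `any` across ranges. For real use, feed `audit()` the output of `pkg query '%n %v'` and the current `vuln.xml` from the FreeBSD mirrors rather than the constructed sample.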