Bug#928608: unblock: matrix-synapse/0.99.2-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Please unblock package matrix-synapse.
This upload backports two security updates from 0.99.3.
unblock matrix-synapse/0.99.2-5
- --
Cheers,
Andrej
-----BEGIN PGP SIGNATURE-----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=23ET
-----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog
index 0dfdb8d..a786521 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+matrix-synapse (0.99.2-5) unstable; urgency=high
+
+ * Security updates backported from 0.99.3:
+ - Use SystemRandom for token generation
+ - Blacklist 0.0.0.0 and :: by default for URL previews
+
+ -- Andrej Shadura <andrewsh@debian.org> Fri, 03 May 2019 22:26:41 +0200
+
matrix-synapse (0.99.2-4) unstable; urgency=medium
[ Antoine Beaupré ]
diff --git a/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch b/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch
new file mode 100644
index 0000000..21853e9
--- /dev/null
+++ b/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch
@@ -0,0 +1,85 @@
+From 1a7104fde3abc5392b90ca084efa896d46e24f91 Mon Sep 17 00:00:00 2001
+From: Richard van der Hoff <richard@matrix.org>
+Date: Fri, 3 May 2019 13:46:50 +0100
+Subject: [PATCH] Blacklist 0.0.0.0 and :: by default for URL previews
+
+---
+ changelog.d/5134.bugfix | 1 +
+ docs/sample_config.yaml | 14 +++++++++-----
+ synapse/config/repository.py | 28 ++++++++++++++++++----------
+ 3 files changed, 28 insertions(+), 15 deletions(-)
+ create mode 100644 changelog.d/5134.bugfix
+
+diff --git a/changelog.d/5134.bugfix b/changelog.d/5134.bugfix
+new file mode 100644
+index 0000000000..684d48c53a
+--- /dev/null
++++ b/changelog.d/5134.bugfix
+@@ -0,0 +1 @@
++Blacklist 0.0.0.0 and :: by default for URL previews. Thanks to @opnsec for identifying and responsibly disclosing this issue too!
+diff --git a/synapse/config/repository.py b/synapse/config/repository.py
+index 3f34ad9b2a..d155d69d8a 100644
+--- a/synapse/config/repository.py
++++ b/synapse/config/repository.py
+@@ -154,17 +154,21 @@ def read_config(self, config):
+ except ImportError:
+ raise ConfigError(MISSING_NETADDR)
+
+- if "url_preview_ip_range_blacklist" in config:
+- self.url_preview_ip_range_blacklist = IPSet(
+- config["url_preview_ip_range_blacklist"]
+- )
+- else:
++ if "url_preview_ip_range_blacklist" not in config:
+ raise ConfigError(
+ "For security, you must specify an explicit target IP address "
+ "blacklist in url_preview_ip_range_blacklist for url previewing "
+ "to work"
+ )
+
++ self.url_preview_ip_range_blacklist = IPSet(
++ config["url_preview_ip_range_blacklist"]
++ )
++
++ # we always blacklist '0.0.0.0' and '::', which are supposed to be
++ # unroutable addresses.
++ self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])
++
+ self.url_preview_ip_range_whitelist = IPSet(
+ config.get("url_preview_ip_range_whitelist", ())
+ )
+@@ -235,11 +239,11 @@ def default_config(self, data_dir_path, **kwargs):
+ height: 600
+ method: scale
+
+- # Is the preview URL API enabled? If enabled, you *must* specify
+- # an explicit url_preview_ip_range_blacklist of IPs that the spider is
+- # denied from accessing.
++ # Is the preview URL API enabled?
++ # 'False' by default: uncomment the following to enable it (and specify a
++ # url_preview_ip_range_blacklist blacklist).
+ #
+- url_preview_enabled: False
++ #url_preview_enabled: True
+
+ # List of IP address CIDR ranges that the URL preview spider is denied
+ # from accessing. There are no defaults: you must explicitly
+@@ -249,6 +253,9 @@ def default_config(self, data_dir_path, **kwargs):
+ # synapse to issue arbitrary GET requests to your internal services,
+ # causing serious security issues.
+ #
++ # This must be specified if url_preview_enabled. It is recommended that you
++ # uncomment the following list as a starting point.
++ #
+ #url_preview_ip_range_blacklist:
+ # - '127.0.0.0/8'
+ # - '10.0.0.0/8'
+@@ -259,7 +266,7 @@ def default_config(self, data_dir_path, **kwargs):
+ # - '::1/128'
+ # - 'fe80::/64'
+ # - 'fc00::/7'
+- #
++
+ # List of IP address CIDR ranges that the URL preview spider is allowed
+ # to access even if they are specified in url_preview_ip_range_blacklist.
+ # This is useful for specifying exceptions to wide-ranging blacklisted
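Review bot: The comment above `self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])` explains the two entries only as "supposed to be unroutable", which understates why they are forced in: on common operating systems a connection to 0.0.0.0 or :: is delivered to the local host, so a blacklist built solely from the documented loopback/private CIDRs in the sample config still lets a preview fetch reach services bound on the server itself (the sample config text already names that outcome as the risk). I would extend the comment to `# 0.0.0.0 and :: are nominally unroutable, but on most platforms a connection to them reaches the local host, so they are always blacklisted regardless of the operator-supplied list.` The whitelist read just below is still built from config alone; if, as I believe is the case elsewhere in synapse, the whitelist is consulted before the blacklist, an operator who whitelists a broad range would re-open these two addresses, which is worth confirming and then stating in the `url_preview_ip_range_whitelist` comment of the sample config. The `read_config` body continues outside this hunk.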
diff --git a/debian/patches/series b/debian/patches/series
index dbc914f..b216485 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
0006-Avoid-pip-install.patch
fix-deps.patch
config-add-signing_key_path.patch
+blacklist-localhost-by-default-for-URL-previews.patch
+use-SystemRandom-for-token-generation.patch
diff --git a/debian/patches/use-SystemRandom-for-token-generation.patch b/debian/patches/use-SystemRandom-for-token-generation.patch
new file mode 100644
index 0000000..cfe8f8d
--- /dev/null
+++ b/debian/patches/use-SystemRandom-for-token-generation.patch
@@ -0,0 +1,44 @@
+From 247dc1bd0bd9ee2b9525495c0dbd819baf10ec1f Mon Sep 17 00:00:00 2001
+From: Richard van der Hoff <richard@matrix.org>
+Date: Fri, 3 May 2019 12:38:03 +0100
+Subject: [PATCH] Use SystemRandom for token generation
+
+---
+ changelog.d/5133.bugfix | 1 +
+ synapse/util/stringutils.py | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+ create mode 100644 changelog.d/5133.bugfix
+
+diff --git a/changelog.d/5133.bugfix b/changelog.d/5133.bugfix
+new file mode 100644
+index 0000000000..12a32a906b
+--- /dev/null
++++ b/changelog.d/5133.bugfix
+@@ -0,0 +1 @@
++Switch to using a cryptographically-secure random number generator for token strings, ensuring they cannot be predicted by an attacker. Thanks to @opnsec for for identifying and responsibly disclosing this issue!
+diff --git a/synapse/util/stringutils.py b/synapse/util/stringutils.py
+index fdcb375f95..69dffd8244 100644
+--- a/synapse/util/stringutils.py
++++ b/synapse/util/stringutils.py
+@@ -24,14 +24,19 @@
+ string.digits + string.ascii_letters + ".,;:^&*-_+=#~@"
+ )
+
++# random_string and random_string_with_symbols are used for a range of things,
++# some cryptographically important, some less so. We use SystemRandom to make sure
++# we get cryptographically-secure randoms.
++rand = random.SystemRandom()
++
+
+ def random_string(length):
+- return ''.join(random.choice(string.ascii_letters) for _ in range(length))
++ return ''.join(rand.choice(string.ascii_letters) for _ in range(length))
+
+
+ def random_string_with_symbols(length):
+ return ''.join(
+- random.choice(_string_with_symbols) for _ in range(length)
++ rand.choice(_string_with_symbols) for _ in range(length)
+ )
+
+
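Review bot: After this change the contract of `random_string` and `random_string_with_symbols` is exactly what callers need to know and neither has a docstring; I would add `"""Return ``length`` ASCII letters drawn from the OS CSPRNG; suitable for tokens and other secrets."""` to the first and the analogous sentence, naming the letters/digits/symbols alphabet, to the second. The module-level `rand` is a public-looking name; `_rand` would mark it as an implementation detail and discourage other modules from importing it as a general-purpose RNG. Token strength is now set purely by `length` (about 5.7 bits per character for `string.ascii_letters`, about 6.2 for the 76-character symbol alphabet) and the callers that choose it are outside this hunk, so a sentence on that in the docstring would help reviewers of those call sites. If the package no longer needs to run on Python 2, `secrets.choice` (3.6+) is the idiomatic stdlib spelling of the same `SystemRandom`-backed choice, though the current form is equivalent.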