
Bug#928608: marked as done (unblock: matrix-synapse/0.99.2-5)



Your message dated Sat, 11 May 2019 18:32:46 +0100
with message-id <20190511173246.GA11785@powdarrmonkey.net>
and subject line Re: Bug#928608: unblock: matrix-synapse/0.99.2-5
has caused the Debian Bug report #928608,
regarding unblock: matrix-synapse/0.99.2-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928608: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928608
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please unblock package matrix-synapse.

This upload backports two security updates from 0.99.3.

unblock matrix-synapse/0.99.2-5

- -- 
Cheers,
  Andrej

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
diff --git a/debian/changelog b/debian/changelog
index 0dfdb8d..a786521 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+matrix-synapse (0.99.2-5) unstable; urgency=high
+
+  * Security updates backported from 0.99.3:
+    - Use SystemRandom for token generation
+    - Blacklist 0.0.0.0 and :: by default for URL previews
+
+ -- Andrej Shadura <andrewsh@debian.org>  Fri, 03 May 2019 22:26:41 +0200
+
 matrix-synapse (0.99.2-4) unstable; urgency=medium
 
   [ Antoine Beaupré ]
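Review bot: the changelog entry names the two backported fixes but gives no pointer a user could follow to the upstream changes. Both patch files carry the upstream commit ids (1a7104fde3ab... and 247dc1bd0bd9...) and the changelog.d fragments are numbered 5134 and 5133, so adding e.g. `(upstream #5133, #5134)` to the two bullet lines would make the security content of this urgency=high upload traceable from the changelog alone.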
diff --git a/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch b/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch
new file mode 100644
index 0000000..21853e9
--- /dev/null
+++ b/debian/patches/blacklist-localhost-by-default-for-URL-previews.patch
@@ -0,0 +1,85 @@
+From 1a7104fde3abc5392b90ca084efa896d46e24f91 Mon Sep 17 00:00:00 2001
+From: Richard van der Hoff <richard@matrix.org>
+Date: Fri, 3 May 2019 13:46:50 +0100
+Subject: [PATCH] Blacklist 0.0.0.0 and :: by default for URL previews
+
+---
+ changelog.d/5134.bugfix      |  1 +
+ docs/sample_config.yaml      | 14 +++++++++-----
+ synapse/config/repository.py | 28 ++++++++++++++++++----------
+ 3 files changed, 28 insertions(+), 15 deletions(-)
+ create mode 100644 changelog.d/5134.bugfix
+
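Review bot: the diffstat in the patch header lists `docs/sample_config.yaml | 14 +++++++++-----`, but no diff for that file follows; only changelog.d/5134.bugfix and synapse/config/repository.py are present, so the header no longer matches the content. If the sample config was dropped deliberately (for instance because the Debian package ships or generates its own), record that in a short comment below the Subject line; otherwise the docs/sample_config.yaml change should be carried as well, since that file is what administrators copy their url_preview settings from.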
+diff --git a/changelog.d/5134.bugfix b/changelog.d/5134.bugfix
+new file mode 100644
+index 0000000000..684d48c53a
+--- /dev/null
++++ b/changelog.d/5134.bugfix
+@@ -0,0 +1 @@
++Blacklist 0.0.0.0 and :: by default for URL previews. Thanks to @opnsec for identifying and responsibly disclosing this issue too!
+diff --git a/synapse/config/repository.py b/synapse/config/repository.py
+index 3f34ad9b2a..d155d69d8a 100644
+--- a/synapse/config/repository.py
++++ b/synapse/config/repository.py
+@@ -154,17 +154,21 @@ def read_config(self, config):
+             except ImportError:
+                 raise ConfigError(MISSING_NETADDR)
+ 
+-            if "url_preview_ip_range_blacklist" in config:
+-                self.url_preview_ip_range_blacklist = IPSet(
+-                    config["url_preview_ip_range_blacklist"]
+-                )
+-            else:
++            if "url_preview_ip_range_blacklist" not in config:
+                 raise ConfigError(
+                     "For security, you must specify an explicit target IP address "
+                     "blacklist in url_preview_ip_range_blacklist for url previewing "
+                     "to work"
+                 )
+ 
++            self.url_preview_ip_range_blacklist = IPSet(
++                config["url_preview_ip_range_blacklist"]
++            )
++
++            # we always blacklist '0.0.0.0' and '::', which are supposed to be
++            # unroutable addresses.
++            self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])
++
+             self.url_preview_ip_range_whitelist = IPSet(
+                 config.get("url_preview_ip_range_whitelist", ())
+             )
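Review bot: the unconditional `self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])` is the right shape, but the comment "which are supposed to be unroutable addresses" undersells the reason it is there: on most operating systems a connection to 0.0.0.0 (or :: for IPv6) is delivered to the local host, which is exactly how the loopback entries in an administrator's blacklist were being bypassed. Wording the comment to say so would stop a future reader from removing the line as redundant. Also worth confirming that `IPSet.update` with bare addresses produces /32 and /128 entries in the netaddr version Debian ships, and which of the blacklist and the whitelist read a few lines later takes precedence; if the whitelist wins, an administrator can still whitelist these two addresses and the config documentation should say that.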
+@@ -235,11 +239,11 @@ def default_config(self, data_dir_path, **kwargs):
+           height: 600
+           method: scale
+ 
+-        # Is the preview URL API enabled?  If enabled, you *must* specify
+-        # an explicit url_preview_ip_range_blacklist of IPs that the spider is
+-        # denied from accessing.
++        # Is the preview URL API enabled?
++        # 'False' by default: uncomment the following to enable it (and specify a
++        # url_preview_ip_range_blacklist blacklist).
+         #
+-        url_preview_enabled: False
++        #url_preview_enabled: True
+ 
+         # List of IP address CIDR ranges that the URL preview spider is denied
+         # from accessing.  There are no defaults: you must explicitly
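Review bot: the trailing context "There are no defaults: you must explicitly" is now inaccurate, because read_config adds 0.0.0.0 and :: regardless of what the administrator lists; the sample config text should state that these two addresses are blacklisted unconditionally so the documented behaviour matches the code. Separately, replacing the shipped `url_preview_enabled: False` with the commented-out `#url_preview_enabled: True` relies on the code default also being False; the new comment asserts that, but the hunk does not show the default, so confirm it in the config loader before accepting.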
+@@ -249,6 +253,9 @@ def default_config(self, data_dir_path, **kwargs):
+         # synapse to issue arbitrary GET requests to your internal services,
+         # causing serious security issues.
+         #
++        # This must be specified if url_preview_enabled. It is recommended that you
++        # uncomment the following list as a starting point.
++        #
+         #url_preview_ip_range_blacklist:
+         #  - '127.0.0.0/8'
+         #  - '10.0.0.0/8'
+@@ -259,7 +266,7 @@ def default_config(self, data_dir_path, **kwargs):
+         #  - '::1/128'
+         #  - 'fe80::/64'
+         #  - 'fc00::/7'
+-        #
++
+         # List of IP address CIDR ranges that the URL preview spider is allowed
+         # to access even if they are specified in url_preview_ip_range_blacklist.
+         # This is useful for specifying exceptions to wide-ranging blacklisted
diff --git a/debian/patches/series b/debian/patches/series
index dbc914f..b216485 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,5 @@
 0006-Avoid-pip-install.patch
 fix-deps.patch
 config-add-signing_key_path.patch
+blacklist-localhost-by-default-for-URL-previews.patch
+use-SystemRandom-for-token-generation.patch
diff --git a/debian/patches/use-SystemRandom-for-token-generation.patch b/debian/patches/use-SystemRandom-for-token-generation.patch
new file mode 100644
index 0000000..cfe8f8d
--- /dev/null
+++ b/debian/patches/use-SystemRandom-for-token-generation.patch
@@ -0,0 +1,44 @@
+From 247dc1bd0bd9ee2b9525495c0dbd819baf10ec1f Mon Sep 17 00:00:00 2001
+From: Richard van der Hoff <richard@matrix.org>
+Date: Fri, 3 May 2019 12:38:03 +0100
+Subject: [PATCH] Use SystemRandom for token generation
+
+---
+ changelog.d/5133.bugfix     | 1 +
+ synapse/util/stringutils.py | 9 +++++++--
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+ create mode 100644 changelog.d/5133.bugfix
+
+diff --git a/changelog.d/5133.bugfix b/changelog.d/5133.bugfix
+new file mode 100644
+index 0000000000..12a32a906b
+--- /dev/null
++++ b/changelog.d/5133.bugfix
+@@ -0,0 +1 @@
++Switch to using a cryptographically-secure random number generator for token strings, ensuring they cannot be predicted by an attacker. Thanks to @opnsec for for identifying and responsibly disclosing this issue!
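Review bot: "for for" is a duplicated word in the changelog.d/5133.bugfix line. Since this is a verbatim upstream commit carried as a Debian patch, fix it upstream rather than diverging here; it is cosmetic and does not affect the backport.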
+diff --git a/synapse/util/stringutils.py b/synapse/util/stringutils.py
+index fdcb375f95..69dffd8244 100644
+--- a/synapse/util/stringutils.py
++++ b/synapse/util/stringutils.py
+@@ -24,14 +24,19 @@
+     string.digits + string.ascii_letters + ".,;:^&*-_+=#~@"
+ )
+ 
++# random_string and random_string_with_symbols are used for a range of things,
++# some cryptographically important, some less so. We use SystemRandom to make sure
++# we get cryptographically-secure randoms.
++rand = random.SystemRandom()
++
+ 
+ def random_string(length):
+-    return ''.join(random.choice(string.ascii_letters) for _ in range(length))
++    return ''.join(rand.choice(string.ascii_letters) for _ in range(length))
+ 
+ 
+ def random_string_with_symbols(length):
+     return ''.join(
+-        random.choice(_string_with_symbols) for _ in range(length)
++        rand.choice(_string_with_symbols) for _ in range(length)
+     )
+ 
+ 
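Review bot: module-level `rand = random.SystemRandom()` is the correct and minimal fix: SystemRandom draws from os.urandom, so `rand.choice` no longer depends on the default Mersenne Twister generator, whose internal state is recoverable from observed output and is therefore unsuitable for access tokens. Two things to confirm before treating this as the complete fix: that `random` is still imported at the top of the module (the hunk starts at line 24 and does not show the imports; the removed lines used `random.choice`, so it should be), and that no other module builds tokens or nonces from `random.choice`/`random.randint`, since this change only covers the two helpers here. Stylistically, on Python 3.6+ `secrets.choice` is the idiomatic spelling, but it is the same class underneath (secrets.SystemRandom is random.SystemRandom), so nothing is gained by switching while Python 2 still has to be supported.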

--- End Message ---
--- Begin Message ---
On Tue, May 07, 2019 at 05:15:28PM +0200, Andrej Shadura wrote:
> Please unblock package matrix-synapse.
> 
> This upload backports two security updates from 0.99.3.

Unblocked; thanks.

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

--- End Message ---