pkgsrc-Changes archive


CVS commit: pkgsrc/net/syncthing



Module Name:    pkgsrc
Committed By:   wiz
Date:           Wed Dec 14 12:14:59 UTC 2016

Modified Files:
        pkgsrc/net/syncthing: Makefile distinfo

Log Message:
Updated syncthing to 0.14.14.

This is a security release recommended for all users.

Two distinct security vulnerabilities have been corrected in this
release. Either would let a remote attacker, controlling a device
that is already accepted by Syncthing, perform arbitrary reads and
writes to files outside the configured folders.

The first issue is that path validation was lacking in several
places, resulting in Syncthing accepting index entries for files
like "../../foo", thus resulting in a path above the configured
folder.

The second issue is that where path validation was correct, symlinks
could be used to trick Syncthing. An attacker could create a symlink
"foo -> ../../" and then request the contents of "foo/something",
again escaping the constraints of the folder.

Syncing symlinks between v0.14.14 and previous versions will not
work.

This is due to the fix to the above issue. Normal files and
directories will sync fine. To continue syncing symlinks, both
sides must be upgraded to v0.14.14.

Further resolved issues:

    #3753: The build no longer requires Go 1.7.
    #3769: The wording in the GUI around "last file received" is
    now clearer.


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 pkgsrc/net/syncthing/Makefile
cvs rdiff -u -r1.29 -r1.30 pkgsrc/net/syncthing/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
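
The two checks described in the log message above (rejecting index entries such as "../../foo", and refusing to traverse a symlink such as "foo -> ../../"), sketched in Go as an added example. This is not Syncthing's or pkgsrc's code; `checkEntry`, `demo`, `errEscape` and the sample entry names are hypothetical, and a POSIX host is assumed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errEscape = errors.New("entry escapes folder root")

// checkEntry (hypothetical) maps a peer-supplied, slash-separated name to a path under root.
func checkEntry(root, name string) (string, error) {
	parts := strings.Split(name, "/")
	// Issue 1: refuse empty, "." and ".." components (a leading "/" gives an empty one).
	for _, p := range parts {
		if p == "" || p == "." || p == ".." {
			return "", errEscape
		}
	}
	// Issue 2: refuse to traverse a symlink in any parent; Lstat does not follow links.
	cur := root
	for _, p := range parts[:len(parts)-1] {
		cur = filepath.Join(cur, p)
		fi, err := os.Lstat(cur)
		if os.IsNotExist(err) {
			break // parent not on disk yet, nothing to follow
		}
		if err != nil || fi.Mode()&os.ModeSymlink != 0 {
			return "", errEscape // other Lstat errors fail closed
		}
	}
	return filepath.Join(root, filepath.FromSlash(name)), nil
}

// demo builds a constructed folder holding "foo -> ../../" and checks constructed names.
func demo() map[string]bool {
	root, _ := os.MkdirTemp("", "folder")
	defer os.RemoveAll(root)
	os.Symlink("../../", filepath.Join(root, "foo"))
	ok := map[string]bool{}
	for _, n := range []string{"docs/a.txt", "../../foo", "foo/something", "foo"} {
		_, err := checkEntry(root, n)
		ok[n] = err == nil
	}
	return ok
}
func main() { fmt.Println(demo()) }
```

The symlink entry "foo" itself is accepted, only paths that pass through it are refused. The check and the later file operation are separate steps, so the folder must not be changed by another writer in between.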

Modified files:

Index: pkgsrc/net/syncthing/Makefile
diff -u pkgsrc/net/syncthing/Makefile:1.36 pkgsrc/net/syncthing/Makefile:1.37
--- pkgsrc/net/syncthing/Makefile:1.36  Sun Dec  4 16:30:00 2016
+++ pkgsrc/net/syncthing/Makefile       Wed Dec 14 12:14:59 2016
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.36 2016/12/04 16:30:00 bsiegert Exp $
+# $NetBSD: Makefile,v 1.37 2016/12/14 12:14:59 wiz Exp $
 
 # Upstream regularly breaks protocol compatibility.  While users of
 # pkgsrc syncthing on multiple systems can update synchronously, an
@@ -13,8 +13,7 @@
 # Note that the android versioning is disconnected from syncthing versioning;
 # see https://github.com/syncthing/syncthing-android/issues/652 for
 # a fuller explanation.
-DISTNAME=      syncthing-0.14.13
-PKGREVISION=   1
+DISTNAME=      syncthing-0.14.14
 CATEGORIES=    net
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=syncthing/}
 
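Review bot: the DISTNAME bump to syncthing-0.14.14 carries no note in the Makefile about the symlink incompatibility the log message describes. The file header already records that upstream regularly breaks protocol compatibility, so a one-line comment near DISTNAME stating that symlink syncing needs 0.14.14 on both sides would help anyone updating hosts at different times. Dropping PKGREVISION together with the version bump looks right.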

Index: pkgsrc/net/syncthing/distinfo
diff -u pkgsrc/net/syncthing/distinfo:1.29 pkgsrc/net/syncthing/distinfo:1.30
--- pkgsrc/net/syncthing/distinfo:1.29  Wed Nov 30 09:52:11 2016
+++ pkgsrc/net/syncthing/distinfo       Wed Dec 14 12:14:59 2016
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.29 2016/11/30 09:52:11 wiz Exp $
+$NetBSD: distinfo,v 1.30 2016/12/14 12:14:59 wiz Exp $
 
-SHA1 (syncthing-0.14.13.tar.gz) = 23d0ef78bc3b81adc024328f7333e3512636ea96
-RMD160 (syncthing-0.14.13.tar.gz) = 3c8a4410141c950516910efa1ddd28657cf15131
-SHA512 (syncthing-0.14.13.tar.gz) = 24f7f46e965df962a3759b1fdad15bded4b2b3c81a9a266798570b9686c3aad40a7ba99507ad5955ee2a5f1ed5224a8ba89b20459c65ca5f5338f2958d42fcf8
-Size (syncthing-0.14.13.tar.gz) = 6468568 bytes
+SHA1 (syncthing-0.14.14.tar.gz) = 3555fe5d9a4512084f3f26f1958f522450f771dc
+RMD160 (syncthing-0.14.14.tar.gz) = 8f7448b58e68556c00d7a7a52158e9db5844bb03
+SHA512 (syncthing-0.14.14.tar.gz) = 0b5934d87aa04b23e1059249c2dc3e4f1214825826e9c2b201487af33c991187e7b9909f41b29ee424cf4ec9d93be42f584af995eaee06d35297e0bfd8e316b4
+Size (syncthing-0.14.14.tar.gz) = 5947169 bytes
 SHA1 (patch-lib_config_optionsconfiguration.go) = 341c1c032c9551e17c86a6fb5d3552b1d79041c8
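Review bot: the unchanged last context line keeps the existing checksum for patch-lib_config_optionsconfiguration.go, so this update assumes the local patch still applies to the 0.14.14 sources as is; worth confirming with a clean extract and patch run. Separately, the Size line drops from 6468568 to 5947169 bytes within a point release, so it is worth checking that the distfile matches the upstream release artifact before relying on the new SHA1/RMD160/SHA512 values.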


