[meta-oe,kirkstone,13/26] synergy: patch CVE-2020-15117

Message ID 20251002125926.2624522-14-skandigraun@gmail.com
State New
Series Cherry-picks from Master Batch G

Commit Message

Gyorgy Sarvari Oct. 2, 2025, 12:59 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Pick commit based on [1].

Note that the pick is done from deskflow, which is the open-source successor
of synergy.
If anyone uses this recipe, it should be switched.

[1] https://github.com/deskflow/deskflow/security/advisories/GHSA-chfm-333q-gfpp

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit db283053d096cf77df8e4444ce91e5d882f8850c)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../synergy/synergy/CVE-2020-15117.patch      | 48 +++++++++++++++++++
 .../recipes-support/synergy/synergy_git.bb    |  1 +
 2 files changed, 49 insertions(+)
 create mode 100644 meta-oe/recipes-support/synergy/synergy/CVE-2020-15117.patch
Patch

diff --git a/meta-oe/recipes-support/synergy/synergy/CVE-2020-15117.patch b/meta-oe/recipes-support/synergy/synergy/CVE-2020-15117.patch
new file mode 100644
index 0000000000..4ad2a45275
--- /dev/null
+++ b/meta-oe/recipes-support/synergy/synergy/CVE-2020-15117.patch
@@ -0,0 +1,48 @@ 
+From 79efdb7c617b809e1a2daf17441d7a30f7046aa5 Mon Sep 17 00:00:00 2001
+From: Jnewbon <48688400+Jnewbon@users.noreply.github.com>
+Date: Tue, 14 Jul 2020 13:14:40 +0100
+Subject: [PATCH] Merge pull request from GHSA-chfm-333q-gfpp
+
+Attempts to fis DoS to servers with less then 4GB memory
+
+CVE: CVE-2020-15117
+Upstream-Status: Backport [https://github.com/deskflow/deskflow/commit/0a97c2be0da2d0df25cb86dfd642429e7a8bea39]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/lib/synergy/ProtocolUtil.cpp | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/synergy/ProtocolUtil.cpp b/src/lib/synergy/ProtocolUtil.cpp
+index d9f5dc324..7d2c37ff8 100644
+--- a/src/lib/synergy/ProtocolUtil.cpp
++++ b/src/lib/synergy/ProtocolUtil.cpp
+@@ -61,6 +61,9 @@ ProtocolUtil::readf(synergy::IStream* stream, const char* fmt, ...)
+     catch (XIO&) {
+         result = false;
+     }
++    catch (std::bad_alloc & exception) {
++        result = false;
++    }
+     va_end(args);
+     return result;
+ }
+@@ -216,7 +219,15 @@ ProtocolUtil::vreadf(synergy::IStream* stream, const char* fmt, va_list args)
+                 // allocate a buffer to read the data
+                 UInt8* sBuffer = buffer;
+                 if (!useFixed) {
+-                    sBuffer = new UInt8[len];
++                    try{
++                        sBuffer = new UInt8[len];
++                    }
++                    catch (std::bad_alloc & exception) {
++                        // Added try catch due to GHSA-chfm-333q-gfpp
++                        LOG((CLOG_ERR "ALLOC: Unable to allocate memory %d bytes", len));
++                        LOG((CLOG_DEBUG "bad_alloc detected: Do you have enough free memory?"));
++                        throw exception;
++                    }
+                 }
+ 
+                 // read the data
+-- 
+2.30.2
+
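Review bot: In the vreadf change, `throw exception;` rethrows a copy of the caught object typed as std::bad_alloc; a bare `throw;` would rethrow the original exception unchanged and avoid slicing a derived type. The allocation `new UInt8[len]` still uses `len` as-is, with no upper bound checked in the visible lines, so the change only converts an allocation failure into a failed read (readf now returns false on std::bad_alloc), and any length the host can satisfy is still allocated; a maximum-length check before the allocation would bound that. In the readf handler the `exception` name is unused and can be dropped, and both handlers could catch by const reference.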
diff --git a/meta-oe/recipes-support/synergy/synergy_git.bb b/meta-oe/recipes-support/synergy/synergy_git.bb
index f2e7a91618..97891a6c86 100644
--- a/meta-oe/recipes-support/synergy/synergy_git.bb
+++ b/meta-oe/recipes-support/synergy/synergy_git.bb
@@ -10,6 +10,7 @@  DEPENDS = "virtual/libx11 libxtst libxinerama curl openssl"
 REQUIRED_DISTRO_FEATURES = "x11"
 
 SRC_URI = "git://github.com/symless/synergy-core;protocol=https;nobranch=1"
+SRC_URI += "file://CVE-2020-15117.patch"
 
 # Version 1.10.1-stable
 SRCREV ?= "1b4c076127687aceac931d269e898beaac1cad9f"
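Review bot: `SRC_URI += "file://CVE-2020-15117.patch"` directly after the `SRC_URI = ...` assignment could be folded into that assignment with a line continuation, keeping all sources in one statement. The commit message says the fix was picked from deskflow while SRC_URI still fetches symless/synergy-core at a pinned SRCREV, so it is worth confirming in the do_patch log that the patch applies without fuzz to src/lib/synergy/ProtocolUtil.cpp at that revision.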