Bug 1212085 (CVE-2022-46165)

Summary: VUL-0: CVE-2022-46165: syncthing: Cross-site scripting through malicious files
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Marius Kittler <marius.kittler>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, sor.alexei
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/368591/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2023-06-07 06:49:54 UTC 
CVE-2022-46165

Syncthing is an open source, continuous file synchronization program. In
versions prior to 1.23.5 a compromised instance with shared folders could sync
malicious files which contain arbitrary HTML and JavaScript in the name. If the
owner of another device looks over the shared folder settings and moves the
mouse over the latest sync, a script could be executed to change settings for
shared folders or add devices automatically. Additionally adding a new device
with a malicious name could embed HTML or JavaScript inside parts of the page.
As a result the webUI may be subject to a stored cross site scripting attack.
This issue has been addressed in version 1.23.5. Users are advised to upgrade.
Users unable to upgrade should avoid sharing folders with untrusted users.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46165
https://bugzilla.redhat.com/show_bug.cgi?id=2213010
https://www.cve.org/CVERecord?id=CVE-2022-46165
https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238
https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h
Comment 1 Robert Frohl 2023-06-07 06:54:40 UTC 
Fixed for Factory, but open for openSUSE:Backports:*. 

Maybe we could get a submission to SLE-15-SP4 and SLE-15-SP5 if possible?
Comment 2 Marius Kittler 2023-06-07 08:37:14 UTC 
Unfortunately this doesn't build for Leap 15.4:

```
[   60s] # github.com/hashicorp/golang-lru/v2/simplelru
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:8:14: syntax error: unexpected comparable, expecting ]
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:27:15: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:36:16: syntax error: unexpected comparable, expecting ]
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:42:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:50:13: syntax error: unexpected [, expecting (
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:54:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:57:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:65:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:72:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:83:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:83:17: too many errors
[   60s] note: module requires Go 1.18
[   60s] internal/sysinfo
…
[   65s] vendor/github.com/quic-go/quic-go/internal/qtls/go_oldversion.go:5:5: cannot use "The version of quic-go you're using can't be built using outdated Go... (type untyped string) as type int in assignment
…
[   65s] golang.org/x/exp/constraints
[   65s] # golang.org/x/exp/constraints
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:13:2: syntax error: unexpected ~, expecting method or interface name
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:20:2: syntax error: unexpected ~, expecting method or interface name
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:27:9: syntax error: unexpected |, expecting semicolon or newline or }
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:34:2: syntax error: unexpected ~, expecting method or interface name
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:41:2: syntax error: unexpected ~, expecting method or interface name
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:49:10: syntax error: unexpected |, expecting semicolon or newline or }
[   65s] note: module requires Go 1.18
```

So submitting it to Leap 15.4 wouldn't make much sense. I can try submitting it to 15.5, though.
Comment 3 Marius Kittler 2023-06-07 08:56:47 UTC 
I've been creating https://build.opensuse.org/request/show/1091227 for Leap 15.5.
Comment 4 Marius Kittler 2023-06-07 09:17:47 UTC 
For Leap 15.4 I suggest users follow the advice given in the CVE: "Users unable to upgrade should avoid sharing folders with untrusted users."
Comment 5 Marcus Meissner 2023-06-16 14:46:02 UTC 
openSUSE-SU-2023:0126-1: An update that fixes one vulnerability is now available.\n\nCategory: security (moderate)\nBug References: 1212085\nCVE References: CVE-2022-46165\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP5 (src):    syncthing-1.23.5-bp155.2.3.1\n\n