Bug 1215172

Summary: VUL-0: croc: multiple security issues in croc
Product: [openSUSE] openSUSE Distribution
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Security
Assignee: Smith <jsmithfpv>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: Andreas.Stieger, filippo.bonazzi, security-team
Version: Leap 15.6
Target Milestone: Leap 15.6
Hardware: Other
OS: Other
Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Blocks: 1224165

Description Matthias Gerstner 2023-09-08 13:48:06 UTC
I have reviewed the Croc codebase during the past month and have found a
series of security issues, mostly in the area of a receiver of files which can
be harmed by a malicious sender.

There are now public GitHub issues about the most pressing issues:

- possible creation of files in dangerous path location: https://github.com/schollz/croc/issues/593
- Interactive File Overwrite Prompt can be Circumvented by Sending ZIP file: https://github.com/schollz/croc/issues/594
- Escape Sequences in Filenames are not Filtered: https://github.com/schollz/croc/issues/595
- Use of Parts of the Shared Secret as Room Name: https://github.com/schollz/croc/issues/596
- Unencrypted "ips?" Message Leaks Information from the Sender Side: https://github.com/schollz/croc/issues/597
- Shared Secret Passed on Command Line Possibly Leaks to other Local Users: https://github.com/schollz/croc/issues/598

None of this is currently fixed and it sounds like it also won't be fixed
for a longer time, because the upstream author is lacking time to take care of
this.

As maintainers of croc you may be able to help out upstream to fix these
issues or you may consider dropping this package from openSUSE until it
becomes better.
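The receiver-side hardening that the "dangerous path location" and "escape sequences in filenames" issues above call for, as an added example that is not croc's own code: a sender-supplied name is confined to the download directory and refused if it carries control or escape characters. The function name SafeDestPath and the "downloads" directory are assumptions.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
	"unicode"
)

// ErrUnsafeName marks a sender-supplied filename that must not be written.
var ErrUnsafeName = errors.New("unsafe filename from sender")

// hasControlChars reports whether name carries control or escape bytes
// (ESC, CR, LF, DEL, invalid UTF-8) that a receiver would otherwise echo
// straight to the terminal.
func hasControlChars(name string) bool {
	for _, r := range name {
		if unicode.IsControl(r) || r == unicode.ReplacementChar {
			return true
		}
	}
	return false
}

// SafeDestPath maps a sender-supplied name onto a path strictly inside
// downloadDir (assumed directory) or returns ErrUnsafeName: absolute paths,
// any ".." component and control characters are refused.
func SafeDestPath(downloadDir, name string) (string, error) {
	if name == "" || hasControlChars(name) {
		return "", ErrUnsafeName
	}
	// Normalise backslashes so "..\x" cannot slip past on Unix.
	cleaned := filepath.Clean(strings.ReplaceAll(name, `\`, "/"))
	if filepath.IsAbs(cleaned) || cleaned == "." {
		return "", ErrUnsafeName
	}
	for _, part := range strings.Split(cleaned, string(filepath.Separator)) {
		if part == ".." {
			return "", ErrUnsafeName
		}
	}
	base, err := filepath.Abs(downloadDir)
	if err != nil {
		return "", err
	}
	// cleaned is relative and free of "..", so the join stays below base.
	return filepath.Join(base, cleaned), nil
}
```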
Comment 1 Matthias Gerstner 2023-09-08 13:50:02 UTC
For reference this is the full review report I just posted on the oss-security
mailing list:

https://www.openwall.com/lists/oss-security/2023/09/08/2
Comment 2 Matthias Gerstner 2023-09-11 12:46:26 UTC
I fear that these issues won't be fixed anytime soon. Looking at the upstream
issue tracker (> 100 pending issues) we could even say it is nearly
unmaintained.

You should consider whether dropping the package from Factory is the easier
solution for now.
Comment 3 Smith 2023-09-11 19:16:25 UTC
It seems very unfortunate that the package has these issues. Hopefully they'll be mitigated in the future so we can see a return of croc, but until then I've requested the removal of croc from Factory. Thank you!
Comment 4 Matthias Gerstner 2024-02-13 09:05:32 UTC
There is no progress upstream although there recently was a not too productive
discussion about one of the issues on GitHub.

Given the range of issues we should either drop the package from Factory, or,
as a workaround, we could try to wrap croc in a namespace jail that restricts
it to a specific download directory. This would address at least most of the
issues.
Comment 5 Smith 2024-02-13 15:07:09 UTC
It seems so. This was already removed in SR#111035, so I believe the issue could be closed. Thanks for the reminder!

https://build.opensuse.org/request/show/1110357
Comment 6 Matthias Gerstner 2024-02-14 08:43:48 UTC
Ah indeed, I overlooked that. Closing as WONTFIX then.
Comment 7 Andreas Stieger 2024-05-27 20:45:24 UTC
9.6.5 is in openSUSE:Backports:SLE-15-SP6/croc in
Comment 8 Andreas Stieger 2024-05-27 20:46:18 UTC
drop request https://build.opensuse.org/request/show/1177190
Comment 9 OBSbugzilla Bot 2024-05-28 06:55:04 UTC
This is an autogenerated message for OBS integration:
This bug (1215172) was mentioned in
https://build.opensuse.org/request/show/1177272 Factory / croc
Comment 10 Andreas Stieger 2024-05-28 08:12:48 UTC
dropped from Leap 15.6
Comment 11 Filippo Bonazzi 2024-05-28 08:23:07 UTC
Matthias, just so you're aware, this is being re-introduced to Factory in https://build.opensuse.org/request/show/1177272. Not sure whether you are satisfied with the fixes released by upstream, or if you would still want the application to be confined with e.g. nsjail in our packaging.
Comment 12 Andreas Stieger 2024-05-28 08:49:15 UTC
I was under the impression that all issues were addressed as of 10.0.5
Comment 14 Filippo Bonazzi 2024-05-28 09:46:41 UTC
I am not sure everything is actually fixed, or sufficiently fixed. I don't believe Matthias has had the chance to take a look at the software version you were submitting.

Unless you're in a hurry to add this to Factory, I would wait for Matthias to take another look and give the green light (unfortunately he is now away until mid June).
Comment 15 Andreas Stieger 2024-05-28 10:20:06 UTC
Not in a hurry. Dropped from Leap too so we are good
Comment 16 Matthias Gerstner 2024-06-17 08:45:43 UTC
I did not have time yet to check the individual fixes that the upstream author
has come up with. It happened all rather quickly, after a long time, and with
a sense of rejection on the upstream author's part, so it's possible that some
things might still be insufficiently addressed.

I have the review of the upstream fixes on my todo list, but I don't know
when I'll get around to actually doing it. I will update this bug here once I
have news.