Bug 1212085 (CVE-2022-46165) - VUL-0: CVE-2022-46165: syncthing: Cross-site scripting through malicious files
Summary: VUL-0: CVE-2022-46165: syncthing: Cross-site scripting through malicious files
Status: IN_PROGRESS
Alias: CVE-2022-46165
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Marius Kittler
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/368591/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-07 06:49 UTC by Robert Frohl
Modified: 2023-06-16 14:46 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2023-06-07 06:49:54 UTC 
CVE-2022-46165

Syncthing is an open source, continuous file synchronization program. In
versions prior to 1.23.5 a compromised instance with shared folders could sync
malicious files which contain arbitrary HTML and JavaScript in the name. If the
owner of another device looks over the shared folder settings and moves the
mouse over the latest sync, a script could be executed to change settings for
shared folders or add devices automatically. Additionally adding a new device
with a malicious name could embed HTML or JavaScript inside parts of the page.
As a result the webUI may be subject to a stored cross site scripting attack.
This issue has been addressed in version 1.23.5. Users are advised to upgrade.
Users unable to upgrade should avoid sharing folders with untrusted users.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-46165
https://bugzilla.redhat.com/show_bug.cgi?id=2213010
https://www.cve.org/CVERecord?id=CVE-2022-46165
https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238
https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h
Comment 1 Robert Frohl 2023-06-07 06:54:40 UTC 
Fixed for Factory, but open for openSUSE:Backports:*. 

Maybe we could get a submission to SLE-15-SP4 and SLE-15-SP5 if possible?
Comment 2 Marius Kittler 2023-06-07 08:37:14 UTC 
Unfortunately this doesn't build for Leap 15.4:

```
[   60s] # github.com/hashicorp/golang-lru/v2/simplelru
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:8:14: syntax error: unexpected comparable, expecting ]
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:27:15: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:36:16: syntax error: unexpected comparable, expecting ]
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:42:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:50:13: syntax error: unexpected [, expecting (
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:54:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:57:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:65:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:72:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:83:17: syntax error: unexpected [, expecting comma or )
[   60s] vendor/github.com/hashicorp/golang-lru/v2/simplelru/list.go:83:17: too many errors
[   60s] note: module requires Go 1.18
[   60s] internal/sysinfo
…
[   65s] vendor/github.com/quic-go/quic-go/internal/qtls/go_oldversion.go:5:5: cannot use "The version of quic-go you're using can't be built using outdated Go... (type untyped string) as type int in assignment
…
[   65s] golang.org/x/exp/constraints
[   65s] # golang.org/x/exp/constraints
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:13:2: syntax error: unexpected ~, expecting method or interface name
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:20:2: syntax error: unexpected ~, expecting method or interface name
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:27:9: syntax error: unexpected |, expecting semicolon or newline or }
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:34:2: syntax error: unexpected ~, expecting method or interface name
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:41:2: syntax error: unexpected ~, expecting method or interface name
[   65s] vendor/golang.org/x/exp/constraints/constraints.go:49:10: syntax error: unexpected |, expecting semicolon or newline or }
[   65s] note: module requires Go 1.18
```

So submitting it to Leap 15.4 wouldn't make much sense. I can try submitting it to 15.5, though.
Comment 3 Marius Kittler 2023-06-07 08:56:47 UTC 
I've been creating https://build.opensuse.org/request/show/1091227 for Leap 15.5.
Comment 4 Marius Kittler 2023-06-07 09:17:47 UTC 
For Leap 15.4 I suggest users follow the advice given in the CVE: "Users unable to upgrade should avoid sharing folders with untrusted users."
Comment 5 Marcus Meissner 2023-06-16 14:46:02 UTC 
openSUSE-SU-2023:0126-1: An update that fixes one vulnerability is now available.\n\nCategory: security (moderate)\nBug References: 1212085\nCVE References: CVE-2022-46165\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP5 (src):    syncthing-1.23.5-bp155.2.3.1\n\n