Bugzilla – Bug 1215172
VUL-0: croc: multiple security issues in croc
Last modified: 2024-06-17 08:45:43 UTC
I have reviewed the Croc codebase during the past month and have found a series of security issues, mostly in the area of a receiver of files which can be harmed by a malicious sender. There are now public GitHub issues about the most pressing issues:

- possible creation of files in dangerous path location: https://github.com/schollz/croc/issues/593
- Interactive File Overwrite Prompt can be Circumvented by Sending ZIP file: https://github.com/schollz/croc/issues/594
- Escape Sequences in Filenames are not Filtered: https://github.com/schollz/croc/issues/595
- Use of Parts of the Shared Secret as Room Name: https://github.com/schollz/croc/issues/596
- Unencrypted "ips?" Message Leaks Information from the Sender Side: https://github.com/schollz/croc/issues/597
- Shared Secret Passed on Command Line Possibly Leaks to other Local Users: https://github.com/schollz/croc/issues/598

None of this is currently fixed and it sounds like they also won't be fixed for a longer time, because the upstream author is lacking time to take care of this. As maintainers of croc you may be able to help out upstream to fix these issues or you may consider dropping this package from openSUSE until it becomes better.
For reference this is the full review report I just posted on the oss-security mailing list: https://www.openwall.com/lists/oss-security/2023/09/08/2
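The receiver-side check that the first three issues above (593, 594, 595) call for, as an added Go example that is not croc's code: a receiver can run it on every sender-supplied file name, and on every entry name of a received ZIP, before creating anything under its download directory. The directory name and sample inputs are assumed placeholders.

```go
package main

import (
	"errors"
	"path/filepath"
	"strings"
	"unicode"
)

// ErrUnsafeName is returned for names a receiver must not write to disk.
var ErrUnsafeName = errors.New("unsafe file name from sender")

// SafeDestination maps a sender-supplied name (a plain file name or a ZIP
// entry path) to a path strictly inside destDir, or returns an error. It
// rejects absolute paths, anything that resolves outside destDir, and
// control or escape characters a terminal would interpret when the name
// is printed (for example in an overwrite prompt).
func SafeDestination(destDir, name string) (string, error) {
	if name == "" {
		return "", ErrUnsafeName
	}
	// Treat Windows-style separators like "/" so "..\" is caught as well.
	name = strings.ReplaceAll(name, "\\", "/")
	for _, r := range name {
		// ESC (0x1b), other C0/C1 controls, and bidi override characters.
		if unicode.IsControl(r) || r == '\u202d' || r == '\u202e' {
			return "", ErrUnsafeName
		}
	}
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", ErrUnsafeName
	}
	clean := filepath.Clean(filepath.FromSlash(name))
	if clean == "." {
		return "", ErrUnsafeName
	}
	absDir, err := filepath.Abs(destDir) // assumed placeholder directory
	if err != nil {
		return "", err
	}
	full := filepath.Join(absDir, clean)
	// Containment check: the joined path must stay at or below destDir.
	rel, err := filepath.Rel(absDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeName
	}
	return full, nil
}
```

Symlinks already present under the download directory are not resolved here; a receiver that may follow them needs a further check after the lexical one.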
I fear that these issues won't be fixed anytime soon. Looking at the upstream issue tracker (> 100 pending issues) we could even say it is nearly unmaintained. You should consider whether dropping the package from Factory is the easier solution for now.
It seems very unfortunate that the package has these issues. Hopefully they'll be mitigated in the future so we can see a return of croc, but until then I've requested the removal of croc from Factory. Thank you!
There is no progress upstream although there recently was a not too productive discussion about one of the issues on GitHub. Given the range of issues we should either drop the package from Factory, or, as a workaround, we could try to wrap croc in a namespace jail that restricts it to a specific download directory. This would address at least most of the issues.
It seems so. This was already removed in SR#111035, so I believe the issue could be closed. Thanks for the reminder! https://build.opensuse.org/request/show/1110357
Ah indeed, I overlooked that. Closing as WONTFIX then.
9.6.5 is in openSUSE:Backports:SLE-15-SP6/croc in
drop request https://build.opensuse.org/request/show/1177190
This is an autogenerated message for OBS integration: This bug (1215172) was mentioned in https://build.opensuse.org/request/show/1177272 Factory / croc
dropped from Leap 15.6
Matthias, just so you're aware, this is being re-introduced to Factory in https://build.opensuse.org/request/show/1177272. Not sure whether you are satisfied with the fixes released by upstream, or if you would still want the application to be confined with e.g. nsjail in our packaging.
I was under the impression that all issues were addressed as of 10.0.5
I am not sure everything is actually fixed, or sufficiently fixed. I don't believe Matthias has had the chance to take a look at the software version you were submitting. Unless you're in a hurry to add this to Factory, I would wait for Matthias to take another look and give the green light (unfortunately he is now away until mid June).
Not in a hurry. Dropped from Leap too, so we are good.
I did not have time yet to check the individual fixes that the upstream author has come up with. It happened all rather quickly, after a long time, and with a sense of rejection on the upstream author's part, so it's possible that some things might still be insufficiently addressed. I have the review of the upstream fixes on my todo list, but I don't know when I'll get around to actually doing it. I will update this bug here once I have news.