commit:     df3e9a2457545ad613f6e3d1ce46f162d5631556
Author:     Petr Vaněk <arkamar <AT> gentoo <DOT> org>
AuthorDate: Thu Mar 27 07:23:02 2025 +0000
Commit:     Petr Vaněk <arkamar <AT> gentoo <DOT> org>
CommitDate: Thu Mar 27 08:12:02 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df3e9a24

net-im/synapse: add 1.127.1, CVE-2025-30355

Fixes an issue where a malicious server can craft events which, when
received, prevent Synapse versions up to 1.127.0 from federating with
other servers. The vulnerability has been exploited in the wild.

CVE: https://www.cve.org/CVERecord?id=CVE-2025-30355
GHSA: 
https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
Bug: https://bugs.gentoo.org/952122
Signed-off-by: Petr Vaněk <arkamar <AT> gentoo.org>

 net-im/synapse/Manifest               |   1 +
 net-im/synapse/synapse-1.127.1.ebuild | 242 ++++++++++++++++++++++++++++++++++
 2 files changed, 243 insertions(+)

diff --git a/net-im/synapse/Manifest b/net-im/synapse/Manifest
index c12d517dd5aa..93ac238579fc 100644
--- a/net-im/synapse/Manifest
+++ b/net-im/synapse/Manifest
@@ -83,6 +83,7 @@ DIST synapse-1.124.0.gh.tar.gz 8866869 BLAKE2B 
441e371638673569073b019a30f421441
 DIST synapse-1.125.0.gh.tar.gz 8871511 BLAKE2B 
ac11524fedb4664b0f873721115da1ebb9c8f08c48102c881c6315bee69bf573e60bc3dd74d0669eecc2db7a5da27a894bd6e4b1ab2b2ebcfdf81caa04e0255c
 SHA512 
0a35e4a425b0a1ce2a33fab4aef49e551cd5163ce34d83125f84b059000eb3d185a43de3c689649c77ed2060e791e7a3961b68fd85b8f1ec9dd38245a1adb8c3
 DIST synapse-1.126.0.gh.tar.gz 8882168 BLAKE2B 
baf563c551720556eec25c70eecce2db77ddeaa925c7f36700e6045e871c8604f85846a7c8eaaeb26e40b2cbb40439d838bf751b8c9008971b25062c65cb8cd8
 SHA512 
c97d9110b800995413c97884002f70f08c095d063adbd6baf1b13065ed9c0768a8573105031104937fadb7c710eca58a81058a315785c2d787c75da66f3183a9
 DIST synapse-1.127.0.gh.tar.gz 8885163 BLAKE2B 
77b6f6eef3c7cbf759d928cea0b75427d7dcb5cedd25388446ff59b9963c4d382406bf00047f553c487c76a3d5eaadedc5e481257b3dc09624debc1894215d02
 SHA512 
807f0020396d3818b079137648b7a11f10e4c4ff568454a7a5e1feee8e1d5e3fb107d8cdbac2f656db4bf41b9587d80bfb61aeae61a20a5611cc46170e66f1e6
+DIST synapse-1.127.1.gh.tar.gz 8885485 BLAKE2B 
1d4793ab121af0ab149090bcd272b708c795e55a2d3bc749432c9dc802985798b5faf474b67567eaa1bc6303033e49f904e48813e5894196ce4e9d9f801cb616
 SHA512 
d469bc7e7c6b8f0554e5f4d40cba775ca865157815948e13a1bcf51fc11fd2e73ac36e87f2e632126625b96dda088cf92f4f6952b3e92d9ecaa8d5e2af85882c
 DIST target-lexicon-0.12.14.crate 25508 BLAKE2B 
5ebb6b49e5c3b0057959557651287d4bf5ffe5b499340019ff64d5fc3b64e780e344982e358c94b1b25a20bf0f526a584aeecc704695b50a55cc268dd65edb97
 SHA512 
3410ecc0faf854f49c41c99f83972960e67065b1e0e78557a7c4996d996109bfd167d2121a019f5256f996c896cd45af032038ab7918fdcc6ee6311693ce951a
 DIST typenum-1.17.0.crate 42849 BLAKE2B 
a6d1162050679e2c4ab2467f3a77d301f6861882eb7c9749f31d047f383dd5bd2ed5846ad63eed99ccc04d6ac36cc697a305861e1d65880b4d2ef04ee0a79b94
 SHA512 
99773d5d9f850c0602db4bb67dd062b0ade6f086e155216f1bb2fb6569461ba7e1b7c2f2af81ea8833bc3bfcf3fe5033edecb7c438adae63f59d3e30cf63a508
 DIST ulid-1.1.4.crate 11367 BLAKE2B 
f8dabe988f5a65cd2ffa66196bc3540601cc47e45f56d41542d4edd02232bda632eb5a0fff833ebadacba8e537d496f04806a9297bee9161bbf1abf25a6a3e23
 SHA512 
6221a1f8616678e63ea7875830cef8d7759f56f40b97c83706aae74a678abc771dc5a382dcfb05e0a40637178814e3352d724ba72e4eb18d7da8244ade7a5280

diff --git a/net-im/synapse/synapse-1.127.1.ebuild 
b/net-im/synapse/synapse-1.127.1.ebuild
new file mode 100644
index 000000000000..13d9456bb938
--- /dev/null
+++ b/net-im/synapse/synapse-1.127.1.ebuild
@@ -0,0 +1,242 @@
+# Copyright 2022-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DISTUTILS_EXT=1
+DISTUTILS_USE_PEP517=poetry
+PYTHON_COMPAT=( python3_{10..13} )
+
+CRATES="
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]+wasi-0.2.2
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+       [email protected]
+"
+
+inherit cargo distutils-r1 multiprocessing optfeature systemd
+
+DESCRIPTION="Reference implementation of Matrix homeserver"
+HOMEPAGE="
+       https://matrix.org/
+       https://github.com/element-hq/synapse
+"
+SRC_URI="
+       https://github.com/element-hq/${PN}/archive/v${PV}.tar.gz
+               -> ${P}.gh.tar.gz
+       ${CARGO_CRATE_URIS}
+"
+
+LICENSE="AGPL-3+"
+# Dependent crate licenses
+LICENSE+="
+       Apache-2.0-with-LLVM-exceptions BSD MIT Unicode-DFS-2016
+       || ( Apache-2.0 Boost-1.0 )
+"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~ppc64"
+IUSE="postgres systemd test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+       acct-user/synapse
+       acct-group/synapse
+       dev-python/attrs[${PYTHON_USEDEP}]
+       dev-python/bcrypt[${PYTHON_USEDEP}]
+       dev-python/bleach[${PYTHON_USEDEP}]
+       >=dev-python/canonicaljson-2[${PYTHON_USEDEP}]
+       dev-python/cryptography[${PYTHON_USEDEP}]
+       dev-python/ijson[${PYTHON_USEDEP}]
+       dev-python/immutabledict[${PYTHON_USEDEP}]
+       >=dev-python/jinja2-3.0[${PYTHON_USEDEP}]
+       dev-python/jsonschema[${PYTHON_USEDEP}]
+       >=dev-python/matrix-common-1.3.0[${PYTHON_USEDEP}]
+       dev-python/msgpack[${PYTHON_USEDEP}]
+       dev-python/netaddr[${PYTHON_USEDEP}]
+       dev-python/packaging[${PYTHON_USEDEP}]
+       dev-python/phonenumbers[${PYTHON_USEDEP}]
+       >=dev-python/pillow-10.0.1[${PYTHON_USEDEP},webp]
+       dev-python/prometheus-client[${PYTHON_USEDEP}]
+       dev-python/pyasn1-modules[${PYTHON_USEDEP}]
+       dev-python/pyasn1[${PYTHON_USEDEP}]
+       dev-python/pydantic[${PYTHON_USEDEP}]
+       dev-python/pymacaroons[${PYTHON_USEDEP}]
+       dev-python/pyopenssl[${PYTHON_USEDEP}]
+       >=dev-python/python-multipart-0.0.12-r100[${PYTHON_USEDEP}]
+       dev-python/pyyaml[${PYTHON_USEDEP}]
+       dev-python/service-identity[${PYTHON_USEDEP}]
+       dev-python/signedjson[${PYTHON_USEDEP}]
+       dev-python/sortedcontainers[${PYTHON_USEDEP}]
+       dev-python/treq[${PYTHON_USEDEP}]
+       dev-python/twisted[${PYTHON_USEDEP}]
+       dev-python/typing-extensions[${PYTHON_USEDEP}]
+       dev-python/unpaddedbase64[${PYTHON_USEDEP}]
+       postgres? ( dev-python/psycopg:2[${PYTHON_USEDEP}] )
+       systemd? ( dev-python/python-systemd[${PYTHON_USEDEP}] )
+"
+BDEPEND="
+       acct-user/synapse
+       acct-group/synapse
+       dev-python/setuptools-rust[${PYTHON_USEDEP}]
+       test? (
+               ${RDEPEND}
+               dev-python/hiredis[${PYTHON_USEDEP}]
+               dev-python/idna[${PYTHON_USEDEP}]
+               dev-python/parameterized[${PYTHON_USEDEP}]
+               dev-python/pyicu[${PYTHON_USEDEP}]
+               dev-python/txredisapi[${PYTHON_USEDEP}]
+               postgres? ( dev-db/postgresql[server] )
+       )
+"
+
+# Rust extension
+QA_FLAGS_IGNORED="usr/lib/python3.*/site-packages/synapse/synapse_rust.abi3.so"
+
+PATCHES=(
+       "${FILESDIR}/${PN}-1.123.0-skip-recovery-test.patch"
+)
+
+src_test() {
+       if use postgres; then
+               einfo "Preparing postgres test instance"
+               initdb --pgdata="${T}/pgsql" || die
+               pg_ctl --wait --pgdata="${T}/pgsql" start \
+                       --options="-h '' -k '${T}'" || die
+               createdb --host="${T}" synapse_test || die
+
+               # See 
https://matrix-org.github.io/synapse/latest/development/contributing_guide.html#running-tests-under-postgresql
+               local -x SYNAPSE_POSTGRES=1
+               local -x SYNAPSE_POSTGRES_HOST="${T}"
+       fi
+
+       # This remove is necessary otherwise python is not able to locate
+       # synapse_rust.abi3.so.
+       rm -rf synapse || die
+
+       nonfatal distutils-r1_src_test
+       local ret=${?}
+
+       if use postgres; then
+               einfo "Stopping postgres test instance"
+               pg_ctl --wait --pgdata="${T}/pgsql" stop || die
+       fi
+
+       [[ ${ret} -ne 0 ]] && die
+}
+
+python_test() {
+       "${EPYTHON}" -m twisted.trial -j "$(makeopts_jobs)" tests
+}
+
+src_install() {
+       distutils-r1_src_install
+       keepdir /var/{lib,log}/synapse /etc/synapse
+       fowners synapse:synapse /var/{lib,log}/synapse /etc/synapse
+       fperms 0750 /var/{lib,log}/synapse /etc/synapse
+       newinitd "${FILESDIR}/${PN}.initd-r1" "${PN}"
+       systemd_dounit "${FILESDIR}/synapse.service"
+}
+
+pkg_postinst() {
+       optfeature "Improve user search for international display names" 
dev-python/pyicu
+       optfeature "Redis support" dev-python/txredisapi
+       optfeature "VoIP relaying on your homeserver with turn" net-im/coturn
+
+       if [[ -z "${REPLACING_VERSIONS}" ]]; then
+               einfo
+               elog "In order to generate initial configuration run:"
+               elog "sudo -u synapse synapse_homeserver \\"
+               elog "    --server-name matrix.domain.tld \\"
+               elog "    --config-path /etc/synapse/homeserver.yaml \\"
+               elog "    --generate-config \\"
+               elog "    --data-directory /var/lib/synapse \\"
+               elog "    --report-stats=no"
+               einfo
+       else
+               einfo
+               elog "Please refer to upgrade notes if any special steps are 
required"
+               elog "to upgrade from the version you currently have installed:"
+               elog
+               elog "  
https://github.com/element-hq/synapse/blob/develop/docs/upgrade.md";
+               einfo
+       fi
+}
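Review bot: In src_install, `fowners synapse:synapse` and `fperms 0750` are applied to /etc/synapse as well as to the state and log directories, so the synapse account (presumably the one the daemon runs as) owns its own configuration directory. That appears to be what lets the `sudo -u synapse synapse_homeserver ... --generate-config` step printed in pkg_postinst create homeserver.yaml, but it also means a compromised service process could rewrite the configuration it is next started with. If the write access is intentional, I would record the reason next to the call, e.g. `# /etc/synapse is writable by synapse so that --generate-config (see pkg_postinst) can create homeserver.yaml`. Otherwise `fowners root:synapse /etc/synapse`, with the first-run instructions adjusted to match, would leave the directory readable but not writable by the service.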
