Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access to previously freed memory #704

Closed
FilipeMaia opened this issue Jan 15, 2025 · 0 comments · Fixed by #706
Closed

Access to previously freed memory #704

FilipeMaia opened this issue Jan 15, 2025 · 0 comments · Fixed by #706

Comments

@FilipeMaia
Copy link

FilipeMaia commented Jan 15, 2025
edited
Loading

As full_fname returns a static pointer when it's used twice in the same print message the second call will free the space allocated for by the first full_fname call, causing rsyserr to read freed memory, as in here:

rsync/generator.c

Lines 2044 to 2045 in dacadd5

rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\" failed",
full_fname(tmpname), full_fname(fname));

This may cause gibberish output or potentially even a SIGSEV.
@sthen sthen mentioned this issue Jan 15, 2025
Closed
ncopa added a commit to ncopa/rsync that referenced this issue Jan 15, 2025
@ncopa
Fix use-after-free in generator
f923b19 
full_fname() will free the return value in the next call so we need to
duplicate it before passing it to rsyserr.

Fixes: RsyncProject#704
@ncopa ncopa mentioned this issue Jan 15, 2025
Merged
algitbot pushed a commit to alpinelinux/aports that referenced this issue Jan 15, 2025
@ncopa
main/rsync: security upgrade to 3.4.0
10532b7 
Fixes the following CVEs:
- CVE-2024-12084
- CVE-2024-12085
- CVE-2024-12086
- CVE-2024-12087
- CVE-2024-12088
- CVE-2024-12747

Also backport fixes for a regression and a use-after-free.

ref: https://github.com/RsyncProject/rsync/blob/master/NEWS.md#news-for-rsync-340-15-jan-2025
ref: RsyncProject/rsync#702
ref: RsyncProject/rsync#704
algitbot pushed a commit to alpinelinux/aports that referenced this issue Jan 15, 2025
@ncopa
main/rsync: security upgrade to 3.4.0
e37649c 
Fixes the following CVEs:
- CVE-2024-12084
- CVE-2024-12085
- CVE-2024-12086
- CVE-2024-12087
- CVE-2024-12088
- CVE-2024-12747

Also backport fixes for a regression and a use-after-free.

ref: https://github.com/RsyncProject/rsync/blob/master/NEWS.md#news-for-rsync-340-15-jan-2025
ref: RsyncProject/rsync#702
ref: RsyncProject/rsync#704
(cherry picked from commit 10532b7)
algitbot pushed a commit to alpinelinux/aports that referenced this issue Jan 15, 2025
@ncopa
main/rsync: security upgrade to 3.4.0
0fe6a23 
Fixes the following CVEs:
- CVE-2024-12084
- CVE-2024-12085
- CVE-2024-12086
- CVE-2024-12087
- CVE-2024-12088
- CVE-2024-12747

Also backport fixes for a regression and a use-after-free.

ref: https://github.com/RsyncProject/rsync/blob/master/NEWS.md#news-for-rsync-340-15-jan-2025
ref: RsyncProject/rsync#702
ref: RsyncProject/rsync#704
(cherry picked from commit 10532b7)
algitbot pushed a commit to alpinelinux/aports that referenced this issue Jan 15, 2025
@ncopa
main/rsync: security upgrade to 3.4.0
3a66ced 
Fixes the following CVEs:
- CVE-2024-12084
- CVE-2024-12085
- CVE-2024-12086
- CVE-2024-12087
- CVE-2024-12088
- CVE-2024-12747

Also backport fixes for a regression and a use-after-free.

ref: https://github.com/RsyncProject/rsync/blob/master/NEWS.md#news-for-rsync-340-15-jan-2025
ref: RsyncProject/rsync#702
ref: RsyncProject/rsync#704
(cherry picked from commit 10532b7)
algitbot pushed a commit to alpinelinux/aports that referenced this issue Jan 15, 2025
@ncopa
main/rsync: security upgrade to 3.4.0
063919d 
Fixes the following CVEs:
- CVE-2024-12084
- CVE-2024-12085
- CVE-2024-12086
- CVE-2024-12087
- CVE-2024-12088
- CVE-2024-12747

Also backport fixes for a regression and a use-after-free.

ref: https://github.com/RsyncProject/rsync/blob/master/NEWS.md#news-for-rsync-340-15-jan-2025
ref: RsyncProject/rsync#702
ref: RsyncProject/rsync#704
(cherry picked from commit 10532b7)
(cherry picked from commit 3a66ced)
@LeSuisse LeSuisse mentioned this issue Jan 15, 2025
Merged
13 tasks
tridge pushed a commit that referenced this issue Jan 15, 2025
@ncopa @tridge
Fix use-after-free in generator
81ead9e 
full_fname() will free the return value in the next call so we need to
duplicate it before passing it to rsyserr.

Fixes: #704
@solardiz solardiz mentioned this issue Jan 15, 2025
Closed
bell-sw pushed a commit to bell-sw/alpaquita-aports that referenced this issue Jan 16, 2025
@ncopa @kholmanskikh
universe/rsync: security upgrade to 3.4.0
1afed0f 
[ commit 10532b77dcbf95eec84c2c6b07f4680492cc7615 ]

Fixes the following CVEs:
- CVE-2024-12084
- CVE-2024-12085
- CVE-2024-12086
- CVE-2024-12087
- CVE-2024-12088
- CVE-2024-12747

Also backport fixes for a regression and a use-after-free.

ref: https://github.com/RsyncProject/rsync/blob/master/NEWS.md#news-for-rsync-340-15-jan-2025
ref: RsyncProject/rsync#702
ref: RsyncProject/rsync#704
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix use-after-free in generator ncopa/rsync
1 participant
@FilipeMaia