-
-
Notifications
You must be signed in to change notification settings - Fork 695
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
main/rsync: security upgrade to 3.4.0
Fixes the following CVEs: - CVE-2024-12084 - CVE-2024-12085 - CVE-2024-12086 - CVE-2024-12087 - CVE-2024-12088 - CVE-2024-12747 Also backport fixes for a regression and a use-after-free. ref: https://github.com/RsyncProject/rsync/blob/master/NEWS.md#news-for-rsync-340-15-jan-2025 ref: RsyncProject/rsync#702 ref: RsyncProject/rsync#704
- Loading branch information
Showing
3 changed files
with
88 additions
and
4 deletions.
There are no files selected for viewing
36 changes: 36 additions & 0 deletions
36
main/rsync/0001-Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| From efb85fd8db9e8f74eb3ab91ebf44f6ed35e3da5b Mon Sep 17 00:00:00 2001 | ||
| From: Natanael Copa <[email protected]> | ||
| Date: Wed, 15 Jan 2025 15:10:24 +0100 | ||
| Subject: [PATCH] Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED | ||
|
|
||
| fixes commit 688f5c379a43 (Refuse a duplicate dirlist.) | ||
|
|
||
| Fixes: https://github.com/RsyncProject/rsync/issues/702 | ||
| Fixes: https://github.com/RsyncProject/rsync/issues/697 | ||
| --- | ||
| rsync.h | 2 +- | ||
| 1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
|
||
| diff --git a/rsync.h b/rsync.h | ||
| index 9be1297b..479ac484 100644 | ||
| --- a/rsync.h | ||
| +++ b/rsync.h | ||
| @@ -84,7 +84,6 @@ | ||
| #define FLAG_DUPLICATE (1<<4) /* sender */ | ||
| #define FLAG_MISSING_DIR (1<<4) /* generator */ | ||
| #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */ | ||
| -#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */ | ||
| #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */ | ||
| #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */ | ||
| #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */ | ||
| @@ -93,6 +92,7 @@ | ||
| #define FLAG_SKIP_GROUP (1<<10) /* receiver/generator */ | ||
| #define FLAG_TIME_FAILED (1<<11)/* generator */ | ||
| #define FLAG_MOD_NSEC (1<<12) /* sender/receiver/generator */ | ||
| +#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */ | ||
|
|
||
| /* These flags are passed to functions but not stored. */ | ||
|
|
||
| -- | ||
| 2.48.0 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,34 @@ | ||
| From f923b19fd85039a2b0e908391074872334646d51 Mon Sep 17 00:00:00 2001 | ||
| From: Natanael Copa <[email protected]> | ||
| Date: Wed, 15 Jan 2025 15:48:04 +0100 | ||
| Subject: [PATCH] Fix use-after-free in generator | ||
|
|
||
| full_fname() will free the return value in the next call so we need to | ||
| duplicate it before passing it to rsyserr. | ||
|
|
||
| Fixes: https://github.com/RsyncProject/rsync/issues/704 | ||
| --- | ||
| generator.c | 6 +++++- | ||
| 1 file changed, 5 insertions(+), 1 deletion(-) | ||
|
|
||
| diff --git a/generator.c b/generator.c | ||
| index 3f13bb95..b56fa569 100644 | ||
| --- a/generator.c | ||
| +++ b/generator.c | ||
| @@ -2041,8 +2041,12 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const | ||
|
|
||
| if (!skip_atomic) { | ||
| if (do_rename(tmpname, fname) < 0) { | ||
| + char *full_tmpname = strdup(full_fname(tmpname)); | ||
| + if (full_tmpname == NULL) | ||
| + out_of_memory("atomic_create"); | ||
| rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\" failed", | ||
| - full_fname(tmpname), full_fname(fname)); | ||
| + full_tmpname, full_fname(fname)); | ||
| + free(full_tmpname); | ||
| do_unlink(tmpname); | ||
| return 0; | ||
| } | ||
| -- | ||
| 2.48.0 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| # Maintainer: Natanael Copa <[email protected]> | ||
| pkgname=rsync | ||
| pkgver=3.3.0 | ||
| pkgver=3.4.0 | ||
| pkgrel=0 | ||
| pkgdesc="A file transfer program to keep remote files in sync" | ||
| url="https://rsync.samba.org/" | ||
|
|
@@ -18,13 +18,23 @@ makedepends=" | |
| " | ||
| subpackages="$pkgname-doc $pkgname-openrc rrsync::noarch" | ||
| source="https://download.samba.org/pub/rsync/rsync-$pkgver.tar.gz | ||
| https://dev.alpinelinux.org/archive/rsync-manpages-$pkgver.tar.gz | ||
| 0001-Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch | ||
| 0001-Fix-use-after-free-in-generator.patch | ||
| rsyncd.initd | ||
| rsyncd.confd | ||
| rsyncd.conf | ||
| rsyncd.logrotate | ||
| " | ||
|
|
||
| # secfixes: | ||
| # 3.4.0-r0: | ||
| # - CVE-2024-12084 | ||
| # - CVE-2024-12085 | ||
| # - CVE-2024-12086 | ||
| # - CVE-2024-12087 | ||
| # - CVE-2024-12088 | ||
| # - CVE-2024-12747 | ||
| # 3.2.4-r2: | ||
| # - CVE-2022-29154 | ||
| # 3.1.2-r7: | ||
|
|
@@ -46,6 +56,7 @@ prepare() { | |
| } | ||
|
|
||
| build() { | ||
| cp rrsync.1 support/rrsync.1 | ||
| CFLAGS="$CFLAGS -flto=auto" \ | ||
| ./configure \ | ||
| --build=$CBUILD \ | ||
|
|
@@ -57,8 +68,10 @@ build() { | |
| --enable-acl-support \ | ||
| --enable-xattr-support \ | ||
| --enable-xxhash \ | ||
| --with-rrsync \ | ||
| --without-included-popt \ | ||
| --without-included-zlib \ | ||
| --disable-md2man \ | ||
| --disable-openssl | ||
| # openssl is disabled since xxh checksums are faster anyway | ||
| make | ||
|
|
@@ -75,8 +88,6 @@ package() { | |
| install -Dm644 "$srcdir"/rsyncd.conf "$pkgdir"/etc/rsyncd.conf | ||
| install -Dm644 "$srcdir"/rsyncd.confd "$pkgdir"/etc/conf.d/rsyncd | ||
| install -Dm644 "$srcdir"/rsyncd.logrotate "$pkgdir"/etc/logrotate.d/rsyncd | ||
| install -Dm755 support/rrsync -t "$pkgdir"/usr/bin/ | ||
| install -Dm644 rrsync.1 -t "$pkgdir"/usr/share/man/man1/ | ||
| } | ||
|
|
||
| rrsync() { | ||
|
|
@@ -87,7 +98,10 @@ rrsync() { | |
| } | ||
|
|
||
| sha512sums=" | ||
| df5c53bc2f2b0e7e30f475903e5e4296dc2fbcf08e9ea6c3c61462d0e52b067c27e82deeb4be79102c86e9aa55a825182e126f22df44dabf5b7328acb2a01d10 rsync-3.3.0.tar.gz | ||
| 4a0e7817e6e71e0173713ddd6b6bc7ee86237d092bd0a8c830a69f9993b76b5712a13a3ca60c7bbf42162cdc837df8783e07f8cd65c32fcb12c35f751043c56b rsync-3.4.0.tar.gz | ||
| 5808533ffbddfb0a927c68d6f2c548650d0ce9ed698c74906eb5f6e997a40c540831a73e2ae546b6cd216de0593dfaa75810205e00022935f269b85134425ab7 rsync-manpages-3.4.0.tar.gz | ||
| 5d3fdb72df94f2512db15cb8759bc0fc6d3d7a889d6291ffef3327f715cf03f8950eaefbaa9ad528a0ddf97ab4bb011935441884a857e7dde50eb9e78287dd9d 0001-Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch | ||
| b8464659b18af0208cc44cb11dc8d7faf8b5c504aacc56b29191c470d04e40c42c79a4d7abe2af8b31fdb644c7b76075a4195257d8c25f5ce0c05e173997467d 0001-Fix-use-after-free-in-generator.patch | ||
| b9bf1aa02f96e4294642ead5751bd529ca1267c08e83a16342fba5736c3a8ec89568feb11fb737e974cb1bee7e00e7a8898d25844892366c6167b9ea8d1e647c rsyncd.initd | ||
| d91337cfb57e6e3b2a8ba1e24f7d851dd927bfc327da2212b9eb0acda0e1ca2f24987f6dcc4903eccc3bf170e0f115172b3cfa5a172700495296f26302c834d7 rsyncd.confd | ||
| 3db8a2b364fc89132af6143af90513deb6be3a78c8180d47c969e33cb5edde9db88aad27758a6911f93781e3c9846aeadc80fffc761c355d6a28358853156b62 rsyncd.conf | ||
|
|
||