diff options
| author | CoprDistGit <infra@openeuler.org> | 2025-01-15 05:35:26 +0000 |
|---|---|---|
| committer | CoprDistGit <infra@openeuler.org> | 2025-01-15 05:35:26 +0000 |
| commit | f11c15898301b307b5f632569b1946fc6f3d15d2 (patch) | |
| tree | 71a7783a3e100b5738f4612828b75f07527d347a | |
| parent | 91c281cabee2f40953d20ff0b4aa681d46c9e17b (diff) | |
automatic import of rsyncopeneuler24.03_LTS
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | backport-CVE-2024-12084-part1.patch | 151 | ||||
| -rw-r--r-- | backport-CVE-2024-12084-part2.patch | 39 | ||||
| -rw-r--r-- | backport-CVE-2024-12085.patch | 27 | ||||
| -rw-r--r-- | backport-CVE-2024-12086-part1.patch | 37 | ||||
| -rw-r--r-- | backport-CVE-2024-12086-part2.patch | 103 | ||||
| -rw-r--r-- | backport-CVE-2024-12086-part3.patch | 103 | ||||
| -rw-r--r-- | backport-CVE-2024-12086-part4.patch | 37 | ||||
| -rw-r--r-- | backport-CVE-2024-12087-part1.patch | 45 | ||||
| -rw-r--r-- | backport-CVE-2024-12087-part2.patch | 27 | ||||
| -rw-r--r-- | backport-CVE-2024-12088.patch | 136 | ||||
| -rw-r--r-- | backport-CVE-2024-12747.patch | 187 | ||||
| -rw-r--r-- | backport-Duplicate-argv-data-before-poptFreeContext.patch | 630 | ||||
| -rw-r--r-- | rsync.spec | 131 | ||||
| -rw-r--r-- | rsyncd.conf | 20 | ||||
| -rw-r--r-- | rsyncd.service | 10 | ||||
| -rw-r--r-- | rsyncd.socket | 10 | ||||
| -rw-r--r-- | rsyncd.sysconfig | 1 | ||||
| -rw-r--r-- | rsyncd@.service | 8 | ||||
| -rw-r--r-- | sources | 1 |
20 files changed, 1704 insertions, 0 deletions
@@ -0,0 +1 @@ +/rsync-3.2.5.tar.gz diff --git a/backport-CVE-2024-12084-part1.patch b/backport-CVE-2024-12084-part1.patch new file mode 100644 index 0000000..e5ba8dd --- /dev/null +++ b/backport-CVE-2024-12084-part1.patch @@ -0,0 +1,151 @@ +From 0902b52f6687b1f7952422080d50b93108742e53 Mon Sep 17 00:00:00 2001 +From: Wayne Davison <wayne@opencoder.net> +Date: Tue, 29 Oct 2024 22:55:29 -0700 +Subject: [PATCH 1/2] Some checksum buffer fixes. + +- Put sum2_array into sum_struct to hold an array of sum2 checksums + that are each xfer_sum_len bytes. +- Remove sum2 buf from sum_buf. +- Add macro sum2_at() to access each sum2 array element. +- Throw an error if a sums header has an s2length larger than + xfer_sum_len. +--- + io.c | 3 ++- + match.c | 8 ++++---- + rsync.c | 5 ++++- + rsync.h | 4 +++- + sender.c | 4 +++- + 5 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/io.c b/io.c +index a99ac0ec..bb60eeca 100644 +--- a/io.c ++++ b/io.c +@@ -55,6 +55,7 @@ extern int read_batch; + extern int compat_flags; + extern int protect_args; + extern int checksum_seed; ++extern int xfer_sum_len; + extern int daemon_connection; + extern int protocol_version; + extern int remove_source_files; +@@ -1977,7 +1978,7 @@ void read_sum_head(int f, struct sum_struct *sum) + exit_cleanup(RERR_PROTOCOL); + } + sum->s2length = protocol_version < 27 ? csum_length : (int)read_int(f); +- if (sum->s2length < 0 || sum->s2length > MAX_DIGEST_LEN) { ++ if (sum->s2length < 0 || sum->s2length > xfer_sum_len) { + rprintf(FERROR, "Invalid checksum length %d [%s]\n", + sum->s2length, who_am_i()); + exit_cleanup(RERR_PROTOCOL); +diff --git a/match.c b/match.c +index cdb30a15..36e78ed2 100644 +--- a/match.c ++++ b/match.c +@@ -232,7 +232,7 @@ static void hash_search(int f,struct sum_struct *s, + done_csum2 = 1; + } + +- if (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) { ++ if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) { + false_alarms++; + continue; + } +@@ -252,7 +252,7 @@ static void hash_search(int f,struct sum_struct *s, + if (i != aligned_i) { + if (sum != s->sums[aligned_i].sum1 + || l != s->sums[aligned_i].len +- || memcmp(sum2, s->sums[aligned_i].sum2, s->s2length) != 0) ++ || memcmp(sum2, sum2_at(s, aligned_i), s->s2length) != 0) + goto check_want_i; + i = aligned_i; + } +@@ -271,7 +271,7 @@ static void hash_search(int f,struct sum_struct *s, + if (sum != s->sums[i].sum1) + goto check_want_i; + get_checksum2((char *)map, l, sum2); +- if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0) ++ if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) + goto check_want_i; + /* OK, we have a re-alignment match. Bump the offset + * forward to the new match point. */ +@@ -290,7 +290,7 @@ static void hash_search(int f,struct sum_struct *s, + && (!updating_basis_file || s->sums[want_i].offset >= offset + || s->sums[want_i].flags & SUMFLG_SAME_OFFSET) + && sum == s->sums[want_i].sum1 +- && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) { ++ && memcmp(sum2, sum2_at(s, want_i), s->s2length) == 0) { + /* we've found an adjacent match - the RLL coder + * will be happy */ + i = want_i; +diff --git a/rsync.c b/rsync.c +index cd288f57..b130aba5 100644 +--- a/rsync.c ++++ b/rsync.c +@@ -437,7 +437,10 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr, cha + */ + void free_sums(struct sum_struct *s) + { +- if (s->sums) free(s->sums); ++ if (s->sums) { ++ free(s->sums); ++ free(s->sum2_array); ++ } + free(s); + } + +diff --git a/rsync.h b/rsync.h +index d3709fe0..8ddbe702 100644 +--- a/rsync.h ++++ b/rsync.h +@@ -958,12 +958,12 @@ struct sum_buf { + uint32 sum1; /**< simple checksum */ + int32 chain; /**< next hash-table collision */ + short flags; /**< flag bits */ +- char sum2[SUM_LENGTH]; /**< checksum */ + }; + + struct sum_struct { + OFF_T flength; /**< total file length */ + struct sum_buf *sums; /**< points to info for each chunk */ ++ char *sum2_array; /**< checksums of length xfer_sum_len */ + int32 count; /**< how many chunks */ + int32 blength; /**< block_length */ + int32 remainder; /**< flength % block_length */ +@@ -982,6 +982,8 @@ struct map_struct { + int status; /* first errno from read errors */ + }; + ++#define sum2_at(s, i) ((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len)) ++ + #define NAME_IS_FILE (0) /* filter name as a file */ + #define NAME_IS_DIR (1<<0) /* filter name as a dir */ + #define NAME_IS_XATTR (1<<2) /* filter name as an xattr */ +diff --git a/sender.c b/sender.c +index 3d4f052e..ab205341 100644 +--- a/sender.c ++++ b/sender.c +@@ -31,6 +31,7 @@ extern int log_before_transfer; + extern int stdout_format_has_i; + extern int logfile_format_has_i; + extern int want_xattr_optim; ++extern int xfer_sum_len; + extern int csum_length; + extern int append_mode; + extern int copy_links; +@@ -94,10 +95,11 @@ static struct sum_struct *receive_sums(int f) + return(s); + + s->sums = new_array(struct sum_buf, s->count); ++ s->sum2_array = new_array(char, s->count * xfer_sum_len); + + for (i = 0; i < s->count; i++) { + s->sums[i].sum1 = read_int(f); +- read_buf(f, s->sums[i].sum2, s->s2length); ++ read_buf(f, sum2_at(s, i), s->s2length); + + s->sums[i].offset = offset; + s->sums[i].flags = 0; +-- +2.34.1 + diff --git a/backport-CVE-2024-12084-part2.patch b/backport-CVE-2024-12084-part2.patch new file mode 100644 index 0000000..5a21d71 --- /dev/null +++ b/backport-CVE-2024-12084-part2.patch @@ -0,0 +1,39 @@ +From 42e2b56c4ede3ab164f9a5c6dae02aa84606a6c1 Mon Sep 17 00:00:00 2001 +From: Wayne Davison <wayne@opencoder.net> +Date: Tue, 5 Nov 2024 11:01:03 -0800 +Subject: [PATCH 2/2] Another cast when multiplying integers. + +--- + rsync.h | 2 +- + sender.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rsync.h b/rsync.h +index 8ddbe702..0f9e277f 100644 +--- a/rsync.h ++++ b/rsync.h +@@ -982,7 +982,7 @@ struct map_struct { + int status; /* first errno from read errors */ + }; + +-#define sum2_at(s, i) ((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len)) ++#define sum2_at(s, i) ((s)->sum2_array + ((size_t)(i) * xfer_sum_len)) + + #define NAME_IS_FILE (0) /* filter name as a file */ + #define NAME_IS_DIR (1<<0) /* filter name as a dir */ +diff --git a/sender.c b/sender.c +index ab205341..2bbff2fa 100644 +--- a/sender.c ++++ b/sender.c +@@ -95,7 +95,7 @@ static struct sum_struct *receive_sums(int f) + return(s); + + s->sums = new_array(struct sum_buf, s->count); +- s->sum2_array = new_array(char, s->count * xfer_sum_len); ++ s->sum2_array = new_array(char, (size_t)s->count * xfer_sum_len); + + for (i = 0; i < s->count; i++) { + s->sums[i].sum1 = read_int(f); +-- +2.34.1 + diff --git a/backport-CVE-2024-12085.patch b/backport-CVE-2024-12085.patch new file mode 100644 index 0000000..7356fb6 --- /dev/null +++ b/backport-CVE-2024-12085.patch @@ -0,0 +1,27 @@ +From cf620065502f065d4ea44f5df4f81295a738aa21 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell <andrew@tridgell.net> +Date: Thu, 14 Nov 2024 09:57:08 +1100 +Subject: [PATCH] prevent information leak off the stack + +prevent leak of uninitialised stack data in hash_search +--- + match.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/match.c b/match.c +index 36e78ed2..dfd6af2c 100644 +--- a/match.c ++++ b/match.c +@@ -147,6 +147,9 @@ static void hash_search(int f,struct sum_struct *s, + int more; + schar *map; + ++ // prevent possible memory leaks ++ memset(sum2, 0, sizeof sum2); ++ + /* want_i is used to encourage adjacent matches, allowing the RLL + * coding of the output to work more efficiently. */ + want_i = 0; +-- +2.34.1 + diff --git a/backport-CVE-2024-12086-part1.patch b/backport-CVE-2024-12086-part1.patch new file mode 100644 index 0000000..45505a6 --- /dev/null +++ b/backport-CVE-2024-12086-part1.patch @@ -0,0 +1,37 @@ +From 3feb8669d875d03c9ceb82e208ef40ddda8eb908 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell <andrew@tridgell.net> +Date: Sat, 23 Nov 2024 11:08:03 +1100 +Subject: [PATCH 1/4] refuse fuzzy options when fuzzy not selected + +this prevents a malicious server providing a file to compare to when +the user has not given the fuzzy option +--- + receiver.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/receiver.c b/receiver.c +index 6b4b369e..2d7f6033 100644 +--- a/receiver.c ++++ b/receiver.c +@@ -67,6 +67,7 @@ + extern struct file_list *cur_flist, *first_flist, *dir_flist; + extern filter_rule_list daemon_filter_list; + extern OFF_T preallocated_len; ++extern int fuzzy_basis; + + static struct bitbag *delayed_bits = NULL; + static int phase = 0, redoing = 0; +@@ -716,6 +717,10 @@ + fnamecmp = get_backup_name(fname); + break; + case FNAMECMP_FUZZY: ++ if (fuzzy_basis == 0) { ++ rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname); ++ exit_cleanup(RERR_PROTOCOL); ++ } + if (file->dirname) { + pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname); + fnamecmp = fnamecmpbuf; +-- +2.34.1 + diff --git a/backport-CVE-2024-12086-part2.patch b/backport-CVE-2024-12086-part2.patch new file mode 100644 index 0000000..719c6f1 --- /dev/null +++ b/backport-CVE-2024-12086-part2.patch @@ -0,0 +1,103 @@ +From 33385aefe4773e7a3982d41995681eb079c92d12 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell <andrew@tridgell.net> +Date: Sat, 23 Nov 2024 12:26:10 +1100 +Subject: [PATCH 2/4] added secure_relative_open() + +this is an open that enforces no symlink following for all path +components in a relative path +--- + syscall.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 74 insertions(+) + +diff --git a/syscall.c b/syscall.c +index d92074aa..a4b7f542 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -33,6 +33,8 @@ + #include <sys/syscall.h> + #endif + ++#include "ifuncs.h" ++ + extern int dry_run; + extern int am_root; + extern int am_sender; +@@ -712,3 +714,75 @@ int do_open_nofollow(const char *pathname, int flags) + + return fd; + } ++ ++/* ++ open a file relative to a base directory. The basedir can be NULL, ++ in which case the current working directory is used. The relpath ++ must be a relative path, and the relpath must not contain any ++ elements in the path which follow symlinks (ie. like O_NOFOLLOW, but ++ applies to all path components, not just the last component) ++*/ ++int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) ++{ ++ if (!relpath || relpath[0] == '/') { ++ // must be a relative path ++ errno = EINVAL; ++ return -1; ++ } ++ ++#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) ++ // really old system, all we can do is live with the risks ++ if (!basedir) { ++ return open(relpath, flags, mode); ++ } ++ char fullpath[MAXPATHLEN]; ++ pathjoin(fullpath, sizeof fullpath, basedir, relpath); ++ return open(fullpath, flags, mode); ++#else ++ int dirfd = AT_FDCWD; ++ if (basedir != NULL) { ++ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY); ++ if (dirfd == -1) { ++ return -1; ++ } ++ } ++ int retfd = -1; ++ ++ char *path_copy = my_strdup(relpath, __FILE__, __LINE__); ++ if (!path_copy) { ++ return -1; ++ } ++ ++ for (const char *part = strtok(path_copy, "/"); ++ part != NULL; ++ part = strtok(NULL, "/")) ++ { ++ int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW); ++ if (next_fd == -1 && errno == ENOTDIR) { ++ if (strtok(NULL, "/") != NULL) { ++ // this is not the last component of the path ++ errno = ELOOP; ++ goto cleanup; ++ } ++ // this could be the last component of the path, try as a file ++ retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode); ++ goto cleanup; ++ } ++ if (next_fd == -1) { ++ goto cleanup; ++ } ++ if (dirfd != AT_FDCWD) close(dirfd); ++ dirfd = next_fd; ++ } ++ ++ // the path must be a directory ++ errno = EINVAL; ++ ++cleanup: ++ free(path_copy); ++ if (dirfd != AT_FDCWD) { ++ close(dirfd); ++ } ++ return retfd; ++#endif // O_NOFOLLOW, O_DIRECTORY ++} +-- +2.34.1 + diff --git a/backport-CVE-2024-12086-part3.patch b/backport-CVE-2024-12086-part3.patch new file mode 100644 index 0000000..4be6391 --- /dev/null +++ b/backport-CVE-2024-12086-part3.patch @@ -0,0 +1,103 @@ +From e59ef9939d3f0ccc8f9bab51442989a81be0c914 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell <andrew@tridgell.net> +Date: Sat, 23 Nov 2024 12:28:13 +1100 +Subject: [PATCH 3/4] receiver: use secure_relative_open() for basis file + +this prevents attacks where the basis file is manipulated by a +malicious sender to gain information about files outside the +destination tree +--- + receiver.c | 42 ++++++++++++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 16 deletions(-) + +diff --git a/receiver.c b/receiver.c +index 2d7f6033..8031b8f4 100644 +--- a/receiver.c ++++ b/receiver.c +@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name) + progress_init(); + + while (1) { ++ const char *basedir = NULL; ++ + cleanup_disable(); + + /* This call also sets cur_flist. */ +@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char *local_name) + exit_cleanup(RERR_PROTOCOL); + } + if (file->dirname) { +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname); +- fnamecmp = fnamecmpbuf; +- } else +- fnamecmp = xname; ++ basedir = file->dirname; ++ } ++ fnamecmp = xname; + break; + default: + if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) { + fnamecmp_type -= FNAMECMP_FUZZY + 1; + if (file->dirname) { +- stringjoin(fnamecmpbuf, sizeof fnamecmpbuf, +- basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL); +- } else +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname); ++ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname); ++ basedir = fnamecmpbuf; ++ } else { ++ basedir = basis_dir[fnamecmp_type]; ++ } ++ fnamecmp = xname; + } else if (fnamecmp_type >= basis_dir_cnt) { + rprintf(FERROR, + "invalid basis_dir index: %d.\n", + fnamecmp_type); + exit_cleanup(RERR_PROTOCOL); +- } else +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname); +- fnamecmp = fnamecmpbuf; ++ } else { ++ basedir = basis_dir[fnamecmp_type]; ++ fnamecmp = fname; ++ } + break; + } + if (!fnamecmp || (daemon_filter_list.head +@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name) + } + + /* open the file */ +- fd1 = do_open(fnamecmp, O_RDONLY, 0); ++ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0); + + if (fd1 == -1 && protocol_version < 29) { + if (fnamecmp != fname) { +@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name) + + if (fd1 == -1 && basis_dir[0]) { + /* pre-29 allowed only one alternate basis */ +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, +- basis_dir[0], fname); +- fnamecmp = fnamecmpbuf; ++ basedir = basis_dir[0]; ++ fnamecmp = fname; + fnamecmp_type = FNAMECMP_BASIS_DIR_LOW; +- fd1 = do_open(fnamecmp, O_RDONLY, 0); ++ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0); + } + } + ++ if (basedir) { ++ // for the following code we need the full ++ // path name as a single string ++ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp); ++ fnamecmp = fnamecmpbuf; ++ } ++ + one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR; + updating_basis_or_equiv = one_inplace + || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP)); +-- +2.34.1 + diff --git a/backport-CVE-2024-12086-part4.patch b/backport-CVE-2024-12086-part4.patch new file mode 100644 index 0000000..74a16e7 --- /dev/null +++ b/backport-CVE-2024-12086-part4.patch @@ -0,0 +1,37 @@ +From c78e53edb802d04f7e4e070fe8314f2544749e7a Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell <andrew@tridgell.net> +Date: Tue, 26 Nov 2024 09:16:31 +1100 +Subject: [PATCH 4/4] disallow ../ elements in relpath for secure_relative_open + +--- + syscall.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/syscall.c b/syscall.c +index a4b7f542..47c5ea57 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -721,6 +721,8 @@ int do_open_nofollow(const char *pathname, int flags) + must be a relative path, and the relpath must not contain any + elements in the path which follow symlinks (ie. like O_NOFOLLOW, but + applies to all path components, not just the last component) ++ ++ The relpath must also not contain any ../ elements in the path + */ + int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) + { +@@ -729,6 +731,11 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo + errno = EINVAL; + return -1; + } ++ if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) { ++ // no ../ elements allowed in the relpath ++ errno = EINVAL; ++ return -1; ++ } + + #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) + // really old system, all we can do is live with the risks +-- +2.34.1 + diff --git a/backport-CVE-2024-12087-part1.patch b/backport-CVE-2024-12087-part1.patch new file mode 100644 index 0000000..99ebc15 --- /dev/null +++ b/backport-CVE-2024-12087-part1.patch @@ -0,0 +1,45 @@ +From 0ebc19ee486a8e928a68d8f98d07d40f176770aa Mon Sep 17 00:00:00 2001 +From: Wayne Davison <wayne@opencoder.net> +Date: Thu, 14 Nov 2024 15:46:50 -0800 +Subject: [PATCH 1/2] Refuse a duplicate dirlist. + +--- + flist.c | 9 +++++++++ + rsync.h | 1 + + 2 files changed, 10 insertions(+) + +diff --git a/flist.c b/flist.c +index 464d556e..847b1054 100644 +--- a/flist.c ++++ b/flist.c +@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f, int dir_ndx) + init_hard_links(); + #endif + ++ if (inc_recurse && dir_ndx >= 0) { ++ struct file_struct *file = dir_flist->files[dir_ndx]; ++ if (file->flags & FLAG_GOT_DIR_FLIST) { ++ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx); ++ exit_cleanup(RERR_PROTOCOL); ++ } ++ file->flags |= FLAG_GOT_DIR_FLIST; ++ } ++ + flist = flist_new(0, "recv_file_list"); + flist_expand(flist, FLIST_START_LARGE); + +diff --git a/rsync.h b/rsync.h +index 0f9e277f..b9a7101a 100644 +--- a/rsync.h ++++ b/rsync.h +@@ -84,6 +84,7 @@ + #define FLAG_DUPLICATE (1<<4) /* sender */ + #define FLAG_MISSING_DIR (1<<4) /* generator */ + #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */ ++#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */ + #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */ + #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */ + #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */ +-- +2.34.1 + diff --git a/backport-CVE-2024-12087-part2.patch b/backport-CVE-2024-12087-part2.patch new file mode 100644 index 0000000..b067809 --- /dev/null +++ b/backport-CVE-2024-12087-part2.patch @@ -0,0 +1,27 @@ +From b3e16be18d582dac1513c0a932d146b36e867b1b Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell <andrew@tridgell.net> +Date: Tue, 26 Nov 2024 16:12:45 +1100 +Subject: [PATCH 2/2] range check dir_ndx before use + +--- + flist.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/flist.c b/flist.c +index 847b1054..087f9da6 100644 +--- a/flist.c ++++ b/flist.c +@@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f, int dir_ndx) + #endif + + if (inc_recurse && dir_ndx >= 0) { ++ if (dir_ndx >= dir_flist->used) { ++ rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used); ++ exit_cleanup(RERR_PROTOCOL); ++ } + struct file_struct *file = dir_flist->files[dir_ndx]; + if (file->flags & FLAG_GOT_DIR_FLIST) { + rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx); +-- +2.34.1 + diff --git a/backport-CVE-2024-12088.patch b/backport-CVE-2024-12088.patch new file mode 100644 index 0000000..2ba5881 --- /dev/null +++ b/backport-CVE-2024-12088.patch @@ -0,0 +1,136 @@ +From 535f8f816539ba681ef0f12015d2cb587ae61b6d Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell <andrew@tridgell.net> +Date: Sat, 23 Nov 2024 15:15:53 +1100 +Subject: [PATCH] make --safe-links stricter + +when --safe-links is used also reject links where a '../' component is +included in the destination as other than the leading part of the +filename +--- + testsuite/safe-links.test | 55 ++++++++++++++++++++++++++++++++++++ + testsuite/unsafe-byname.test | 2 +- + util1.c | 26 ++++++++++++++++- + 3 files changed, 81 insertions(+), 2 deletions(-) + create mode 100644 testsuite/safe-links.test + +diff --git a/testsuite/safe-links.test b/testsuite/safe-links.test +new file mode 100644 +index 00000000..6e95a4b9 +--- /dev/null ++++ b/testsuite/safe-links.test +@@ -0,0 +1,55 @@ ++#!/bin/sh ++ ++. "$suitedir/rsync.fns" ++ ++test_symlink() { ++ is_a_link "$1" || test_fail "File $1 is not a symlink" ++} ++ ++test_regular() { ++ if [ ! -f "$1" ]; then ++ test_fail "File $1 is not regular file or not exists" ++ fi ++} ++ ++test_notexist() { ++ if [ -e "$1" ]; then ++ test_fail "File $1 exists" ++ fi ++ if [ -h "$1" ]; then ++ test_fail "File $1 exists as a symlink" ++ fi ++} ++ ++cd "$tmpdir" ++ ++mkdir from ++ ++mkdir "from/safe" ++mkdir "from/unsafe" ++ ++mkdir "from/safe/files" ++mkdir "from/safe/links" ++ ++touch "from/safe/files/file1" ++touch "from/safe/files/file2" ++touch "from/unsafe/unsafefile" ++ ++ln -s ../files/file1 "from/safe/links/" ++ln -s ../files/file2 "from/safe/links/" ++ln -s ../../unsafe/unsafefile "from/safe/links/" ++ln -s a/a/a/../../../unsafe2 "from/safe/links/" ++ ++#echo "LISTING FROM" ++#ls -lR from ++ ++echo "rsync with relative path and just -a" ++$RSYNC -avv --safe-links from/safe/ to ++ ++#echo "LISTING TO" ++#ls -lR to ++ ++test_symlink to/links/file1 ++test_symlink to/links/file2 ++test_notexist to/links/unsafefile ++test_notexist to/links/unsafe2 +diff --git a/testsuite/unsafe-byname.test b/testsuite/unsafe-byname.test +index 75e72014..d2e318ef 100644 +--- a/testsuite/unsafe-byname.test ++++ b/testsuite/unsafe-byname.test +@@ -40,7 +40,7 @@ test_unsafe ..//../dest from/dir unsafe + test_unsafe .. from/file safe + test_unsafe ../.. from/file unsafe + test_unsafe ..//.. from//file unsafe +-test_unsafe dir/.. from safe ++test_unsafe dir/.. from unsafe + test_unsafe dir/../.. from unsafe + test_unsafe dir/..//.. from unsafe + +diff --git a/util1.c b/util1.c +index da50ff1e..f260d398 100644 +--- a/util1.c ++++ b/util1.c +@@ -1318,7 +1318,14 @@ int handle_partial_dir(const char *fname, int create) + * + * "src" is the top source directory currently applicable at the level + * of the referenced symlink. This is usually the symlink's full path +- * (including its name), as referenced from the root of the transfer. */ ++ * (including its name), as referenced from the root of the transfer. ++ * ++ * NOTE: this also rejects dest names with a .. component in other ++ * than the first component of the name ie. it rejects names such as ++ * a/b/../x/y. This needs to be done as the leading subpaths 'a' or ++ * 'b' could later be replaced with symlinks such as a link to '.' ++ * resulting in the link being transferred now becoming unsafe ++ */ + int unsafe_symlink(const char *dest, const char *src) + { + const char *name, *slash; +@@ -1328,6 +1335,23 @@ int unsafe_symlink(const char *dest, const char *src) + if (!dest || !*dest || *dest == '/') + return 1; + ++ // reject destinations with /../ in the name other than at the start of the name ++ const char *dest2 = dest; ++ while (strncmp(dest2, "../", 3) == 0) { ++ dest2 += 3; ++ while (*dest2 == '/') { ++ // allow for ..//..///../foo ++ dest2++; ++ } ++ } ++ if (strstr(dest2, "/../")) ++ return 1; ++ ++ // reject if the destination ends in /.. ++ const size_t dlen = strlen(dest); ++ if (dlen > 3 && strcmp(&dest[dlen-3], "/..") == 0) ++ return 1; ++ + /* find out what our safety margin is */ + for (name = src; (slash = strchr(name, '/')) != 0; name = slash+1) { + /* ".." segment starts the count over. "." segment is ignored. */ +-- +2.34.1 + diff --git a/backport-CVE-2024-12747.patch b/backport-CVE-2024-12747.patch new file mode 100644 index 0000000..61ecbe7 --- /dev/null +++ b/backport-CVE-2024-12747.patch @@ -0,0 +1,187 @@ +From f45f48055e548851bc7230f454dfeba139be6c04 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell <andrew@tridgell.net> +Date: Wed, 18 Dec 2024 08:59:42 +1100 +Subject: [PATCH] fixed symlink race condition in sender + +when we open a file that we don't expect to be a symlink use +O_NOFOLLOW to prevent a race condition where an attacker could change +a file between being a normal file and a symlink +--- + checksum.c | 2 +- + flist.c | 2 +- + generator.c | 4 ++-- + receiver.c | 2 +- + sender.c | 2 +- + syscall.c | 20 ++++++++++++++++++++ + t_unsafe.c | 3 +++ + tls.c | 3 +++ + trimslash.c | 2 ++ + util1.c | 2 +- + 10 files changed, 35 insertions(+), 7 deletions(-) + +diff --git a/checksum.c b/checksum.c +index cb21882c..66e80896 100644 +--- a/checksum.c ++++ b/checksum.c +@@ -313,7 +313,7 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum) + + memset(sum, 0, MAX_DIGEST_LEN); + +- fd = do_open(fname, O_RDONLY, 0); ++ fd = do_open_checklinks(fname); + if (fd == -1) + return; + +diff --git a/flist.c b/flist.c +index 087f9da6..17832533 100644 +--- a/flist.c ++++ b/flist.c +@@ -1390,7 +1390,7 @@ struct file_struct *make_file(const char *fname, struct file_list *flist, + + if (copy_devices && am_sender && IS_DEVICE(st.st_mode)) { + if (st.st_size == 0) { +- int fd = do_open(fname, O_RDONLY, 0); ++ int fd = do_open_checklinks(fname); + if (fd >= 0) { + st.st_size = get_device_size(fd, fname); + close(fd); +diff --git a/generator.c b/generator.c +index 110db28f..3f13bb95 100644 +--- a/generator.c ++++ b/generator.c +@@ -1798,7 +1798,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx, + + if (write_devices && IS_DEVICE(sx.st.st_mode) && sx.st.st_size == 0) { + /* This early open into fd skips the regular open below. */ +- if ((fd = do_open(fnamecmp, O_RDONLY, 0)) >= 0) ++ if ((fd = do_open_nofollow(fnamecmp, O_RDONLY)) >= 0) + real_sx.st.st_size = sx.st.st_size = get_device_size(fd, fnamecmp); + } + +@@ -1867,7 +1867,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx, + } + + /* open the file */ +- if (fd < 0 && (fd = do_open(fnamecmp, O_RDONLY, 0)) < 0) { ++ if (fd < 0 && (fd = do_open_checklinks(fnamecmp)) < 0) { + rsyserr(FERROR, errno, "failed to open %s, continuing", + full_fname(fnamecmp)); + pretend_missing: +diff --git a/receiver.c b/receiver.c +index 8031b8f4..edfbb210 100644 +--- a/receiver.c ++++ b/receiver.c +@@ -775,7 +775,7 @@ int recv_files(int f_in, int f_out, char *local_name) + if (fnamecmp != fname) { + fnamecmp = fname; + fnamecmp_type = FNAMECMP_FNAME; +- fd1 = do_open(fnamecmp, O_RDONLY, 0); ++ fd1 = do_open_nofollow(fnamecmp, O_RDONLY); + } + + if (fd1 == -1 && basis_dir[0]) { +diff --git a/sender.c b/sender.c +index 2bbff2fa..a4d46c39 100644 +--- a/sender.c ++++ b/sender.c +@@ -350,7 +350,7 @@ void send_files(int f_in, int f_out) + exit_cleanup(RERR_PROTOCOL); + } + +- fd = do_open(fname, O_RDONLY, 0); ++ fd = do_open_checklinks(fname); + if (fd == -1) { + if (errno == ENOENT) { + enum logcode c = am_daemon && protocol_version < 28 ? FERROR : FWARNING; +diff --git a/syscall.c b/syscall.c +index 081357bb..8cea2900 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -45,6 +45,8 @@ extern int preallocate_files; + extern int preserve_perms; + extern int preserve_executability; + extern int open_noatime; ++extern int copy_links; ++extern int copy_unsafe_links; + + #ifndef S_BLKSIZE + # if defined hpux || defined __hpux__ || defined __hpux +@@ -788,3 +790,21 @@ cleanup: + return retfd; + #endif // O_NOFOLLOW, O_DIRECTORY + } ++ ++/* ++ varient of do_open/do_open_nofollow which does do_open() if the ++ copy_links or copy_unsafe_links options are set and does ++ do_open_nofollow() otherwise ++ ++ This is used to prevent a race condition where an attacker could be ++ switching a file between being a symlink and being a normal file ++ ++ The open is always done with O_RDONLY flags ++ */ ++int do_open_checklinks(const char *pathname) ++{ ++ if (copy_links || copy_unsafe_links) { ++ return do_open(pathname, O_RDONLY, 0); ++ } ++ return do_open_nofollow(pathname, O_RDONLY); ++} +diff --git a/t_unsafe.c b/t_unsafe.c +index 010cac50..e10619a2 100644 +--- a/t_unsafe.c ++++ b/t_unsafe.c +@@ -28,6 +28,9 @@ int am_root = 0; + int am_sender = 1; + int read_only = 0; + int list_only = 0; ++int copy_links = 0; ++int copy_unsafe_links = 0; ++ + short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG]; + + int +diff --git a/tls.c b/tls.c +index e6b0708a..858f8f10 100644 +--- a/tls.c ++++ b/tls.c +@@ -49,6 +49,9 @@ int list_only = 0; + int link_times = 0; + int link_owner = 0; + int nsec_times = 0; ++int safe_symlinks = 0; ++int copy_links = 0; ++int copy_unsafe_links = 0; + + #ifdef SUPPORT_XATTRS + +diff --git a/trimslash.c b/trimslash.c +index 1ec928ca..f2774cd7 100644 +--- a/trimslash.c ++++ b/trimslash.c +@@ -26,6 +26,8 @@ int am_root = 0; + int am_sender = 1; + int read_only = 1; + int list_only = 0; ++int copy_links = 0; ++int copy_unsafe_links = 0; + + int + main(int argc, char **argv) +diff --git a/util1.c b/util1.c +index f260d398..d84bc414 100644 +--- a/util1.c ++++ b/util1.c +@@ -365,7 +365,7 @@ int copy_file(const char *source, const char *dest, int tmpfilefd, mode_t mode) + int len; /* Number of bytes read into `buf'. */ + OFF_T prealloc_len = 0, offset = 0; + +- if ((ifd = do_open(source, O_RDONLY, 0)) < 0) { ++ if ((ifd = do_open_nofollow(source, O_RDONLY)) < 0) { + int save_errno = errno; + rsyserr(FERROR_XFER, errno, "open %s", full_fname(source)); + errno = save_errno; +-- +2.34.1 + diff --git a/backport-Duplicate-argv-data-before-poptFreeContext.patch b/backport-Duplicate-argv-data-before-poptFreeContext.patch new file mode 100644 index 0000000..fb80795 --- /dev/null +++ b/backport-Duplicate-argv-data-before-poptFreeContext.patch @@ -0,0 +1,630 @@ +From a2bd5eb03e299de04e63eb469ce3d3d3f092942f Mon Sep 17 00:00:00 2001 +From: Wayne Davison <wayne@opencoder.net> +Date: Tue, 22 Nov 2022 21:00:04 -0800 +Subject: [PATCH] Duplicate argv data before poptFreeContext(). + +Reference:https://github.com/RsyncProject/rsync/commit/8990ad96de881f7332d16d32485f9d8b841a87d2 +Conflict:NA +--- + main.c | 13 ----- + options.c | 160 ++++++++++++++++++++++++++++++------------------------ + 2 files changed, 90 insertions(+), 83 deletions(-) + +diff --git a/main.c b/main.c +index 9ebfbea..5f9a7a9 100644 +--- a/main.c ++++ b/main.c +@@ -1372,15 +1372,6 @@ int client_run(int f_in, int f_out, pid_t pid, int argc, char *argv[]) + return MAX(exit_code, exit_code2); + } + +-static void dup_argv(char *argv[]) +-{ +- int i; +- +- for (i = 0; argv[i]; i++) +- argv[i] = strdup(argv[i]); +-} +- +- + /* Start a client for either type of remote connection. Work out + * whether the arguments request a remote shell or rsyncd connection, + * and call the appropriate connection function, then run_client. +@@ -1396,10 +1387,6 @@ static int start_client(int argc, char *argv[]) + int ret; + pid_t pid; + +- /* Don't clobber argv[] so that ps(1) can still show the right +- * command line. */ +- dup_argv(argv); +- + if (!read_batch) { /* for read_batch, NO source is specified */ + char *path = check_for_hostspec(argv[0], &shell_machine, &rsync_port); + if (path) { /* source is remote */ +diff --git a/options.c b/options.c +index 4feeb7e..62558ef 100644 +--- a/options.c ++++ b/options.c +@@ -200,6 +200,7 @@ int remote_option_cnt = 0; + const char **remote_options = NULL; + const char *checksum_choice = NULL; + const char *compress_choice = NULL; ++static const char *empty_argv[1]; + + int quiet = 0; + int output_motd = 1; +@@ -1345,7 +1346,7 @@ char *alt_dest_opt(int type) + **/ + int parse_arguments(int *argc_p, const char ***argv_p) + { +- static poptContext pc; ++ poptContext pc; + const char *arg, **argv = *argv_p; + int argc = *argc_p; + int opt, want_dest_type; +@@ -1365,10 +1366,6 @@ int parse_arguments(int *argc_p, const char ***argv_p) + + /* TODO: Call poptReadDefaultConfig; handle errors. */ + +- /* The context leaks in case of an error, but if there's a +- * problem we always exit anyhow. */ +- if (pc) +- poptFreeContext(pc); + pc = poptGetContext(RSYNC_NAME, argc, argv, long_options, 0); + if (!am_server) { + poptReadDefaultConfig(pc, 0); +@@ -1411,7 +1408,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + strlcpy(err_buf, + "Attempt to hack rsync thwarted!\n", + sizeof err_buf); +- return 0; ++ goto cleanup; + } + #ifdef ICONV_OPTION + iconv_opt = NULL; +@@ -1457,7 +1454,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (tmpdir && strlen(tmpdir) >= MAXPATHLEN - 10) { + snprintf(err_buf, sizeof err_buf, + "the --temp-dir path is WAY too long.\n"); +- return 0; ++ goto cleanup; + } + + if (!daemon_opt) { +@@ -1467,8 +1464,16 @@ int parse_arguments(int *argc_p, const char ***argv_p) + exit_cleanup(RERR_SYNTAX); + } + +- *argv_p = argv = poptGetArgs(pc); +- *argc_p = argc = count_args(argv); ++ argv = poptGetArgs(pc); ++ argc = count_args(argv); ++ if (!argc) { ++ *argv_p = empty_argv; ++ *argc_p = 0; ++ } else if (poptDupArgv(argc, argv, argc_p, argv_p) != 0) ++ out_of_memory("parse_arguments"); ++ argv = *argv_p; ++ poptFreeContext(pc); ++ + am_starting_up = 0; + daemon_opt = 0; + am_daemon = 1; +@@ -1523,7 +1528,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + case 'a': + if (refused_archive_part) { + create_refuse_error(refused_archive_part); +- return 0; ++ goto cleanup; + } + if (!recurse) /* preserve recurse == 2 */ + recurse = 1; +@@ -1593,7 +1598,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + case 'P': + if (refused_partial || refused_progress) { + create_refuse_error(refused_partial ? refused_partial : refused_progress); +- return 0; ++ goto cleanup; + } + do_progress = 1; + keep_partial = 1; +@@ -1628,7 +1633,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (*arg != '-') { + snprintf(err_buf, sizeof err_buf, + "Remote option must start with a dash: %s\n", arg); +- return 0; ++ goto cleanup; + } + if (remote_option_cnt+2 >= remote_option_alloc) { + remote_option_alloc += 16; +@@ -1670,27 +1675,27 @@ int parse_arguments(int *argc_p, const char ***argv_p) + ssize_t size; + arg = poptGetOptArg(pc); + if ((size = parse_size_arg(arg, 'b', "block-size", 0, max_blength, False)) < 0) +- return 0; ++ goto cleanup; + block_size = (int32)size; + break; + } + + case OPT_MAX_SIZE: + if ((max_size = parse_size_arg(max_size_arg, 'b', "max-size", 0, -1, False)) < 0) +- return 0; ++ goto cleanup; + max_size_arg = strdup(do_big_num(max_size, 0, NULL)); + break; + + case OPT_MIN_SIZE: + if ((min_size = parse_size_arg(min_size_arg, 'b', "min-size", 0, -1, False)) < 0) +- return 0; ++ goto cleanup; + min_size_arg = strdup(do_big_num(min_size, 0, NULL)); + break; + + case OPT_BWLIMIT: { + ssize_t size = parse_size_arg(bwlimit_arg, 'K', "bwlimit", 512, -1, True); + if (size < 0) +- return 0; ++ goto cleanup; + bwlimit_arg = strdup(do_big_num(size, 0, NULL)); + bwlimit = (size + 512) / 1024; + break; +@@ -1719,7 +1724,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + snprintf(err_buf, sizeof err_buf, + "ERROR: the %s option conflicts with the %s option\n", + alt_dest_opt(want_dest_type), alt_dest_opt(0)); +- return 0; ++ goto cleanup; + } + alt_dest_type = want_dest_type; + +@@ -1727,7 +1732,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + snprintf(err_buf, sizeof err_buf, + "ERROR: at most %d %s args may be specified\n", + MAX_BASIS_DIRS, alt_dest_opt(0)); +- return 0; ++ goto cleanup; + } + /* We defer sanitizing this arg until we know what + * our destination directory is going to be. */ +@@ -1740,7 +1745,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + snprintf(err_buf, sizeof err_buf, + "Invalid argument passed to --chmod (%s)\n", + arg); +- return 0; ++ goto cleanup; + } + break; + +@@ -1759,11 +1764,11 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (usermap_via_chown) { + snprintf(err_buf, sizeof err_buf, + "--usermap conflicts with prior --chown.\n"); +- return 0; ++ goto cleanup; + } + snprintf(err_buf, sizeof err_buf, + "You can only specify --usermap once.\n"); +- return 0; ++ goto cleanup; + } + usermap = (char *)poptGetOptArg(pc); + usermap_via_chown = False; +@@ -1775,11 +1780,11 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (groupmap_via_chown) { + snprintf(err_buf, sizeof err_buf, + "--groupmap conflicts with prior --chown.\n"); +- return 0; ++ goto cleanup; + } + snprintf(err_buf, sizeof err_buf, + "You can only specify --groupmap once.\n"); +- return 0; ++ goto cleanup; + } + groupmap = (char *)poptGetOptArg(pc); + groupmap_via_chown = False; +@@ -1798,11 +1803,11 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (!usermap_via_chown) { + snprintf(err_buf, sizeof err_buf, + "--chown conflicts with prior --usermap.\n"); +- return 0; ++ goto cleanup; + } + snprintf(err_buf, sizeof err_buf, + "You can only specify a user-affecting --chown once.\n"); +- return 0; ++ goto cleanup; + } + if (asprintf(&usermap, "*:%.*s", len, chown) < 0) + out_of_memory("parse_arguments"); +@@ -1814,11 +1819,11 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (!groupmap_via_chown) { + snprintf(err_buf, sizeof err_buf, + "--chown conflicts with prior --groupmap.\n"); +- return 0; ++ goto cleanup; + } + snprintf(err_buf, sizeof err_buf, + "You can only specify a group-affecting --chown once.\n"); +- return 0; ++ goto cleanup; + } + if (asprintf(&groupmap, "*:%s", arg) < 0) + out_of_memory("parse_arguments"); +@@ -1846,7 +1851,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + snprintf(err_buf,sizeof(err_buf), + "ACLs are not supported on this %s\n", + am_server ? "server" : "client"); +- return 0; ++ goto cleanup; + #endif + + case 'X': +@@ -1857,7 +1862,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + snprintf(err_buf,sizeof(err_buf), + "extended attributes are not supported on this %s\n", + am_server ? "server" : "client"); +- return 0; ++ goto cleanup; + #endif + + case OPT_STOP_AFTER: { +@@ -1866,7 +1871,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + stop_at_utime = time(NULL); + if ((val = atol(arg) * 60) <= 0 || LONG_MAX - val < stop_at_utime || (long)(time_t)val != val) { + snprintf(err_buf, sizeof err_buf, "invalid --stop-after value: %s\n", arg); +- return 0; ++ goto cleanup; + } + stop_at_utime += val; + break; +@@ -1877,11 +1882,11 @@ int parse_arguments(int *argc_p, const char ***argv_p) + arg = poptGetOptArg(pc); + if ((stop_at_utime = parse_time(arg)) == (time_t)-1) { + snprintf(err_buf, sizeof err_buf, "invalid --stop-at format: %s\n", arg); +- return 0; ++ goto cleanup; + } + if (stop_at_utime <= time(NULL)) { + snprintf(err_buf, sizeof err_buf, "--stop-at time is not in the future: %s\n", arg); +- return 0; ++ goto cleanup; + } + break; + #endif +@@ -1899,7 +1904,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + else { + snprintf(err_buf, sizeof err_buf, + "--stderr mode \"%s\" is not one of errors, all, or client\n", arg); +- return 0; ++ goto cleanup; + } + saw_stderr_opt = 1; + break; +@@ -1910,13 +1915,13 @@ int parse_arguments(int *argc_p, const char ***argv_p) + * turned this option off. */ + if (opt >= OPT_REFUSED_BASE) { + create_refuse_error(opt); +- return 0; ++ goto cleanup; + } + snprintf(err_buf, sizeof err_buf, "%s%s: %s\n", + am_server ? "on remote machine: " : "", + poptBadOption(pc, POPT_BADOPTION_NOALIAS), + poptStrerror(opt)); +- return 0; ++ goto cleanup; + } + } + +@@ -1936,7 +1941,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (max_alloc_arg) { + ssize_t size = parse_size_arg(max_alloc_arg, 'B', "max-alloc", 1024*1024, -1, True); + if (size < 0) +- return 0; ++ goto cleanup; + max_alloc = size; + } + +@@ -1950,7 +1955,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (protect_args > 0) { + snprintf(err_buf, sizeof err_buf, + "--protect-args conflicts with --old-args.\n"); +- return 0; ++ goto cleanup; + } + protect_args = 0; + } +@@ -1995,7 +2000,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + do_compression = CPRES_AUTO; + if (do_compression && refused_compress) { + create_refuse_error(refused_compress); +- return 0; ++ goto cleanup; + } + } + +@@ -2020,7 +2025,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + default: + snprintf(err_buf, sizeof err_buf, + "Invalid --outbuf setting -- specify N, L, or B.\n"); +- return 0; ++ goto cleanup; + } + setvbuf(stdout, (char *)NULL, mode, 0); + } +@@ -2048,7 +2053,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + } + if (refused_no_iconv && !iconv_opt) { + create_refuse_error(refused_no_iconv); +- return 0; ++ goto cleanup; + } + #endif + +@@ -2059,18 +2064,30 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (orig_protect_args == 2 && am_server) + protect_args = orig_protect_args; + +- if (protect_args == 1 && am_server) ++ if (protect_args == 1 && am_server) { ++ poptFreeContext(pc); + return 1; ++ } + +- *argv_p = argv = poptGetArgs(pc); +- *argc_p = argc = count_args(argv); ++ /* Because popt 1.19 has started to free the returned args data, we now ++ * make a copy of the array and then do an immediate cleanup. */ ++ argv = poptGetArgs(pc); ++ argc = count_args(argv); ++ if (!argc) { ++ *argv_p = empty_argv; ++ *argc_p = 0; ++ } else if (poptDupArgv(argc, argv, argc_p, argv_p) != 0) ++ out_of_memory("parse_arguments"); ++ argv = *argv_p; ++ poptFreeContext(pc); ++ pc = NULL; + + #ifndef SUPPORT_LINKS + if (preserve_links && !am_sender) { + snprintf(err_buf, sizeof err_buf, + "symlinks are not supported on this %s\n", + am_server ? "server" : "client"); +- return 0; ++ goto cleanup; + } + #endif + +@@ -2079,7 +2096,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + snprintf(err_buf, sizeof err_buf, + "hard links are not supported on this %s\n", + am_server ? "server" : "client"); +- return 0; ++ goto cleanup; + } + #endif + +@@ -2087,20 +2104,20 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (am_root < 0 && preserve_xattrs > 1) { + snprintf(err_buf, sizeof err_buf, + "--fake-super conflicts with -XX\n"); +- return 0; ++ goto cleanup; + } + #else + if (am_root < 0) { + snprintf(err_buf, sizeof err_buf, + "--fake-super requires an rsync with extended attributes enabled\n"); +- return 0; ++ goto cleanup; + } + #endif + + if (write_batch && read_batch) { + snprintf(err_buf, sizeof err_buf, + "--write-batch and --read-batch can not be used together\n"); +- return 0; ++ goto cleanup; + } + if (write_batch > 0 || read_batch) { + if (am_server) { +@@ -2119,25 +2136,25 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (read_batch && files_from) { + snprintf(err_buf, sizeof err_buf, + "--read-batch cannot be used with --files-from\n"); +- return 0; ++ goto cleanup; + } + if (read_batch && remove_source_files) { + snprintf(err_buf, sizeof err_buf, + "--read-batch cannot be used with --remove-%s-files\n", + remove_source_files == 1 ? "source" : "sent"); +- return 0; ++ goto cleanup; + } + if (batch_name && strlen(batch_name) > MAX_BATCH_NAME_LEN) { + snprintf(err_buf, sizeof err_buf, + "the batch-file name must be %d characters or less.\n", + MAX_BATCH_NAME_LEN); +- return 0; ++ goto cleanup; + } + + if (tmpdir && strlen(tmpdir) >= MAXPATHLEN - 10) { + snprintf(err_buf, sizeof err_buf, + "the --temp-dir path is WAY too long.\n"); +- return 0; ++ goto cleanup; + } + + if (max_delete < 0 && max_delete != INT_MIN) { +@@ -2171,7 +2188,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (delete_before + !!delete_during + delete_after > 1) { + snprintf(err_buf, sizeof err_buf, + "You may not combine multiple --delete-WHEN options.\n"); +- return 0; ++ goto cleanup; + } + if (delete_before || delete_during || delete_after) + delete_mode = 1; +@@ -2182,7 +2199,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + delete_during = 1; + else { + create_refuse_error(refused_delete_before); +- return 0; ++ goto cleanup; + } + } else if (refused_delete_during) + delete_before = 1; +@@ -2191,14 +2208,14 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (!xfer_dirs && delete_mode) { + snprintf(err_buf, sizeof err_buf, + "--delete does not work without --recursive (-r) or --dirs (-d).\n"); +- return 0; ++ goto cleanup; + } + + if (missing_args == 3) /* simplify if both options were specified */ + missing_args = 2; + if (refused_delete && (delete_mode || missing_args == 2)) { + create_refuse_error(refused_delete); +- return 0; ++ goto cleanup; + } + + if (remove_source_files) { +@@ -2207,7 +2224,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + * options. */ + if (refused_delete && am_sender) { + create_refuse_error(refused_delete); +- return 0; ++ goto cleanup; + } + need_messages_from_generator = 1; + } +@@ -2261,7 +2278,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + snprintf(err_buf, sizeof err_buf, + "--suffix cannot contain slashes: %s\n", + backup_suffix); +- return 0; ++ goto cleanup; + } + if (backup_dir) { + size_t len; +@@ -2274,7 +2291,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (len > sizeof backup_dir_buf - 128) { + snprintf(err_buf, sizeof err_buf, + "the --backup-dir path is WAY too long.\n"); +- return 0; ++ goto cleanup; + } + backup_dir_len = (int)len; + if (!backup_dir_len) { +@@ -2293,7 +2310,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + "--suffix cannot be empty %s\n", backup_dir_len < 0 + ? "when --backup-dir is the same as the dest dir" + : "without a --backup-dir"); +- return 0; ++ goto cleanup; + } else if (make_backups && delete_mode && !delete_excluded && !am_server) { + snprintf(backup_dir_buf, sizeof backup_dir_buf, + "P *%s", backup_suffix); +@@ -2362,11 +2379,11 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (whole_file > 0) { + snprintf(err_buf, sizeof err_buf, + "--append cannot be used with --whole-file\n"); +- return 0; ++ goto cleanup; + } + if (refused_inplace) { + create_refuse_error(refused_inplace); +- return 0; ++ goto cleanup; + } + inplace = 1; + } +@@ -2374,7 +2391,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (write_devices) { + if (refused_inplace) { + create_refuse_error(refused_inplace); +- return 0; ++ goto cleanup; + } + inplace = 1; + } +@@ -2389,13 +2406,13 @@ int parse_arguments(int *argc_p, const char ***argv_p) + "--%s cannot be used with --%s\n", + append_mode ? "append" : "inplace", + delay_updates ? "delay-updates" : "partial-dir"); +- return 0; ++ goto cleanup; + } + /* --inplace implies --partial for refusal purposes, but we + * clear the keep_partial flag for internal logic purposes. */ + if (refused_partial) { + create_refuse_error(refused_partial); +- return 0; ++ goto cleanup; + } + keep_partial = 0; + #else +@@ -2403,7 +2420,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + "--%s is not supported on this %s\n", + append_mode ? "append" : "inplace", + am_server ? "server" : "client"); +- return 0; ++ goto cleanup; + #endif + } else { + if (keep_partial && !partial_dir && !am_server) { +@@ -2417,7 +2434,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + partial_dir = NULL; + if (!partial_dir && refused_partial) { + create_refuse_error(refused_partial); +- return 0; ++ goto cleanup; + } + keep_partial = 1; + } +@@ -2438,14 +2455,14 @@ int parse_arguments(int *argc_p, const char ***argv_p) + if (am_server) { + snprintf(err_buf, sizeof err_buf, + "The --files-from sent to the server cannot specify a host.\n"); +- return 0; ++ goto cleanup; + } + files_from = p; + filesfrom_host = h; + if (strcmp(files_from, "-") == 0) { + snprintf(err_buf, sizeof err_buf, + "Invalid --files-from remote filename\n"); +- return 0; ++ goto cleanup; + } + } else { + if (sanitize_paths) +@@ -2464,7 +2481,7 @@ int parse_arguments(int *argc_p, const char ***argv_p) + snprintf(err_buf, sizeof err_buf, + "failed to open files-from file %s: %s\n", + files_from, strerror(errno)); +- return 0; ++ goto cleanup; + } + } + } +@@ -2481,6 +2498,9 @@ int parse_arguments(int *argc_p, const char ***argv_p) + options_rejected: + snprintf(err_buf, sizeof err_buf, + "Your options have been rejected by the server.\n"); ++ cleanup: ++ if (pc) ++ poptFreeContext(pc); + return 0; + } + +-- +2.33.0 + diff --git a/rsync.spec b/rsync.spec new file mode 100644 index 0000000..5910a09 --- /dev/null +++ b/rsync.spec @@ -0,0 +1,131 @@ +Name: rsync +Version: 3.2.5 +Release: 4 +Summary: Fast incremental file transfer utility +License: GPLv3+ +URL: http://rsync.samba.org/ +Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}.tar.gz +Source1: rsyncd.socket +Source2: rsyncd.service +Source3: rsyncd.conf +Source4: rsyncd.sysconfig +Source5: rsyncd@.service + +Patch6000: backport-Duplicate-argv-data-before-poptFreeContext.patch +Patch6002: backport-CVE-2024-12084-part1.patch +Patch6003: backport-CVE-2024-12084-part2.patch +Patch6004: backport-CVE-2024-12085.patch +Patch6005: backport-CVE-2024-12086-part1.patch +Patch6006: backport-CVE-2024-12086-part2.patch +Patch6007: backport-CVE-2024-12086-part3.patch +Patch6008: backport-CVE-2024-12086-part4.patch +Patch6009: backport-CVE-2024-12087-part1.patch +Patch6010: backport-CVE-2024-12087-part2.patch +Patch6011: backport-CVE-2024-12088.patch +Patch6012: backport-CVE-2024-12747.patch + +BuildRequires: git gcc systemd libacl-devel libattr-devel autoconf popt-devel +BuildRequires: lz4-devel openssl-devel libzstd-devel +Provides: bundled(zlib) = 1.2.8 rsync-daemon +Obsoletes: rsync-daemon +%{?systemd_requires} + +%description +Rsync is an open source utility that provides fast incremental file transfer. +It uses the "rsync algorithm" which provides a very fast method for bringing +remote files into sync. It does this by sending just the differences in the +files across the link, without requiring that both sets of files are present +at one of the ends of the link beforehand. + +%package_help + +%prep +%autosetup -n %{name}-%{version} -p1 + +%build +%configure --disable-xxhash +%make_build + +%check +make check + +%install +%make_install + +install -D -m644 %{SOURCE1} %{buildroot}/%{_unitdir}/rsyncd.socket +install -D -m644 %{SOURCE2} %{buildroot}/%{_unitdir}/rsyncd.service +install -D -m644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/rsyncd.conf +install -D -m644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/sysconfig/rsyncd +install -D -m644 %{SOURCE5} %{buildroot}/%{_unitdir}/rsyncd@.service + +%pre + +%preun +%systemd_preun rsyncd.service + +%post +%systemd_post rsyncd.service + +%postun +%systemd_postun_with_restart rsyncd.service + +%files +%defattr(-,root,root) +%doc tech_report.tex +%attr(0644,root,root) %doc support/* +%license COPYING +%config(noreplace) %{_sysconfdir}/*.conf +%config(noreplace) %{_sysconfdir}/sysconfig/rsyncd +%{_unitdir}/rsyncd* +%{_bindir}/rsync* +%{_bindir}/rsync + +%files help +%{_mandir}/man1/%{name}.1* +%{_mandir}/man1/%{name}-ssl.1* +%{_mandir}/man5/rsyncd.conf.5* + +%changelog +* Wed Jan 15 2025 Funda Wang <fundawang@yeah.net> - 3.2.5-4 +- fix CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, + CVE-2024-12088, CVE-2024-12747 + +* Wed Oct 9 zhoupengcheng <zhoupengcheng11@huawei.com> - 3.2.5-3 +- backport patch from upstream + +* Thu Jun 15 2023 zhoupengcheng <zhoupengcheng11@huawei.com> - 3.2.5-2 +- Type:bugfix +- CVE: +- SUG:NA +- DESC:Restrict the doc permission in rsync to 644. + +* Thu Aug 18 2022 fuanan <fuanan3@h-partners.com> - 3.2.5-1 +- Update version to 3.2.5 +- Fix CVE-2022-29154,CVE-2022-37434 + +* Fri Jun 18 2021 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 3.2.3-2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Fix CVE-2020-14387 + +* Fri Jan 22 2021 yixiangzhike <zhangxingliang3@huawei.com> - 3.2.3-1 +- Type:requirement +- ID:NA +- SUG:NA +- DESC:update to 3.2.3 + +* Tue Jul 28 2020 Liquor <lirui130@huawei.com> - 3.2.1-1 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:update to 3.2.1 + +* Fri Sep 27 2019 chengquan<chengquan3@huawei.com> - 3.1.3-6 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:fix spec rule in openeuler + +* Mon Sep 09 2019 openEuler Buildteam <buildteam@openeuler.org> - 3.1.3-5 +- Package init diff --git a/rsyncd.conf b/rsyncd.conf new file mode 100644 index 0000000..6e058aa --- /dev/null +++ b/rsyncd.conf @@ -0,0 +1,20 @@ +# /etc/rsyncd: configuration file for rsync daemon mode + +# See rsyncd.conf man page for more options. + +# configuration example: + +# uid = nobody +# gid = nobody +# use chroot = yes +# max connections = 4 +# pid file = /var/run/rsyncd.pid +# exclude = lost+found/ +# transfer logging = yes +# timeout = 900 +# ignore nonreadable = yes +# dont compress = *.gz *.tgz *.zip *.z *.Z *.rpm *.deb *.bz2 + +# [ftp] +# path = /home/ftp +# comment = ftp export area diff --git a/rsyncd.service b/rsyncd.service new file mode 100644 index 0000000..3ffecce --- /dev/null +++ b/rsyncd.service @@ -0,0 +1,10 @@ +[Unit] +Description=fast remote file copy program daemon +ConditionPathExists=/etc/rsyncd.conf + +[Service] +EnvironmentFile=/etc/sysconfig/rsyncd +ExecStart=/usr/bin/rsync --daemon --no-detach "$OPTIONS" + +[Install] +WantedBy=multi-user.target diff --git a/rsyncd.socket b/rsyncd.socket new file mode 100644 index 0000000..7306ad0 --- /dev/null +++ b/rsyncd.socket @@ -0,0 +1,10 @@ +[Unit] +Description=Rsync Server Socket +Conflicts=rsyncd.service + +[Socket] +ListenStream=873 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/rsyncd.sysconfig b/rsyncd.sysconfig new file mode 100644 index 0000000..90a5a43 --- /dev/null +++ b/rsyncd.sysconfig @@ -0,0 +1 @@ +OPTIONS="" diff --git a/rsyncd@.service b/rsyncd@.service new file mode 100644 index 0000000..89f9621 --- /dev/null +++ b/rsyncd@.service @@ -0,0 +1,8 @@ +[Unit] +Description=fast remote file copy program daemon +ConditionPathExists=/etc/rsyncd.conf + +[Service] +EnvironmentFile=/etc/sysconfig/rsyncd +ExecStart=/usr/bin/rsync --daemon --no-detach "$OPTIONS" +StandardInput=socket @@ -0,0 +1 @@ +2fd61dfd76d39098c3be6eb5d54bb633 rsync-3.2.5.tar.gz |