Resolves: RHEL-91519 - Improper Pointer Arithmetic in pcl

2025-05-26 14:31:54 +02:00 · 2025-05-26 14:31:54 +02:00 · 12b12b0194
commit 12b12b0194
parent 896893c93a
2 changed files with 61 additions and 1 deletions
--- a/rsync-3.1.3-cve-2025-4638.patch
+++ b/rsync-3.1.3-cve-2025-4638.patch
@ -0,0 +1,54 @@
+diff --git a/zlib/inftrees.c b/zlib/inftrees.c
+index 44d89cf2..571e8100 100644
+--- a/zlib/inftrees.c
+++ b/zlib/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+     code FAR *next;             /* next available space in table */
+     const unsigned short FAR *base;     /* base value table to use */
+     const unsigned short FAR *extra;    /* extra bits table to use */
+-    int end;                    /* use base and extra for symbol > end */
+    unsigned match;             /* use base and extra for symbol >= match */
+     unsigned short count[MAXBITS+1];    /* number of codes of each length */
+     unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
+     static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+     switch (type) {
+     case CODES:
+         base = extra = work;    /* dummy value--not used */
+-        end = 19;
+        match = 20;
+         break;
+     case LENS:
+         base = lbase;
+-        base -= 257;
+         extra = lext;
+-        extra -= 257;
+-        end = 256;
+        match = 257;
+         break;
+     default:            /* DISTS */
+         base = dbase;
+         extra = dext;
+-        end = -1;
+        match = 0;
+     }
+ 
+     /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+     for (;;) {
+         /* create table entry */
+         here.bits = (unsigned char)(len - drop);
+-        if ((int)(work[sym]) < end) {
+        if (work[sym] + 1u < match) {
+             here.op = (unsigned char)0;
+             here.val = work[sym];
+         }
+-        else if ((int)(work[sym]) > end) {
+-            here.op = (unsigned char)(extra[work[sym]]);
+-            here.val = base[work[sym]];
+        else if (work[sym] >= match) {
+            here.op = (unsigned char)(extra[work[sym] - match]);
+            here.val = base[work[sym] - match];
+         }
+         else {
+             here.op = (unsigned char)(32 + 64);         /* end of block */
--- a/rsync.spec
+++ b/rsync.spec
@ -9,7 +9,7 @@
 Summary: A program for synchronizing files over a network
 Name: rsync
 Version: 3.1.3
-Release: 21%{?dist}
+Release: 22%{?dist}
 Group: Applications/Internet
 URL: http://rsync.samba.org/

@ -46,6 +46,8 @@ Patch15: rsync-3.1.3-cve-2024-12085.patch
 Patch16: rsync-3.1.3-cve-2024-12087.patch
 Patch17: rsync-3.1.3-cve-2024-12088.patch
 Patch18: rsync-3.1.3-cve-2024-12747.patch
+# a fix for CVE-2016-9840 in zlib but marked as CVE-2025-4638 for a different component
+Patch19: rsync-3.1.3-cve-2025-4638.patch

 %description
 Rsync uses a reliable algorithm to bring remote and host files into
@ -102,6 +104,7 @@ patch -p1 -i patches/copy-devices.diff
 %patch16 -p1 -b .cve-2024-12087
 %patch17 -p1 -b .cve-2024-12088
 %patch18 -p1 -b .cve-2024-12747
+%patch19 -p1 -b .cve-2025-4638

 %build
 %configure
@ -148,6 +151,9 @@ chmod -x support/*
 %systemd_postun_with_restart rsyncd.service

 %changelog
+* Mon May 26 2025 Michal Ruprich <mruprich@redhat.com> - 3.1.3-22
+- Resolves: RHEL-91519 - Improper Pointer Arithmetic in pcl
+
 * Tue Feb 04 2025 Michal Ruprich <mruprich@redhat.com> - 3.1.3-21
 - Resolves: RHEL-70207 - Path traversal vulnerability in rsync