From 12b12b0194e714297d034cb4121624758dd0783f Mon Sep 17 00:00:00 2001
From: Michal Ruprich <mruprich@redhat.com>
Date: Mon, 26 May 2025 14:31:54 +0200
Subject: [PATCH] Resolves: RHEL-91519 - Improper Pointer Arithmetic in pcl

---
 rsync-3.1.3-cve-2025-4638.patch | 54 +++++++++++++++++++++++++++++++++
 rsync.spec                      |  8 ++++-
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 rsync-3.1.3-cve-2025-4638.patch

diff --git a/rsync-3.1.3-cve-2025-4638.patch b/rsync-3.1.3-cve-2025-4638.patch
new file mode 100644
index 0000000..3c4220f
--- /dev/null
+++ b/rsync-3.1.3-cve-2025-4638.patch
@@ -0,0 +1,54 @@
+diff --git a/zlib/inftrees.c b/zlib/inftrees.c
+index 44d89cf2..571e8100 100644
+--- a/zlib/inftrees.c
++++ b/zlib/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+     code FAR *next;             /* next available space in table */
+     const unsigned short FAR *base;     /* base value table to use */
+     const unsigned short FAR *extra;    /* extra bits table to use */
+-    int end;                    /* use base and extra for symbol > end */
++    unsigned match;             /* use base and extra for symbol >= match */
+     unsigned short count[MAXBITS+1];    /* number of codes of each length */
+     unsigned short offs[MAXBITS+1];     /* offsets in table for each length */
+     static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+     switch (type) {
+     case CODES:
+         base = extra = work;    /* dummy value--not used */
+-        end = 19;
++        match = 20;
+         break;
+     case LENS:
+         base = lbase;
+-        base -= 257;
+         extra = lext;
+-        extra -= 257;
+-        end = 256;
++        match = 257;
+         break;
+     default:            /* DISTS */
+         base = dbase;
+         extra = dext;
+-        end = -1;
++        match = 0;
+     }
+ 
+     /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+     for (;;) {
+         /* create table entry */
+         here.bits = (unsigned char)(len - drop);
+-        if ((int)(work[sym]) < end) {
++        if (work[sym] + 1u < match) {
+             here.op = (unsigned char)0;
+             here.val = work[sym];
+         }
+-        else if ((int)(work[sym]) > end) {
+-            here.op = (unsigned char)(extra[work[sym]]);
+-            here.val = base[work[sym]];
++        else if (work[sym] >= match) {
++            here.op = (unsigned char)(extra[work[sym] - match]);
++            here.val = base[work[sym] - match];
+         }
+         else {
+             here.op = (unsigned char)(32 + 64);         /* end of block */
diff --git a/rsync.spec b/rsync.spec
index d493056..8664733 100644
--- a/rsync.spec
+++ b/rsync.spec
@@ -9,7 +9,7 @@
 Summary: A program for synchronizing files over a network
 Name: rsync
 Version: 3.1.3
-Release: 21%{?dist}
+Release: 22%{?dist}
 Group: Applications/Internet
 URL: http://rsync.samba.org/
 
@@ -46,6 +46,8 @@ Patch15: rsync-3.1.3-cve-2024-12085.patch
 Patch16: rsync-3.1.3-cve-2024-12087.patch
 Patch17: rsync-3.1.3-cve-2024-12088.patch
 Patch18: rsync-3.1.3-cve-2024-12747.patch
+# a fix for CVE-2016-9840 in zlib but marked as CVE-2025-4638 for a different component
+Patch19: rsync-3.1.3-cve-2025-4638.patch
 
 %description
 Rsync uses a reliable algorithm to bring remote and host files into
@@ -102,6 +104,7 @@ patch -p1 -i patches/copy-devices.diff
 %patch16 -p1 -b .cve-2024-12087
 %patch17 -p1 -b .cve-2024-12088
 %patch18 -p1 -b .cve-2024-12747
+%patch19 -p1 -b .cve-2025-4638
 
 %build
 %configure
@@ -148,6 +151,9 @@ chmod -x support/*
 %systemd_postun_with_restart rsyncd.service
 
 %changelog
+* Mon May 26 2025 Michal Ruprich <mruprich@redhat.com> - 3.1.3-22
+- Resolves: RHEL-91519 - Improper Pointer Arithmetic in pcl
+
 * Tue Feb 04 2025 Michal Ruprich <mruprich@redhat.com> - 3.1.3-21
 - Resolves: RHEL-70207 - Path traversal vulnerability in rsync