From 205b34f3e79278687851d8a88df9a7491ca004ff Mon Sep 17 00:00:00 2001 From: Michal Ruprich Date: Wed, 6 May 2026 12:35:11 +0200 Subject: [PATCH] Fix use-after-free in xattr qsort count The upstream fix corrects the count parameter passed to qsort when sorting the xattr list in receive_xattr(). The variable 'count' could diverge from temp_xattr.count, leading to incorrect sort bounds. [CVE: cve-2026-41035] Upstream patches: - https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c Resolves: RHEL-169141 This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent. Assisted-by: Ymir --- rsync-3.1.3-cve-2026-41035.patch | 15 +++++++++++++++ rsync.spec | 8 +++++++- 2 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 rsync-3.1.3-cve-2026-41035.patch diff --git a/rsync-3.1.3-cve-2026-41035.patch b/rsync-3.1.3-cve-2026-41035.patch new file mode 100644 index 0000000..151bc6a --- /dev/null +++ b/rsync-3.1.3-cve-2026-41035.patch @@ -0,0 +1,15 @@ +diff --git a/xattrs.c b/xattrs.c +index f732fb15..b1b4217e 100644 +--- a/xattrs.c ++++ b/xattrs.c +@@ -917,8 +917,8 @@ void receive_xattr(int f, struct file_struct *file) + rxa->num = num; + } + +- if (need_sort && count > 1) +- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names); ++ if (need_sort && temp_xattr.count > 1) ++ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names); + + ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */ + diff --git a/rsync.spec b/rsync.spec index a5b9213..ad94c24 100644 --- a/rsync.spec +++ b/rsync.spec @@ -9,7 +9,7 @@ Summary: A program for synchronizing files over a network Name: rsync Version: 3.1.3 -Release: 24%{?dist} +Release: 25%{?dist} Group: Applications/Internet URL: http://rsync.samba.org/ @@ -50,6 +50,8 @@ Patch18: rsync-3.1.3-cve-2024-12747.patch Patch19: rsync-3.1.3-cve-2025-4638.patch Patch20: rsync-3.1.3-trust-sender.patch Patch21: rsync-3.1.3-cve-2025-10158.patch +# https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c +Patch22: rsync-3.1.3-cve-2026-41035.patch %description Rsync uses a reliable algorithm to bring remote and host files into @@ -109,6 +111,7 @@ patch -p1 -i patches/copy-devices.diff %patch19 -p1 -b .cve-2025-4638 %patch20 -p1 -b .trust-sender %patch21 -p1 -b .cve-2025-10158 +%patch22 -p1 -b .cve-2026-41035 %build %configure @@ -155,6 +158,9 @@ chmod -x support/* %systemd_postun_with_restart rsyncd.service %changelog +* Tue May 05 2026 Michal Ruprich - 3.1.3-25 +- Resolves: RHEL-169141 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling + * Wed Mar 11 2026 Michal Ruprich - 3.1.3-24 - Resolves: RHEL-152887 - CVE-2025-10158 - Out of bounds array access via negative index