From 2c6e551b2ea16a223785d799d201d1d98541a8e3 Mon Sep 17 00:00:00 2001
From: Michal Ruprich
Date: Fri, 17 Jan 2025 13:46:49 +0100
Subject: [PATCH] New version 3.4.1
Resolves: RHEL-70151 - Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling
Resolves: RHEL-70159 - Info Leak via Uninitialized Stack Contents
Resolves: RHEL-70203 - rsync server leaks arbitrary client files
Resolves: RHEL-72500 - Path traversal vulnerability in rsync
Resolves: RHEL-72501 - --safe-links option bypass leads to path traversal
Resolves: RHEL-71658 - Race Condition in rsync Handling Symbolic Links
Resolves: RHEL-71293 - Build rsync with --with-rrsync
---
 .gitignore | 2 ++
 rsync-3.4.1-rrsync-man.patch | 23 +++++++++++++++++++++++
 rsync.spec | 22 +++++++++++++++++++---
 sources | 4 ++--
 4 files changed, 46 insertions(+), 5 deletions(-)
 create mode 100644 rsync-3.4.1-rrsync-man.patch
diff --git a/.gitignore b/.gitignore
index e6c8d7e..19e23cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,5 @@ rsync-patches-3.0.8.tar.gz
 /rsync-patches-3.2.7.tar.gz
 /rsync-3.3.0.tar.gz
 /rsync-patches-3.3.0.tar.gz
+/rsync-3.4.1.tar.gz
+/rsync-patches-3.4.1.tar.gz
diff --git a/rsync-3.4.1-rrsync-man.patch b/rsync-3.4.1-rrsync-man.patch
new file mode 100644
index 0000000..56a4fee
--- /dev/null
+++ b/rsync-3.4.1-rrsync-man.patch
@@ -0,0 +1,23 @@
+diff --git a/Makefile.in b/Makefile.in
+index 3cde955..06232f1 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -106,6 +106,9 @@ rsync$(EXEEXT): $(OBJS)
+ rrsync: support/rrsync
+ cp -p $(srcdir)/support/rrsync rrsync
+
++rrsync.1.md: support/rrsync.1.md
++ cp -p $(srcdir)/support/rrsync.1.md rrsync.1.md
++
+ $(OBJS): $(HEADERS)
+ $(CHECK_OBJS): $(HEADERS)
+ tls.o xattrs.o: lib/sysxattrs.h
+@@ -269,7 +269,7 @@ rsyncd.conf.5: rsyncd.conf.5.md md-convert version.h Makefile
+ @$(srcdir)/maybe-make-man rsyncd.conf.5.md
+
+ rrsync.1: support/rrsync.1.md md-convert Makefile
+- @$(srcdir)/maybe-make-man support/rrsync.1.md
++ @$(srcdir)/maybe-make-man rrsync.1.md
+
+ .PHONY: clean
+ clean: cleantests
diff --git a/rsync.spec b/rsync.spec
index 30ba7ed..6aa1bb0 100644
--- a/rsync.spec
+++ b/rsync.spec
@@ -8,8 +8,8 @@ Summary: A program for synchronizing files over a network
 Name: rsync
-Version: 3.3.0
-Release: 6%{?prerelease}%{?dist}
+Version: 3.4.1
+Release: 1%{?prerelease}%{?dist}
 URL: https://rsync.samba.org/
 Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz
@@ -43,6 +43,8 @@ Provides: bundled(zlib) = 1.2.8
 License: GPL-3.0-or-later
 Patch1: rsync-3.2.2-runtests.patch
+# creating rrsync.1.md would require commonmark, we copy it instead
+Patch2: rsync-3.4.1-rrsync-man.patch
 %description
 Rsync uses a reliable algorithm to bring remote and host files into
@@ -75,6 +77,7 @@ package provides the anonymous rsync service.
 #%patch0 -p1 -b .verify-hostname
 %patch 1 -p1 -b .runtests
+%patch 2 -p1 -b .rrsync
 %build
 %configure \
@@ -84,7 +87,8 @@ package provides the anonymous rsync service.
 %endif
 --enable-zstd \
 --enable-lz4 \
- --enable-ipv6
+ --enable-ipv6 \
+ --with-rrsync
 %{make_build}
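Review bot: In the embedded Makefile.in patch, the `rrsync.1` rule still lists `support/rrsync.1.md` as its prerequisite while its recipe now reads `rrsync.1.md`. Nothing visible in the hunk makes the new `rrsync.1.md` copy rule a prerequisite of any target. Unless a rule outside the hunk pulls it in, make has no reason to run the copy before `maybe-make-man`, and the ordering is not guaranteed under `make -j`. I would change the rule header to `rrsync.1: rrsync.1.md md-convert Makefile` so the copy becomes part of the dependency graph.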
@@ -105,8 +109,10 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service
 %license COPYING
 %doc support/ tech_report.tex
 %{_bindir}/%{name}
+%{_bindir}/r%{name}
 %{_bindir}/%{name}-ssl
 %{_mandir}/man1/%{name}.1*
+%{_mandir}/man1/r%{name}.1*
 %{_mandir}/man1/%{name}-ssl.1*
 %{_mandir}/man5/rsyncd.conf.5*
 %config(noreplace) %{_sysconfdir}/rsyncd.conf
@@ -127,6 +133,16 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service
 %systemd_postun_with_restart rsyncd.service
 %changelog
+* Wed Jan 15 2025 Michal Ruprich - 3.4.1-1
+- New version 3.4.1
+- Resolves: RHEL-70151 - Heap Buffer Overflow in Rsync due to Improper Checksum Length Handling
+- Resolves: RHEL-70159 - Info Leak via Uninitialized Stack Contents
+- Resolves: RHEL-70203 - rsync server leaks arbitrary client files
+- Resolves: RHEL-72500 - Path traversal vulnerability in rsync
+- Resolves: RHEL-72501 - --safe-links option bypass leads to path traversal
+- Resolves: RHEL-71658 - Race Condition in rsync Handling Symbolic Links
+- Resolves: RHEL-71293 - Build rsync with --with-rrsync
+
 * Tue Oct 29 2024 Troy Dawson - 3.3.0-6
 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018
diff --git a/sources b/sources
index 89d992f..818375d 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (rsync-3.3.0.tar.gz) = df5c53bc2f2b0e7e30f475903e5e4296dc2fbcf08e9ea6c3c61462d0e52b067c27e82deeb4be79102c86e9aa55a825182e126f22df44dabf5b7328acb2a01d10
-SHA512 (rsync-patches-3.3.0.tar.gz) = f82aac81865fca1bf9dbc5964cc18a084029d8bca232d56f07a598a67eaa9cb01c3293c3a491d2147b9b14a51a4008c85ce0091bcae42e5776a5ffeebb84da11
+SHA512 (rsync-3.4.1.tar.gz) = a3ecde4843ddb795308dca88581b868ac0221eb6f88a1477d7a9a2ecb4e4686042966bdddbab40866f90a4715d3104daa7b83222ddf0f3387b796a86bde8e5c2
+SHA512 (rsync-patches-3.4.1.tar.gz) = 0a2439f43e53cef028e5c0a25bd20fd308e6094af36e6d1109e9b5149035ce9c650d4cac7e7523671b4c3e8d6d6c68e40445dd0d8ae9adbc19771aba0831ed33
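Review bot: In the `%files` hunk (-105,8 +109,10), the unchanged `%doc support/` line still packages the whole support directory, so with `%{_bindir}/r%{name}` added rrsync would ship twice: on the binary path and as a documentation copy. rrsync is commonly used as an SSH forced command to restrict what a key may do, so the spec should say which path is the supported one. I would add a comment such as `# rrsync is installed to %%{_bindir}; the copy under %%doc support/ is kept for reference only`, or exclude the script from the doc set. Whether other files in support/ must stay as docs is not visible in this hunk.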