From 4fe8d5f3ff1849ad594b311fbd0b32e80333471f Mon Sep 17 00:00:00 2001 From: Michal Ruprich Date: Mon, 22 Jun 2026 15:08:43 +0200 Subject: [PATCH] Rebase of rsync to 3.4.4 This rebase picks up fixes for multiple CVEs: CVE-2026-29518 CVE-2026-43617 CVE-2026-43618 CVE-2026-43619 CVE-2026-43620 CVE-2026-45232 I am also using this opportunity to clean the repository of patches that are no longer used. I decided to remove the prerelease tag since I never really used it in RHEL and I also removed it in Fedora recently as well. I am adding git-core as a BuildRequires to make maintenance of the package a little bit easier. python3 is also newly added because testsuite is now written in Python. None of these add new packages to our composes. I removed rsync-patches. The Upstream decided to stop the support for these and they stopped shipping it. In RHEL10 we never used any of the patches from rsync-patches anyway. Resolves: RHEL-186589 Resolves: RHEL-174931 - CVE-2026-29518 Resolves: RHEL-174947 - CVE-2026-43618 --- .gitignore | 1 + rsync-3.0.6-iconv-logging.patch | 22 - rsync-3.2.2-runtests.patch | 12 - rsync-3.4.1-cve-2025-10158.patch | 27 -- rsync-3.4.1-cve-2026-41035.patch | 32 -- rsync-3.4.1-ssh-askpass.patch | 15 - rsync-3.4.1-use-openat2.patch | 386 ------------------ ...-3.4.4-fix-cve-2026-49618-regression.patch | 23 ++ rsync-man.patch | 10 - rsync-noatime.patch | 147 ------- rsync.spec | 47 +-- sources | 3 +- 12 files changed, 39 insertions(+), 686 deletions(-) delete mode 100644 rsync-3.0.6-iconv-logging.patch delete mode 100644 rsync-3.2.2-runtests.patch delete mode 100644 rsync-3.4.1-cve-2025-10158.patch delete mode 100644 rsync-3.4.1-cve-2026-41035.patch delete mode 100644 rsync-3.4.1-ssh-askpass.patch delete mode 100644 rsync-3.4.1-use-openat2.patch create mode 100644 rsync-3.4.4-fix-cve-2026-49618-regression.patch delete mode 100644 rsync-man.patch delete mode 100644 rsync-noatime.patch diff --git a/.gitignore b/.gitignore index 19e23cd..e4aeaec 100644 --- a/.gitignore +++ b/.gitignore @@ -28,3 +28,4 @@ rsync-patches-3.0.8.tar.gz /rsync-patches-3.3.0.tar.gz /rsync-3.4.1.tar.gz /rsync-patches-3.4.1.tar.gz +/rsync-3.4.4.tar.gz diff --git a/rsync-3.0.6-iconv-logging.patch b/rsync-3.0.6-iconv-logging.patch deleted file mode 100644 index bf7d943..0000000 --- a/rsync-3.0.6-iconv-logging.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff --git a/log.c b/log.c -index 34a013b..1aca728 100644 ---- a/log.c -+++ b/log.c -@@ -377,10 +377,13 @@ output_msg: - filtered_fwrite(f, convbuf, outbuf.len, 0); - outbuf.len = 0; - } -- if (!ierrno || ierrno == E2BIG) -- continue; -- fprintf(f, "\\#%03o", CVAL(inbuf.buf, inbuf.pos++)); -- inbuf.len--; -+ /* Log one byte of illegal/incomplete sequence and continue with -+ * the next character. Check that the buffer is non-empty for the -+ * sake of robustness. */ -+ if ((ierrno == EILSEQ || ierrno == EINVAL) && inbuf.len) { -+ fprintf(f, "\\#%03o", CVAL(inbuf.buf, inbuf.pos++)); -+ inbuf.len--; -+ } - } - } else - #endif diff --git a/rsync-3.2.2-runtests.patch b/rsync-3.2.2-runtests.patch deleted file mode 100644 index 0f682e5..0000000 --- a/rsync-3.2.2-runtests.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/runtests.sh.old b/runtests.sh -index ecb383e..1cd1d1a 100755 ---- a/runtests.sh.old -+++ b/runtests.sh -@@ -276,6 +276,7 @@ do - - case "$testscript" in - *hardlinks*) TESTRUN_TIMEOUT=600 ;; -+ *default-acls*) continue ;; - *) TESTRUN_TIMEOUT=300 ;; - esac - diff --git a/rsync-3.4.1-cve-2025-10158.patch b/rsync-3.4.1-cve-2025-10158.patch deleted file mode 100644 index 6527476..0000000 --- a/rsync-3.4.1-cve-2025-10158.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 797e17fc4a6f15e3b1756538a9f812b63942686f Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Sat, 23 Aug 2025 17:26:53 +1000 -Subject: [PATCH] fixed an invalid access to files array - -this was found by Calum Hutton from Rapid7. It is a real bug, but -analysis shows it can't be leverged into an exploit. Worth fixing -though. - -Many thanks to Calum and Rapid7 for finding and reporting this ---- - sender.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/sender.c b/sender.c -index a4d46c39e..b1588b701 100644 ---- a/sender.c -+++ b/sender.c -@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out) - - if (ndx - cur_flist->ndx_start >= 0) - file = cur_flist->files[ndx - cur_flist->ndx_start]; -+ else if (cur_flist->parent_ndx < 0) -+ exit_cleanup(RERR_PROTOCOL); - else - file = dir_flist->files[cur_flist->parent_ndx]; - if (F_PATHNAME(file)) { diff --git a/rsync-3.4.1-cve-2026-41035.patch b/rsync-3.4.1-cve-2026-41035.patch deleted file mode 100644 index 9133658..0000000 --- a/rsync-3.4.1-cve-2026-41035.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 6aa7ee6ba1bd71b1b7bac7dbb351ed05c065e93d Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Wed, 22 Apr 2026 09:57:45 +1000 -Subject: [PATCH] xattrs: fixed count in qsort - -this fixes the count passed to the sort of the xattr list. This issue -was reported here: - -https://www.openwall.com/lists/oss-security/2026/04/16/2 - -the bug is not exploitable due to the fork-per-connection design of -rsync, the attack is the equivalent of the user closing the socket -themselves. ---- - xattrs.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/xattrs.c b/xattrs.c -index 26e50a6f9..65166eed9 100644 ---- a/xattrs.c -+++ b/xattrs.c -@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file) - rxa->num = num; - } - -- if (need_sort && count > 1) -- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names); -+ if (need_sort && temp_xattr.count > 1) -+ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names); - - ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */ - diff --git a/rsync-3.4.1-ssh-askpass.patch b/rsync-3.4.1-ssh-askpass.patch deleted file mode 100644 index 8941495..0000000 --- a/rsync-3.4.1-ssh-askpass.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/main.c b/main.c -index 7222a83..630ca03 100644 ---- a/main.c -+++ b/main.c -@@ -1743,7 +1743,9 @@ int main(int argc,char *argv[]) - our_gid = MY_GID(); - am_root = our_uid == ROOT_UID; - -- unset_env_var("DISPLAY"); -+ // DISPLAY should only be cleared if SSH_ASKPASS is empty -+ if (!getenv("SSH_ASKPASS")) -+ unset_env_var("DISPLAY"); - - #if defined USE_OPENSSL && defined SET_OPENSSL_CONF - #define TO_STR2(x) #x diff --git a/rsync-3.4.1-use-openat2.patch b/rsync-3.4.1-use-openat2.patch deleted file mode 100644 index e514ba3..0000000 --- a/rsync-3.4.1-use-openat2.patch +++ /dev/null @@ -1,386 +0,0 @@ -From 4fa7156ccdb2ad34b034d18fe2fd6cd79adef8a1 Mon Sep 17 00:00:00 2001 -From: Andrew Tridgell -Date: Thu, 30 Apr 2026 08:39:22 +1000 -Subject: [PATCH] syscall: use openat2(RESOLVE_BENEATH) on Linux for - secure_relative_open - -The CVE fix in commit c35e283 made secure_relative_open() walk every -component of relpath with O_NOFOLLOW. That blocks every symlink in the -path, which is stricter than the threat model required: legitimate -directory symlinks within the destination tree (e.g. when using -K / ---copy-dirlinks) are also rejected, breaking delta transfers with -"failed verification -- update discarded". See issue #715. - -On Linux 5.6+, openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS) gives -us exactly what we want: the kernel rejects any resolution that would -escape the starting directory (via "..", absolute paths, or symlinks -pointing outside dirfd) while still following symlinks that resolve -within it. /proc magic-links are blocked too. - -Use openat2 first; fall back to the existing per-component O_NOFOLLOW -walk on ENOSYS (kernel < 5.6). The lexical "../" checks at the head -of the function are kept as defense in depth. The Linux gate is -plain #ifdef __linux__: the runtime ENOSYS fallback covers the only -case that actually matters (header present + old kernel), and any -Linux build environment without linux/openat2.h will fail with a -clear "no such file" error rather than silently disabling the -protection. - -Verified manually that openat2(RESOLVE_BENEATH) blocks all four -escape patterns (absolute symlink, ../ symlink, lexical .., absolute -path) while allowing direct and within-tree symlinks. The new -testsuite/symlink-dirlink-basis.test (taken from PR #864 by Samuel -Henrique) exercises the issue #715 regression and passes; full -make check passes 47/47. - -Test: testsuite/symlink-dirlink-basis.test (8 scenarios) -Fixes: https://github.com/RsyncProject/rsync/issues/715 - -Co-Authored-By: Claude Opus 4.7 (1M context) ---- - syscall.c | 62 ++++++- - testsuite/symlink-dirlink-basis.test | 247 +++++++++++++++++++++++++++ - 2 files changed, 304 insertions(+), 5 deletions(-) - create mode 100755 testsuite/symlink-dirlink-basis.test - -diff --git a/syscall.c b/syscall.c -index ec0e0708a..66c6d29c7 100644 ---- a/syscall.c -+++ b/syscall.c -@@ -33,6 +33,11 @@ - #include - #endif - -+#ifdef __linux__ -+#include -+#include -+#endif -+ - #include "ifuncs.h" - - extern int dry_run; -@@ -720,12 +725,49 @@ int do_open_nofollow(const char *pathname, int flags) - /* - open a file relative to a base directory. The basedir can be NULL, - in which case the current working directory is used. The relpath -- must be a relative path, and the relpath must not contain any -- elements in the path which follow symlinks (ie. like O_NOFOLLOW, but -- applies to all path components, not just the last component) -- -- The relpath must also not contain any ../ elements in the path -+ must be a relative path. The kernel must guarantee that resolution -+ cannot escape basedir (or the cwd, when basedir is NULL): no ".." -+ jumps above the start, no symlinks pointing outside, no absolute -+ paths, no /proc magic-link tricks. -+ -+ Symlinks *within* basedir are followed normally — earlier rsync -+ versions rejected every symlink with O_NOFOLLOW on each component, -+ which broke legitimate directory symlinks on the receiver side -+ (https://github.com/RsyncProject/rsync/issues/715). The escape -+ prevention is handled by the kernel via openat2(RESOLVE_BENEATH) -+ on Linux 5.6+; older systems fall back to the per-component -+ O_NOFOLLOW walk below. -+ -+ The relpath must also not contain any ../ elements in the path. - */ -+ -+#ifdef __linux__ -+static int secure_relative_open_linux(const char *basedir, const char *relpath, int flags, mode_t mode) -+{ -+ struct open_how how; -+ int dirfd, retfd; -+ -+ memset(&how, 0, sizeof how); -+ how.flags = flags; -+ how.mode = mode; -+ how.resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS; -+ -+ if (basedir == NULL) { -+ dirfd = AT_FDCWD; -+ } else { -+ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY); -+ if (dirfd == -1) -+ return -1; -+ } -+ -+ retfd = syscall(SYS_openat2, dirfd, relpath, &how, sizeof how); -+ -+ if (dirfd != AT_FDCWD) -+ close(dirfd); -+ return retfd; -+} -+#endif -+ - int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) - { - if (!relpath || relpath[0] == '/') { -@@ -739,6 +781,16 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo - return -1; - } - -+#ifdef __linux__ -+ { -+ int fd = secure_relative_open_linux(basedir, relpath, flags, mode); -+ /* ENOSYS = kernel < 5.6 doesn't have the syscall even though -+ * glibc/kernel-headers do; fall through to the portable path. */ -+ if (fd != -1 || errno != ENOSYS) -+ return fd; -+ } -+#endif -+ - #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) || !defined(AT_FDCWD) - // really old system, all we can do is live with the risks - if (!basedir) { -diff --git a/testsuite/symlink-dirlink-basis.test b/testsuite/symlink-dirlink-basis.test -new file mode 100755 -index 000000000..9065dd814 ---- /dev/null -+++ b/testsuite/symlink-dirlink-basis.test -@@ -0,0 +1,247 @@ -+#!/bin/sh -+ -+# Test that updating a file through a directory symlink works when using -+# -K (--copy-dirlinks). This is a regression test for: -+# https://github.com/RsyncProject/rsync/issues/715 -+# -+# The CVE fix in commit c35e283 introduced secure_relative_open() which -+# uses O_NOFOLLOW on all path components, breaking legitimate directory -+# symlinks on the receiver side. The fix splits the path into basedir -+# (dirname, symlinks followed) and basename (O_NOFOLLOW) so that -+# directory symlinks are traversed while the final file component is -+# still protected. -+# -+# The regression only manifests when delta matching is triggered (i.e., -+# the sender finds matching blocks in the old file). Small files with -+# completely different content are transferred in full and don't trigger -+# the bug. We use a large file with a small modification to ensure -+# delta transfer is used. -+# -+# In addition to the original regression, this test covers edge cases -+# in the fix itself: -+# - --backup with directory symlinks (finish_transfer pointer identity) -+# - --partial-dir with protocol < 29 (fnamecmp != partialptr guard) -+# - --inplace with directory symlinks (updating_basis_or_equiv check) -+# - Files without a dirname (top-level files, no split needed) -+ -+. "$suitedir/rsync.fns" -+ -+RSYNC_RSH="$scratchdir/src/support/lsh.sh" -+export RSYNC_RSH -+ -+# $HOME is set to $scratchdir by rsync.fns -+# localhost: destination will cd to $HOME (i.e., $scratchdir) -+ -+# Helper: create a large file suitable for delta transfers. -+# ~32KB is large enough for rsync's block matching to find matches. -+make_testfile() { -+ dd if=/dev/urandom of="$1" bs=1024 count=32 2>/dev/null \ -+ || test_fail "failed to create test file $1" -+} -+ -+# Set up source tree -+srcbase="$tmpdir/src" -+ -+###################################################################### -+# Test 1: Basic directory symlink update (the original issue #715) -+###################################################################### -+ -+mkdir -p "$HOME/real-dir" -+ln -s real-dir "$HOME/dir" -+ -+mkdir -p "$srcbase/dir" -+make_testfile "$srcbase/dir/file" -+ -+# First transfer (initial): should create the file through the symlink -+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 1: initial transfer failed" -+ -+if [ ! -f "$HOME/real-dir/file" ]; then -+ test_fail "test 1: initial transfer did not create file through symlink" -+fi -+ -+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ -+ || test_fail "test 1: initial transfer content mismatch" -+ -+# Small modification to trigger delta transfer -+echo "appended update" >> "$srcbase/dir/file" -+sleep 1 -+touch "$srcbase/dir/file" -+ -+# Second transfer (update): was failing with "failed verification" -+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 1: update through directory symlink failed" -+ -+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ -+ || test_fail "test 1: update transfer content mismatch" -+ -+###################################################################### -+# Test 2: Compression (-z) as in the original reproducer -+###################################################################### -+ -+echo "another line" >> "$srcbase/dir/file" -+sleep 1 -+touch "$srcbase/dir/file" -+ -+(cd "$srcbase" && $RSYNC -KRlptzv --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 2: compressed update through directory symlink failed" -+ -+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ -+ || test_fail "test 2: compressed update content mismatch" -+ -+###################################################################### -+# Test 3: Nested directory symlinks (nested/sub/data.txt where -+# "nested" is a symlink to "nested_real") -+###################################################################### -+ -+mkdir -p "$HOME/nested_real/sub" -+ln -s nested_real "$HOME/nested" -+ -+mkdir -p "$srcbase/nested/sub" -+make_testfile "$srcbase/nested/sub/data.txt" -+ -+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" nested/sub/data.txt localhost:) \ -+ || test_fail "test 3: initial nested transfer failed" -+ -+echo "appended nested" >> "$srcbase/nested/sub/data.txt" -+sleep 1 -+touch "$srcbase/nested/sub/data.txt" -+ -+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" nested/sub/data.txt localhost:) \ -+ || test_fail "test 3: update through nested directory symlink failed" -+ -+diff "$srcbase/nested/sub/data.txt" "$HOME/nested_real/sub/data.txt" >/dev/null \ -+ || test_fail "test 3: nested update content mismatch" -+ -+###################################################################### -+# Test 4: --backup with directory symlinks -+# -+# Exercises the finish_transfer() "fnamecmp == fname" pointer -+# comparison that determines whether to update fnamecmp to the -+# backup name. If broken, --backup would reference a renamed file -+# for xattr handling. -+###################################################################### -+ -+# Reset destination -+rm -f "$HOME/real-dir/file" "$HOME/real-dir/file~" -+ -+make_testfile "$srcbase/dir/file" -+ -+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 4: initial transfer for backup test failed" -+ -+echo "backup update" >> "$srcbase/dir/file" -+sleep 1 -+touch "$srcbase/dir/file" -+ -+(cd "$srcbase" && $RSYNC -KRlptv --backup --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 4: update with --backup through directory symlink failed" -+ -+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ -+ || test_fail "test 4: backup update content mismatch" -+ -+if [ ! -f "$HOME/real-dir/file~" ]; then -+ test_fail "test 4: backup file was not created" -+fi -+ -+###################################################################### -+# Test 5: --inplace with directory symlinks -+# -+# Exercises the updating_basis_or_equiv check which uses -+# "fnamecmp == fname". With --inplace, rsync writes directly to -+# the destination file instead of a temp file. -+###################################################################### -+ -+rm -f "$HOME/real-dir/file" "$HOME/real-dir/file~" -+ -+make_testfile "$srcbase/dir/file" -+ -+(cd "$srcbase" && $RSYNC -KRlptv --inplace --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 5: initial inplace transfer failed" -+ -+echo "inplace update" >> "$srcbase/dir/file" -+sleep 1 -+touch "$srcbase/dir/file" -+ -+(cd "$srcbase" && $RSYNC -KRlptv --inplace --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 5: inplace update through directory symlink failed" -+ -+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ -+ || test_fail "test 5: inplace update content mismatch" -+ -+###################################################################### -+# Test 6: Top-level file (no dirname, no split needed) -+# -+# Ensures the dirname/basename split is not attempted for files -+# at the top level (file->dirname is NULL). -+###################################################################### -+ -+make_testfile "$srcbase/topfile" -+mkdir -p "$HOME" -+ -+(cd "$srcbase" && $RSYNC -Rlptv --rsync-path="$RSYNC" topfile localhost:) \ -+ || test_fail "test 6: initial top-level transfer failed" -+ -+echo "toplevel update" >> "$srcbase/topfile" -+sleep 1 -+touch "$srcbase/topfile" -+ -+(cd "$srcbase" && $RSYNC -Rlptv --rsync-path="$RSYNC" topfile localhost:) \ -+ || test_fail "test 6: top-level update failed" -+ -+diff "$srcbase/topfile" "$HOME/topfile" >/dev/null \ -+ || test_fail "test 6: top-level update content mismatch" -+ -+###################################################################### -+# Test 7: --partial-dir with protocol < 29 -+# -+# For protocol < 29, fnamecmp_type stays FNAMECMP_FNAME even when -+# fnamecmp is set to partialptr. The dirname/basename split must -+# NOT trigger in this case (guarded by "fnamecmp == fname"). -+###################################################################### -+ -+rm -f "$HOME/real-dir/file" -+make_testfile "$srcbase/dir/file" -+ -+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 --partial-dir=.rsync-partial \ -+ --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 7: initial proto28 partial-dir transfer failed" -+ -+echo "partial-dir update" >> "$srcbase/dir/file" -+sleep 1 -+touch "$srcbase/dir/file" -+ -+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 --partial-dir=.rsync-partial \ -+ --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 7: proto28 partial-dir update through dirlink failed" -+ -+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ -+ || test_fail "test 7: proto28 partial-dir update content mismatch" -+ -+###################################################################### -+# Test 8: Protocol < 29 basic directory symlink update -+# -+# Exercises the protocol < 29 code path and its fallback logic -+# (clearing basedir on retry). -+###################################################################### -+ -+rm -f "$HOME/real-dir/file" -+make_testfile "$srcbase/dir/file" -+ -+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 \ -+ --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 8: initial proto28 transfer failed" -+ -+echo "proto28 update" >> "$srcbase/dir/file" -+sleep 1 -+touch "$srcbase/dir/file" -+ -+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 \ -+ --rsync-path="$RSYNC" dir/file localhost:) \ -+ || test_fail "test 8: proto28 update through directory symlink failed" -+ -+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ -+ || test_fail "test 8: proto28 update content mismatch" -+ -+# The script would have aborted on error, so getting here means we've won. -+exit 0 diff --git a/rsync-3.4.4-fix-cve-2026-49618-regression.patch b/rsync-3.4.4-fix-cve-2026-49618-regression.patch new file mode 100644 index 0000000..2c314f9 --- /dev/null +++ b/rsync-3.4.4-fix-cve-2026-49618-regression.patch @@ -0,0 +1,23 @@ +diff --git a/token.c b/token.c +index f910f74..cafc379 100644 +--- a/token.c ++++ b/token.c +@@ -292,14 +292,10 @@ static int32 simple_recv_token(int f, char **data) + int32 i = read_int(f); + if (i <= 0) + return i; +- /* simple_send_token caps each literal chunk at CHUNK_SIZE; +- * reject anything larger so a hostile peer cannot drive the +- * read_buf below past our static CHUNK_SIZE buffer. */ +- if (i > CHUNK_SIZE) { +- rprintf(FERROR, "invalid uncompressed token length %ld [%s]\n", +- (long)i, who_am_i()); +- exit_cleanup(RERR_PROTOCOL); +- } ++ /* A literal run may exceed CHUNK_SIZE: some peers (e.g. the ++ * acrosync library) use a 64k block size. The loop below reads ++ * the run CHUNK_SIZE bytes at a time, so read_buf never writes ++ * past the static CHUNK_SIZE buffer regardless of i. */ + residue = i; + } + diff --git a/rsync-man.patch b/rsync-man.patch deleted file mode 100644 index 36ddc53..0000000 --- a/rsync-man.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- rsync-3.0.9/rsync.1 2011-09-23 18:42:26.000000000 +0200 -+++ rsync-3.0.9/rsync.1 2012-09-19 10:40:19.698802861 +0200 -@@ -445,6 +445,7 @@ - \-o, \-\-owner preserve owner (super\-user only) - \-g, \-\-group preserve group - \-\-devices preserve device files (super\-user only) -+ \-\-copy-devices copy device contents as regular file - \-\-specials preserve special files - \-D same as \-\-devices \-\-specials - \-t, \-\-times preserve modification times diff --git a/rsync-noatime.patch b/rsync-noatime.patch deleted file mode 100644 index 85626ef..0000000 --- a/rsync-noatime.patch +++ /dev/null @@ -1,147 +0,0 @@ -Optionally preserve atimes. - -Based on https://bugzilla.samba.org/show_bug.cgi?id=7249#c1 by Nicolas George. - -Index: rsync-3.1.0/options.c -=================================================================== ---- rsync-3.1.0.orig/options.c -+++ rsync-3.1.0/options.c -@@ -125,6 +125,7 @@ int delay_updates = 0; - long block_size = 0; /* "long" because popt can't set an int32. */ - char *skip_compress = NULL; - item_list dparam_list = EMPTY_ITEM_LIST; -+int noatime = 0; - - /** Network address family. **/ - int default_af_hint -@@ -802,6 +803,7 @@ void usage(enum logcode F) - rprintf(F," --iconv=CONVERT_SPEC request charset conversion of filenames\n"); - #endif - rprintf(F," --checksum-seed=NUM set block/file checksum seed (advanced)\n"); -+ rprintf(F," --noatime do not alter atime when opening source files\n"); - rprintf(F," -4, --ipv4 prefer IPv4\n"); - rprintf(F," -6, --ipv6 prefer IPv6\n"); - rprintf(F," --version print version number\n"); -@@ -1019,6 +1021,7 @@ static struct poptOption long_options[] - {"iconv", 0, POPT_ARG_STRING, &iconv_opt, 0, 0, 0 }, - {"no-iconv", 0, POPT_ARG_NONE, 0, OPT_NO_ICONV, 0, 0 }, - #endif -+ {"noatime", 0, POPT_ARG_VAL, &noatime, 1, 0, 0 }, - {"ipv4", '4', POPT_ARG_VAL, &default_af_hint, AF_INET, 0, 0 }, - {"ipv6", '6', POPT_ARG_VAL, &default_af_hint, AF_INET6, 0, 0 }, - {"8-bit-output", '8', POPT_ARG_VAL, &allow_8bit_chars, 1, 0, 0 }, -@@ -2739,6 +2742,12 @@ void server_options(char **args, int *ar - if (preallocate_files && am_sender) - args[ac++] = "--preallocate"; - -+ /* -+ * Do we want remote atime preservation when we preserve local ones? -+ if (noatime) -+ args[ac++] = "--noatime"; -+ */ -+ - if (ac > MAX_SERVER_ARGS) { /* Not possible... */ - rprintf(FERROR, "argc overflow in server_options().\n"); - exit_cleanup(RERR_MALLOC); -Index: rsync-3.1.0/rsync.yo -=================================================================== ---- rsync-3.1.0.orig/rsync.yo -+++ rsync-3.1.0/rsync.yo -@@ -454,6 +454,7 @@ to the detailed description below for a - --protocol=NUM force an older protocol version to be used - --iconv=CONVERT_SPEC request charset conversion of filenames - --checksum-seed=NUM set block/file checksum seed (advanced) -+ --noatime do not alter atime when opening source files - -4, --ipv4 prefer IPv4 - -6, --ipv6 prefer IPv6 - --version print version number -@@ -2543,6 +2544,13 @@ daemon uses the charset specified in its - regardless of the remote charset you actually pass. Thus, you may feel free to - specify just the local charset for a daemon transfer (e.g. bf(--iconv=utf8)). - -+dit(bf(--noatime)) Use the O_NOATIME open flag on systems that support it. -+The effect of this flag is to avoid altering the access time (atime) of the -+opened files. -+If the system does not support the O_NOATIME flag, this option does nothing. -+Currently, systems known to support O_NOATIME are Linux >= 2.6.8 with glibc -+>= 2.3.4. -+ - dit(bf(-4, --ipv4) or bf(-6, --ipv6)) Tells rsync to prefer IPv4/IPv6 - when creating sockets. This only affects sockets that rsync has direct - control over, such as the outgoing socket when directly contacting an -diff --git a/syscall.c b/syscall.c -index c46a8b4..6620563 100644 ---- a/syscall.c -+++ b/syscall.c -@@ -42,6 +42,7 @@ extern int inplace; - extern int preallocate_files; - extern int preserve_perms; - extern int preserve_executability; -+extern int noatime; - - #ifndef S_BLKSIZE - # if defined hpux || defined __hpux__ || defined __hpux -@@ -189,6 +190,10 @@ int do_open(const char *pathname, int fl - RETURN_ERROR_IF(dry_run, 0); - RETURN_ERROR_IF_RO_OR_LO; - } -+#ifdef O_NOATIME -+ if (noatime) -+ flags |= O_NOATIME; -+#endif - - return open(pathname, flags | O_BINARY, mode); - } -Index: rsync/tls.c -=================================================================== ---- rsync.orig/tls.c -+++ rsync/tls.c -@@ -53,6 +53,7 @@ int preserve_perms = 0; - int preserve_executability = 0; - int preallocate_files = 0; - int inplace = 0; -+int noatime = 0; - - #ifdef SUPPORT_XATTRS - -Index: rsync/t_unsafe.c -=================================================================== ---- rsync.orig/t_unsafe.c -+++ rsync/t_unsafe.c -@@ -33,6 +33,10 @@ int preserve_perms = 0; - int preserve_executability = 0; - short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG]; - -+/* This is to make syscall.o shut up. */ -+int noatime = 0; -+ -+ - int - main(int argc, char **argv) - { -Index: rsync/wildtest.c -=================================================================== ---- rsync.orig/wildtest.c -+++ rsync/wildtest.c -@@ -32,6 +32,9 @@ int fnmatch_errors = 0; - - int wildmatch_errors = 0; - -+/* This is to make syscall.o shut up. */ -+int noatime = 0; -+ - typedef char bool; - - int output_iterations = 0; -Index: rsync/trimslash.c -=================================================================== ---- rsync.orig/trimslash.c -+++ rsync/trimslash.c -@@ -30,6 +30,7 @@ int preserve_perms = 0; - int preserve_executability = 0; - int preallocate_files = 0; - int inplace = 0; -+int noatime = 0; - - int - main(int argc, char **argv) diff --git a/rsync.spec b/rsync.spec index 1ff19ad..f20cdc2 100644 --- a/rsync.spec +++ b/rsync.spec @@ -1,19 +1,12 @@ %global _hardened_build 1 -%define isprerelease 0 - -%if %isprerelease -%define prerelease pre3 -%endif - Summary: A program for synchronizing files over a network Name: rsync -Version: 3.4.1 -Release: 6%{?prerelease}%{?dist} +Version: 3.4.4 +Release: 1%{?dist} URL: https://rsync.samba.org/ -Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz -Source1: https://download.samba.org/pub/rsync/src/rsync-patches-%{version}%{?prerelease}.tar.gz +Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}.tar.gz Source2: rsyncd.socket Source3: rsyncd.service Source4: rsyncd.conf @@ -31,6 +24,8 @@ BuildRequires: systemd BuildRequires: lz4-devel BuildRequires: openssl-devel BuildRequires: libzstd-devel +BuildRequires: git-core +BuildRequires: %{__python3} %if ! 0%{?rhel} >= 10 BuildRequires: xxhash-devel %endif @@ -42,14 +37,10 @@ Provides: bundled(zlib) = 1.2.8 #mentioned here as well. License: GPL-3.0-or-later -Patch1: rsync-3.2.2-runtests.patch # creating rrsync.1.md would require commonmark, we copy it instead -Patch2: rsync-3.4.1-rrsync-man.patch -Patch3: rsync-3.4.1-ssh-askpass.patch -Patch4: rsync-3.4.1-cve-2025-10158.patch -Patch5: rsync-3.4.1-cve-2026-41035.patch -# https://github.com/RsyncProject/rsync/commit/4fa7156ccdb2ad34b034d18fe2fd6cd79adef8a1 -Patch6: rsync-3.4.1-use-openat2.patch +Patch1: rsync-3.4.1-rrsync-man.patch +# https://github.com/RsyncProject/rsync/commit/11e3e239 +Patch2: rsync-3.4.4-fix-cve-2026-49618-regression.patch %description Rsync uses a reliable algorithm to bring remote and host files into @@ -79,22 +70,7 @@ This subpackage provides rrsync script and its manpage. rrsync may be used to setup a restricted rsync users via ssh logins. %prep -# TAG: for pre versions use - -%if %isprerelease -%setup -q -n rsync-%{version}%{?prerelease} -%setup -q -b 1 -n rsync-%{version}%{?prerelease} -%else -%setup -q -%setup -q -b 1 -%endif - -%patch 1 -p1 -b .runtests -%patch 2 -p1 -b .rrsync -%patch 3 -p1 -b .ssh-askpass -%patch 4 -p1 -b .cve-2025-10158 -%patch 5 -p1 -b .cve-2026-41035 -%patch 6 -p1 -b .use-openat2 +%autosetup -S git %build %configure \ @@ -152,6 +128,11 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service %systemd_postun_with_restart rsyncd.service %changelog +* Mon Jun 22 2026 Michal Ruprich - 3.4.4-1 +- Resolves: RHEL-186589 - Rebase rsync to version 3.4.4 +- Resolves: RHEL-174931 - TOCTOU symlink race condition (CVE-2026-29518) +- Resolves: RHEL-174947 - Memory disclosure via int overflow (CVE-2026-43618) + * Tue May 12 2026 Michal Ruprich - 3.4.1-6 - Resolves: RHEL-172276 - Fix regression introduced with CVE-2024-12086 fix diff --git a/sources b/sources index 818375d..ecd3772 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (rsync-3.4.1.tar.gz) = a3ecde4843ddb795308dca88581b868ac0221eb6f88a1477d7a9a2ecb4e4686042966bdddbab40866f90a4715d3104daa7b83222ddf0f3387b796a86bde8e5c2 -SHA512 (rsync-patches-3.4.1.tar.gz) = 0a2439f43e53cef028e5c0a25bd20fd308e6094af36e6d1109e9b5149035ce9c650d4cac7e7523671b4c3e8d6d6c68e40445dd0d8ae9adbc19771aba0831ed33 +SHA512 (rsync-3.4.4.tar.gz) = cf9a838b1f019b70fd67fa2c293f267be3f24e579c2ea33177ec7afc502c97ce0b613ff0854088c0eb28acd14ee0a75706ae8445115cef4669bd586c505d8453