import UBI rsync-3.4.4-1.el10_2
This commit is contained in:
AlmaLinux RelEng Bot
parent
68b92a7088
commit
c0c8fb33a8
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,2 +1 @@
|
||||
rsync-3.4.1.tar.gz
|
||||
rsync-patches-3.4.1.tar.gz
|
||||
rsync-3.4.4.tar.gz
|
||||
|
||||
@ -1,12 +0,0 @@
|
||||
diff --git a/runtests.sh.old b/runtests.sh
|
||||
index ecb383e..1cd1d1a 100755
|
||||
--- a/runtests.sh.old
|
||||
+++ b/runtests.sh
|
||||
@@ -276,6 +276,7 @@ do
|
||||
|
||||
case "$testscript" in
|
||||
*hardlinks*) TESTRUN_TIMEOUT=600 ;;
|
||||
+ *default-acls*) continue ;;
|
||||
*) TESTRUN_TIMEOUT=300 ;;
|
||||
esac
|
||||
|
||||
@ -1,27 +0,0 @@
|
||||
From 797e17fc4a6f15e3b1756538a9f812b63942686f Mon Sep 17 00:00:00 2001
|
||||
From: Andrew Tridgell <andrew@tridgell.net>
|
||||
Date: Sat, 23 Aug 2025 17:26:53 +1000
|
||||
Subject: [PATCH] fixed an invalid access to files array
|
||||
|
||||
this was found by Calum Hutton from Rapid7. It is a real bug, but
|
||||
analysis shows it can't be leverged into an exploit. Worth fixing
|
||||
though.
|
||||
|
||||
Many thanks to Calum and Rapid7 for finding and reporting this
|
||||
---
|
||||
sender.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/sender.c b/sender.c
|
||||
index a4d46c39e..b1588b701 100644
|
||||
--- a/sender.c
|
||||
+++ b/sender.c
|
||||
@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
|
||||
|
||||
if (ndx - cur_flist->ndx_start >= 0)
|
||||
file = cur_flist->files[ndx - cur_flist->ndx_start];
|
||||
+ else if (cur_flist->parent_ndx < 0)
|
||||
+ exit_cleanup(RERR_PROTOCOL);
|
||||
else
|
||||
file = dir_flist->files[cur_flist->parent_ndx];
|
||||
if (F_PATHNAME(file)) {
|
||||
@ -1,32 +0,0 @@
|
||||
From 6aa7ee6ba1bd71b1b7bac7dbb351ed05c065e93d Mon Sep 17 00:00:00 2001
|
||||
From: Andrew Tridgell <andrew@tridgell.net>
|
||||
Date: Wed, 22 Apr 2026 09:57:45 +1000
|
||||
Subject: [PATCH] xattrs: fixed count in qsort
|
||||
|
||||
this fixes the count passed to the sort of the xattr list. This issue
|
||||
was reported here:
|
||||
|
||||
https://www.openwall.com/lists/oss-security/2026/04/16/2
|
||||
|
||||
the bug is not exploitable due to the fork-per-connection design of
|
||||
rsync, the attack is the equivalent of the user closing the socket
|
||||
themselves.
|
||||
---
|
||||
xattrs.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/xattrs.c b/xattrs.c
|
||||
index 26e50a6f9..65166eed9 100644
|
||||
--- a/xattrs.c
|
||||
+++ b/xattrs.c
|
||||
@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file)
|
||||
rxa->num = num;
|
||||
}
|
||||
|
||||
- if (need_sort && count > 1)
|
||||
- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names);
|
||||
+ if (need_sort && temp_xattr.count > 1)
|
||||
+ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names);
|
||||
|
||||
ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */
|
||||
|
||||
@ -1,15 +0,0 @@
|
||||
diff --git a/main.c b/main.c
|
||||
index 7222a83..630ca03 100644
|
||||
--- a/main.c
|
||||
+++ b/main.c
|
||||
@@ -1743,7 +1743,9 @@ int main(int argc,char *argv[])
|
||||
our_gid = MY_GID();
|
||||
am_root = our_uid == ROOT_UID;
|
||||
|
||||
- unset_env_var("DISPLAY");
|
||||
+ // DISPLAY should only be cleared if SSH_ASKPASS is empty
|
||||
+ if (!getenv("SSH_ASKPASS"))
|
||||
+ unset_env_var("DISPLAY");
|
||||
|
||||
#if defined USE_OPENSSL && defined SET_OPENSSL_CONF
|
||||
#define TO_STR2(x) #x
|
||||
@ -1,386 +0,0 @@
|
||||
From 4fa7156ccdb2ad34b034d18fe2fd6cd79adef8a1 Mon Sep 17 00:00:00 2001
|
||||
From: Andrew Tridgell <andrew@tridgell.net>
|
||||
Date: Thu, 30 Apr 2026 08:39:22 +1000
|
||||
Subject: [PATCH] syscall: use openat2(RESOLVE_BENEATH) on Linux for
|
||||
secure_relative_open
|
||||
|
||||
The CVE fix in commit c35e283 made secure_relative_open() walk every
|
||||
component of relpath with O_NOFOLLOW. That blocks every symlink in the
|
||||
path, which is stricter than the threat model required: legitimate
|
||||
directory symlinks within the destination tree (e.g. when using -K /
|
||||
--copy-dirlinks) are also rejected, breaking delta transfers with
|
||||
"failed verification -- update discarded". See issue #715.
|
||||
|
||||
On Linux 5.6+, openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS) gives
|
||||
us exactly what we want: the kernel rejects any resolution that would
|
||||
escape the starting directory (via "..", absolute paths, or symlinks
|
||||
pointing outside dirfd) while still following symlinks that resolve
|
||||
within it. /proc magic-links are blocked too.
|
||||
|
||||
Use openat2 first; fall back to the existing per-component O_NOFOLLOW
|
||||
walk on ENOSYS (kernel < 5.6). The lexical "../" checks at the head
|
||||
of the function are kept as defense in depth. The Linux gate is
|
||||
plain #ifdef __linux__: the runtime ENOSYS fallback covers the only
|
||||
case that actually matters (header present + old kernel), and any
|
||||
Linux build environment without linux/openat2.h will fail with a
|
||||
clear "no such file" error rather than silently disabling the
|
||||
protection.
|
||||
|
||||
Verified manually that openat2(RESOLVE_BENEATH) blocks all four
|
||||
escape patterns (absolute symlink, ../ symlink, lexical .., absolute
|
||||
path) while allowing direct and within-tree symlinks. The new
|
||||
testsuite/symlink-dirlink-basis.test (taken from PR #864 by Samuel
|
||||
Henrique) exercises the issue #715 regression and passes; full
|
||||
make check passes 47/47.
|
||||
|
||||
Test: testsuite/symlink-dirlink-basis.test (8 scenarios)
|
||||
Fixes: https://github.com/RsyncProject/rsync/issues/715
|
||||
|
||||
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||||
---
|
||||
syscall.c | 62 ++++++-
|
||||
testsuite/symlink-dirlink-basis.test | 247 +++++++++++++++++++++++++++
|
||||
2 files changed, 304 insertions(+), 5 deletions(-)
|
||||
create mode 100755 testsuite/symlink-dirlink-basis.test
|
||||
|
||||
diff --git a/syscall.c b/syscall.c
|
||||
index ec0e0708a..66c6d29c7 100644
|
||||
--- a/syscall.c
|
||||
+++ b/syscall.c
|
||||
@@ -33,6 +33,11 @@
|
||||
#include <sys/syscall.h>
|
||||
#endif
|
||||
|
||||
+#ifdef __linux__
|
||||
+#include <sys/syscall.h>
|
||||
+#include <linux/openat2.h>
|
||||
+#endif
|
||||
+
|
||||
#include "ifuncs.h"
|
||||
|
||||
extern int dry_run;
|
||||
@@ -720,12 +725,49 @@ int do_open_nofollow(const char *pathname, int flags)
|
||||
/*
|
||||
open a file relative to a base directory. The basedir can be NULL,
|
||||
in which case the current working directory is used. The relpath
|
||||
- must be a relative path, and the relpath must not contain any
|
||||
- elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
|
||||
- applies to all path components, not just the last component)
|
||||
-
|
||||
- The relpath must also not contain any ../ elements in the path
|
||||
+ must be a relative path. The kernel must guarantee that resolution
|
||||
+ cannot escape basedir (or the cwd, when basedir is NULL): no ".."
|
||||
+ jumps above the start, no symlinks pointing outside, no absolute
|
||||
+ paths, no /proc magic-link tricks.
|
||||
+
|
||||
+ Symlinks *within* basedir are followed normally — earlier rsync
|
||||
+ versions rejected every symlink with O_NOFOLLOW on each component,
|
||||
+ which broke legitimate directory symlinks on the receiver side
|
||||
+ (https://github.com/RsyncProject/rsync/issues/715). The escape
|
||||
+ prevention is handled by the kernel via openat2(RESOLVE_BENEATH)
|
||||
+ on Linux 5.6+; older systems fall back to the per-component
|
||||
+ O_NOFOLLOW walk below.
|
||||
+
|
||||
+ The relpath must also not contain any ../ elements in the path.
|
||||
*/
|
||||
+
|
||||
+#ifdef __linux__
|
||||
+static int secure_relative_open_linux(const char *basedir, const char *relpath, int flags, mode_t mode)
|
||||
+{
|
||||
+ struct open_how how;
|
||||
+ int dirfd, retfd;
|
||||
+
|
||||
+ memset(&how, 0, sizeof how);
|
||||
+ how.flags = flags;
|
||||
+ how.mode = mode;
|
||||
+ how.resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS;
|
||||
+
|
||||
+ if (basedir == NULL) {
|
||||
+ dirfd = AT_FDCWD;
|
||||
+ } else {
|
||||
+ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY);
|
||||
+ if (dirfd == -1)
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ retfd = syscall(SYS_openat2, dirfd, relpath, &how, sizeof how);
|
||||
+
|
||||
+ if (dirfd != AT_FDCWD)
|
||||
+ close(dirfd);
|
||||
+ return retfd;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
|
||||
{
|
||||
if (!relpath || relpath[0] == '/') {
|
||||
@@ -739,6 +781,16 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
|
||||
return -1;
|
||||
}
|
||||
|
||||
+#ifdef __linux__
|
||||
+ {
|
||||
+ int fd = secure_relative_open_linux(basedir, relpath, flags, mode);
|
||||
+ /* ENOSYS = kernel < 5.6 doesn't have the syscall even though
|
||||
+ * glibc/kernel-headers do; fall through to the portable path. */
|
||||
+ if (fd != -1 || errno != ENOSYS)
|
||||
+ return fd;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) || !defined(AT_FDCWD)
|
||||
// really old system, all we can do is live with the risks
|
||||
if (!basedir) {
|
||||
diff --git a/testsuite/symlink-dirlink-basis.test b/testsuite/symlink-dirlink-basis.test
|
||||
new file mode 100755
|
||||
index 000000000..9065dd814
|
||||
--- /dev/null
|
||||
+++ b/testsuite/symlink-dirlink-basis.test
|
||||
@@ -0,0 +1,247 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+# Test that updating a file through a directory symlink works when using
|
||||
+# -K (--copy-dirlinks). This is a regression test for:
|
||||
+# https://github.com/RsyncProject/rsync/issues/715
|
||||
+#
|
||||
+# The CVE fix in commit c35e283 introduced secure_relative_open() which
|
||||
+# uses O_NOFOLLOW on all path components, breaking legitimate directory
|
||||
+# symlinks on the receiver side. The fix splits the path into basedir
|
||||
+# (dirname, symlinks followed) and basename (O_NOFOLLOW) so that
|
||||
+# directory symlinks are traversed while the final file component is
|
||||
+# still protected.
|
||||
+#
|
||||
+# The regression only manifests when delta matching is triggered (i.e.,
|
||||
+# the sender finds matching blocks in the old file). Small files with
|
||||
+# completely different content are transferred in full and don't trigger
|
||||
+# the bug. We use a large file with a small modification to ensure
|
||||
+# delta transfer is used.
|
||||
+#
|
||||
+# In addition to the original regression, this test covers edge cases
|
||||
+# in the fix itself:
|
||||
+# - --backup with directory symlinks (finish_transfer pointer identity)
|
||||
+# - --partial-dir with protocol < 29 (fnamecmp != partialptr guard)
|
||||
+# - --inplace with directory symlinks (updating_basis_or_equiv check)
|
||||
+# - Files without a dirname (top-level files, no split needed)
|
||||
+
|
||||
+. "$suitedir/rsync.fns"
|
||||
+
|
||||
+RSYNC_RSH="$scratchdir/src/support/lsh.sh"
|
||||
+export RSYNC_RSH
|
||||
+
|
||||
+# $HOME is set to $scratchdir by rsync.fns
|
||||
+# localhost: destination will cd to $HOME (i.e., $scratchdir)
|
||||
+
|
||||
+# Helper: create a large file suitable for delta transfers.
|
||||
+# ~32KB is large enough for rsync's block matching to find matches.
|
||||
+make_testfile() {
|
||||
+ dd if=/dev/urandom of="$1" bs=1024 count=32 2>/dev/null \
|
||||
+ || test_fail "failed to create test file $1"
|
||||
+}
|
||||
+
|
||||
+# Set up source tree
|
||||
+srcbase="$tmpdir/src"
|
||||
+
|
||||
+######################################################################
|
||||
+# Test 1: Basic directory symlink update (the original issue #715)
|
||||
+######################################################################
|
||||
+
|
||||
+mkdir -p "$HOME/real-dir"
|
||||
+ln -s real-dir "$HOME/dir"
|
||||
+
|
||||
+mkdir -p "$srcbase/dir"
|
||||
+make_testfile "$srcbase/dir/file"
|
||||
+
|
||||
+# First transfer (initial): should create the file through the symlink
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 1: initial transfer failed"
|
||||
+
|
||||
+if [ ! -f "$HOME/real-dir/file" ]; then
|
||||
+ test_fail "test 1: initial transfer did not create file through symlink"
|
||||
+fi
|
||||
+
|
||||
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
|
||||
+ || test_fail "test 1: initial transfer content mismatch"
|
||||
+
|
||||
+# Small modification to trigger delta transfer
|
||||
+echo "appended update" >> "$srcbase/dir/file"
|
||||
+sleep 1
|
||||
+touch "$srcbase/dir/file"
|
||||
+
|
||||
+# Second transfer (update): was failing with "failed verification"
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 1: update through directory symlink failed"
|
||||
+
|
||||
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
|
||||
+ || test_fail "test 1: update transfer content mismatch"
|
||||
+
|
||||
+######################################################################
|
||||
+# Test 2: Compression (-z) as in the original reproducer
|
||||
+######################################################################
|
||||
+
|
||||
+echo "another line" >> "$srcbase/dir/file"
|
||||
+sleep 1
|
||||
+touch "$srcbase/dir/file"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptzv --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 2: compressed update through directory symlink failed"
|
||||
+
|
||||
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
|
||||
+ || test_fail "test 2: compressed update content mismatch"
|
||||
+
|
||||
+######################################################################
|
||||
+# Test 3: Nested directory symlinks (nested/sub/data.txt where
|
||||
+# "nested" is a symlink to "nested_real")
|
||||
+######################################################################
|
||||
+
|
||||
+mkdir -p "$HOME/nested_real/sub"
|
||||
+ln -s nested_real "$HOME/nested"
|
||||
+
|
||||
+mkdir -p "$srcbase/nested/sub"
|
||||
+make_testfile "$srcbase/nested/sub/data.txt"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" nested/sub/data.txt localhost:) \
|
||||
+ || test_fail "test 3: initial nested transfer failed"
|
||||
+
|
||||
+echo "appended nested" >> "$srcbase/nested/sub/data.txt"
|
||||
+sleep 1
|
||||
+touch "$srcbase/nested/sub/data.txt"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" nested/sub/data.txt localhost:) \
|
||||
+ || test_fail "test 3: update through nested directory symlink failed"
|
||||
+
|
||||
+diff "$srcbase/nested/sub/data.txt" "$HOME/nested_real/sub/data.txt" >/dev/null \
|
||||
+ || test_fail "test 3: nested update content mismatch"
|
||||
+
|
||||
+######################################################################
|
||||
+# Test 4: --backup with directory symlinks
|
||||
+#
|
||||
+# Exercises the finish_transfer() "fnamecmp == fname" pointer
|
||||
+# comparison that determines whether to update fnamecmp to the
|
||||
+# backup name. If broken, --backup would reference a renamed file
|
||||
+# for xattr handling.
|
||||
+######################################################################
|
||||
+
|
||||
+# Reset destination
|
||||
+rm -f "$HOME/real-dir/file" "$HOME/real-dir/file~"
|
||||
+
|
||||
+make_testfile "$srcbase/dir/file"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 4: initial transfer for backup test failed"
|
||||
+
|
||||
+echo "backup update" >> "$srcbase/dir/file"
|
||||
+sleep 1
|
||||
+touch "$srcbase/dir/file"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --backup --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 4: update with --backup through directory symlink failed"
|
||||
+
|
||||
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
|
||||
+ || test_fail "test 4: backup update content mismatch"
|
||||
+
|
||||
+if [ ! -f "$HOME/real-dir/file~" ]; then
|
||||
+ test_fail "test 4: backup file was not created"
|
||||
+fi
|
||||
+
|
||||
+######################################################################
|
||||
+# Test 5: --inplace with directory symlinks
|
||||
+#
|
||||
+# Exercises the updating_basis_or_equiv check which uses
|
||||
+# "fnamecmp == fname". With --inplace, rsync writes directly to
|
||||
+# the destination file instead of a temp file.
|
||||
+######################################################################
|
||||
+
|
||||
+rm -f "$HOME/real-dir/file" "$HOME/real-dir/file~"
|
||||
+
|
||||
+make_testfile "$srcbase/dir/file"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --inplace --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 5: initial inplace transfer failed"
|
||||
+
|
||||
+echo "inplace update" >> "$srcbase/dir/file"
|
||||
+sleep 1
|
||||
+touch "$srcbase/dir/file"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --inplace --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 5: inplace update through directory symlink failed"
|
||||
+
|
||||
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
|
||||
+ || test_fail "test 5: inplace update content mismatch"
|
||||
+
|
||||
+######################################################################
|
||||
+# Test 6: Top-level file (no dirname, no split needed)
|
||||
+#
|
||||
+# Ensures the dirname/basename split is not attempted for files
|
||||
+# at the top level (file->dirname is NULL).
|
||||
+######################################################################
|
||||
+
|
||||
+make_testfile "$srcbase/topfile"
|
||||
+mkdir -p "$HOME"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -Rlptv --rsync-path="$RSYNC" topfile localhost:) \
|
||||
+ || test_fail "test 6: initial top-level transfer failed"
|
||||
+
|
||||
+echo "toplevel update" >> "$srcbase/topfile"
|
||||
+sleep 1
|
||||
+touch "$srcbase/topfile"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -Rlptv --rsync-path="$RSYNC" topfile localhost:) \
|
||||
+ || test_fail "test 6: top-level update failed"
|
||||
+
|
||||
+diff "$srcbase/topfile" "$HOME/topfile" >/dev/null \
|
||||
+ || test_fail "test 6: top-level update content mismatch"
|
||||
+
|
||||
+######################################################################
|
||||
+# Test 7: --partial-dir with protocol < 29
|
||||
+#
|
||||
+# For protocol < 29, fnamecmp_type stays FNAMECMP_FNAME even when
|
||||
+# fnamecmp is set to partialptr. The dirname/basename split must
|
||||
+# NOT trigger in this case (guarded by "fnamecmp == fname").
|
||||
+######################################################################
|
||||
+
|
||||
+rm -f "$HOME/real-dir/file"
|
||||
+make_testfile "$srcbase/dir/file"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 --partial-dir=.rsync-partial \
|
||||
+ --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 7: initial proto28 partial-dir transfer failed"
|
||||
+
|
||||
+echo "partial-dir update" >> "$srcbase/dir/file"
|
||||
+sleep 1
|
||||
+touch "$srcbase/dir/file"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 --partial-dir=.rsync-partial \
|
||||
+ --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 7: proto28 partial-dir update through dirlink failed"
|
||||
+
|
||||
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
|
||||
+ || test_fail "test 7: proto28 partial-dir update content mismatch"
|
||||
+
|
||||
+######################################################################
|
||||
+# Test 8: Protocol < 29 basic directory symlink update
|
||||
+#
|
||||
+# Exercises the protocol < 29 code path and its fallback logic
|
||||
+# (clearing basedir on retry).
|
||||
+######################################################################
|
||||
+
|
||||
+rm -f "$HOME/real-dir/file"
|
||||
+make_testfile "$srcbase/dir/file"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 \
|
||||
+ --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 8: initial proto28 transfer failed"
|
||||
+
|
||||
+echo "proto28 update" >> "$srcbase/dir/file"
|
||||
+sleep 1
|
||||
+touch "$srcbase/dir/file"
|
||||
+
|
||||
+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 \
|
||||
+ --rsync-path="$RSYNC" dir/file localhost:) \
|
||||
+ || test_fail "test 8: proto28 update through directory symlink failed"
|
||||
+
|
||||
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
|
||||
+ || test_fail "test 8: proto28 update content mismatch"
|
||||
+
|
||||
+# The script would have aborted on error, so getting here means we've won.
|
||||
+exit 0
|
||||
52
rsync.spec
52
rsync.spec
@ -1,19 +1,12 @@
|
||||
%global _hardened_build 1
|
||||
|
||||
%define isprerelease 0
|
||||
|
||||
%if %isprerelease
|
||||
%define prerelease pre3
|
||||
%endif
|
||||
|
||||
Summary: A program for synchronizing files over a network
|
||||
Name: rsync
|
||||
Version: 3.4.1
|
||||
Release: 6%{?prerelease}%{?dist}
|
||||
Version: 3.4.4
|
||||
Release: 1%{?dist}
|
||||
URL: https://rsync.samba.org/
|
||||
|
||||
Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz
|
||||
Source1: https://download.samba.org/pub/rsync/src/rsync-patches-%{version}%{?prerelease}.tar.gz
|
||||
Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}.tar.gz
|
||||
Source2: rsyncd.socket
|
||||
Source3: rsyncd.service
|
||||
Source4: rsyncd.conf
|
||||
@ -31,6 +24,8 @@ BuildRequires: systemd
|
||||
BuildRequires: lz4-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: libzstd-devel
|
||||
BuildRequires: git-core
|
||||
BuildRequires: %{__python3}
|
||||
%if ! 0%{?rhel} >= 10
|
||||
BuildRequires: xxhash-devel
|
||||
%endif
|
||||
@ -42,14 +37,8 @@ Provides: bundled(zlib) = 1.2.8
|
||||
#mentioned here as well.
|
||||
License: GPL-3.0-or-later
|
||||
|
||||
Patch1: rsync-3.2.2-runtests.patch
|
||||
# creating rrsync.1.md would require commonmark, we copy it instead
|
||||
Patch2: rsync-3.4.1-rrsync-man.patch
|
||||
Patch3: rsync-3.4.1-ssh-askpass.patch
|
||||
Patch4: rsync-3.4.1-cve-2025-10158.patch
|
||||
Patch5: rsync-3.4.1-cve-2026-41035.patch
|
||||
# https://github.com/RsyncProject/rsync/commit/4fa7156ccdb2ad34b034d18fe2fd6cd79adef8a1
|
||||
Patch6: rsync-3.4.1-use-openat2.patch
|
||||
Patch1: rsync-3.4.1-rrsync-man.patch
|
||||
|
||||
%description
|
||||
Rsync uses a reliable algorithm to bring remote and host files into
|
||||
@ -79,22 +68,7 @@ This subpackage provides rrsync script and its manpage. rrsync
|
||||
may be used to setup a restricted rsync users via ssh logins.
|
||||
|
||||
%prep
|
||||
# TAG: for pre versions use
|
||||
|
||||
%if %isprerelease
|
||||
%setup -q -n rsync-%{version}%{?prerelease}
|
||||
%setup -q -b 1 -n rsync-%{version}%{?prerelease}
|
||||
%else
|
||||
%setup -q
|
||||
%setup -q -b 1
|
||||
%endif
|
||||
|
||||
%patch 1 -p1 -b .runtests
|
||||
%patch 2 -p1 -b .rrsync
|
||||
%patch 3 -p1 -b .ssh-askpass
|
||||
%patch 4 -p1 -b .cve-2025-10158
|
||||
%patch 5 -p1 -b .cve-2026-41035
|
||||
%patch 6 -p1 -b .use-openat2
|
||||
%autosetup -S git
|
||||
|
||||
%build
|
||||
%configure \
|
||||
@ -152,14 +126,10 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service
|
||||
%systemd_postun_with_restart rsyncd.service
|
||||
|
||||
%changelog
|
||||
* Tue May 12 2026 Michal Ruprich <mruprich@redhat.com> - 3.4.1-6
|
||||
- Resolves: RHEL-172276 - Fix regression introduced with CVE-2024-12086 fix
|
||||
|
||||
* Tue Apr 28 2026 Michal Ruprich <mruprich@redhat.com> - 3.4.1-5
|
||||
- Resolves: RHEL-169137 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling
|
||||
|
||||
* Mon Apr 13 2026 Michal Ruprich <mruprich@redhat.com> - 3.4.1-4
|
||||
- Resolves: RHEL-152527 - CVE-2025-10158 Out of bounds array access via negative index
|
||||
* Fri Jun 12 2026 Michal Ruprich <mruprich@redhat.com> - 3.4.4-1
|
||||
- Resolves: RHEL-181630 - Rebase rsync to version 3.4.4
|
||||
- Resolves: RHEL-174929 - TOCTOU symlink race condition (CVE-2026-29518)
|
||||
- Resolves: RHEL-174949 - Memory disclosure via int overflow (CVE-2026-43618)
|
||||
|
||||
* Thu Oct 09 2025 Michal Ruprich <mruprich@redhat.com> - 3.4.1-3
|
||||
- Resolves: RHEL-118549 - Do not clear DISPLAY unconditionally
|
||||
|
||||
3
sources
3
sources
@ -1,2 +1 @@
|
||||
SHA512 (rsync-3.4.1.tar.gz) = a3ecde4843ddb795308dca88581b868ac0221eb6f88a1477d7a9a2ecb4e4686042966bdddbab40866f90a4715d3104daa7b83222ddf0f3387b796a86bde8e5c2
|
||||
SHA512 (rsync-patches-3.4.1.tar.gz) = 0a2439f43e53cef028e5c0a25bd20fd308e6094af36e6d1109e9b5149035ce9c650d4cac7e7523671b4c3e8d6d6c68e40445dd0d8ae9adbc19771aba0831ed33
|
||||
SHA512 (rsync-3.4.4.tar.gz) = cf9a838b1f019b70fd67fa2c293f267be3f24e579c2ea33177ec7afc502c97ce0b613ff0854088c0eb28acd14ee0a75706ae8445115cef4669bd586c505d8453
|
||||
|
||||
Loading…
Reference in New Issue
Block a user