Resolves: RHEL-152536 - CVE-2025-10158 Out of bounds array access via negative index

rsync-3.2.5-cve-2025-10158.patch

@@ -0,0 +1,27 @@
+From 797e17fc4a6f15e3b1756538a9f812b63942686f Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: [PATCH] fixed an invalid access to files array
+
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+
+Many thanks to Calum and Rapid7 for finding and reporting this
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sender.c b/sender.c
+index a4d46c39e..b1588b701 100644
+--- a/sender.c
++++ b/sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+ 
+ 		if (ndx - cur_flist->ndx_start >= 0)
+ 			file = cur_flist->files[ndx - cur_flist->ndx_start];
++		else if (cur_flist->parent_ndx < 0)
++			exit_cleanup(RERR_PROTOCOL);
+ 		else
+ 			file = dir_flist->files[cur_flist->parent_ndx];
+ 		if (F_PATHNAME(file)) {

rsync.spec

@@ -10,7 +10,7 @@
 Summary: A program for synchronizing files over a network
 Name: rsync
 Version: 3.2.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://rsync.samba.org/
 
 Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz
@@ -37,20 +37,21 @@ Provides: bundled(zlib) = 1.2.8
 License: GPLv3+
 
 #Added due to rhbz#1873975 - default-acls test fail on s390x due to libacl
-Patch1: rsync-3.2.2-runtests.patch
+Patch1:  rsync-3.2.2-runtests.patch
 #commonmark would be needed to generate manpage, so we simply copy it
-Patch2: rsync-3.2.5-rrsync-man.patch
+Patch2:  rsync-3.2.5-rrsync-man.patch
 #A couple of fixes for the new filtering code
-Patch3: rsync-3.2.3-filtering-rules.patch
-Patch4: rsync-3.2.5-cve-2024-12085.patch
-Patch5: rsync-3.2.5-cve-2024-12087.patch
-Patch6: rsync-3.2.5-cve-2024-12088.patch
-Patch7: rsync-3.2.5-cve-2024-12747.patch
+Patch3:  rsync-3.2.3-filtering-rules.patch
+Patch4:  rsync-3.2.5-cve-2024-12085.patch
+Patch5:  rsync-3.2.5-cve-2024-12087.patch
+Patch6:  rsync-3.2.5-cve-2024-12088.patch
+Patch7:  rsync-3.2.5-cve-2024-12747.patch
 # This is here for RHEL9 lifetime to avoid changes in defaults.
 # From RHEL10 this will have to be documented as a different
 # behaviour for compression.
-Patch8: rsync-3.2.5-default-compression.patch
-Patch9: rsync-3.2.5-ssh-askpass.patch
+Patch8:  rsync-3.2.5-default-compression.patch
+Patch9:  rsync-3.2.5-ssh-askpass.patch
+Patch10: rsync-3.2.5-cve-2025-10158.patch
 
 %description
 Rsync uses a reliable algorithm to bring remote and host files into
@@ -90,15 +91,16 @@ may be used to setup a restricted rsync users via ssh logins.
 %setup -q -b 1
 %endif
 
-%patch 1 -p1 -b .runtests
-%patch 2 -p1 -b .rrsync-man
-%patch 3 -p1 -b .filtering-rules
-%patch 4 -p1 -b .cve-2024-12085
-%patch 5 -p1 -b .cve-2024-12087
-%patch 6 -p1 -b .cve-2024-12088
-%patch 7 -p1 -b .cve-2024-12747
-%patch 8 -p1 -b .default-compression
-%patch 9 -p1 -b .ssh-askpass
+%patch 1  -p1 -b .runtests
+%patch 2  -p1 -b .rrsync-man
+%patch 3  -p1 -b .filtering-rules
+%patch 4  -p1 -b .cve-2024-12085
+%patch 5  -p1 -b .cve-2024-12087
+%patch 6  -p1 -b .cve-2024-12088
+%patch 7  -p1 -b .cve-2024-12747
+%patch 8  -p1 -b .default-compression
+%patch 9  -p1 -b .ssh-askpass
+%patch 10 -p1 -b .cve-2025-10158
 
 %build
 %configure --disable-xxhash --with-rrsync
@@ -149,6 +151,9 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service
 %systemd_postun_with_restart rsyncd.service
 
 %changelog
+* Tue Apr 07 2026 Michal Ruprich <mruprich@redhat.com> - 3.2.5-5
+- Resolves: RHEL-152536 - CVE-2025-10158 Out of bounds array access via negative index
+
 * Thu Oct 09 2025 Michal Ruprich <mruprich@redhat.com> - 3.2.5-4
 - Resolves: RHEL-104404 - Do not clear DISPLAY unconditionally