diff --git a/rsync-3.2.5-cve-2025-10158.patch b/rsync-3.2.5-cve-2025-10158.patch
new file mode 100644
index 0000000..6527476
--- /dev/null
+++ b/rsync-3.2.5-cve-2025-10158.patch
@@ -0,0 +1,27 @@
+From 797e17fc4a6f15e3b1756538a9f812b63942686f Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: [PATCH] fixed an invalid access to files array
+
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+
+Many thanks to Calum and Rapid7 for finding and reporting this
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sender.c b/sender.c
+index a4d46c39e..b1588b701 100644
+--- a/sender.c
++++ b/sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+
+ if (ndx - cur_flist->ndx_start >= 0)
+ file = cur_flist->files[ndx - cur_flist->ndx_start];
++ else if (cur_flist->parent_ndx < 0)
++ exit_cleanup(RERR_PROTOCOL);
+ else
+ file = dir_flist->files[cur_flist->parent_ndx];
+ if (F_PATHNAME(file)) {
diff --git a/rsync.spec b/rsync.spec
index 1a52c8a..108bc7b 100644
--- a/rsync.spec
+++ b/rsync.spec
@@ -10,7 +10,7 @@ Summary: A program for synchronizing files over a network
 Name: rsync
 Version: 3.2.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://rsync.samba.org/
 Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz
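Review bot: The added `else if (cur_flist->parent_ndx < 0)` branch in send_files() exits with RERR_PROTOCOL but emits no message, so an operator sees only an exit code when a peer supplies an index below `ndx_start` on a list that has no parent entry. Logging before the exit, for example `rprintf(FERROR, "invalid file index %d [%s]\n", ndx, who_am_i());`, would make the rejected request visible in the daemon log. The guard covers only the lower bound of `parent_ndx`; whether the value is always below the number of entries in `dir_flist->files` is not visible in this hunk and is worth confirming. A short comment such as `/* no parent dir entry for this list: an ndx below ndx_start is a protocol violation */` would record why the branch exists. The body of send_files() starts and ends outside the hunk.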
@@ -37,20 +37,21 @@ Provides: bundled(zlib) = 1.2.8
 License: GPLv3+
 #Added due to rhbz#1873975 - default-acls test fail on s390x due to libacl
-Patch1: rsync-3.2.2-runtests.patch
+Patch1: rsync-3.2.2-runtests.patch
 #commonmark would be needed to generate manpage, so we simply copy it
-Patch2: rsync-3.2.5-rrsync-man.patch
+Patch2: rsync-3.2.5-rrsync-man.patch
 #A couple of fixes for the new filtering code
-Patch3: rsync-3.2.3-filtering-rules.patch
-Patch4: rsync-3.2.5-cve-2024-12085.patch
-Patch5: rsync-3.2.5-cve-2024-12087.patch
-Patch6: rsync-3.2.5-cve-2024-12088.patch
-Patch7: rsync-3.2.5-cve-2024-12747.patch
+Patch3: rsync-3.2.3-filtering-rules.patch
+Patch4: rsync-3.2.5-cve-2024-12085.patch
+Patch5: rsync-3.2.5-cve-2024-12087.patch
+Patch6: rsync-3.2.5-cve-2024-12088.patch
+Patch7: rsync-3.2.5-cve-2024-12747.patch
 # This is here for RHEL9 lifetime to avoid changes in defaults.
 # From RHEL10 this will have to be documented as a different
 # behaviour for compression.
-Patch8: rsync-3.2.5-default-compression.patch
-Patch9: rsync-3.2.5-ssh-askpass.patch
+Patch8: rsync-3.2.5-default-compression.patch
+Patch9: rsync-3.2.5-ssh-askpass.patch
+Patch10: rsync-3.2.5-cve-2025-10158.patch
 %description
 Rsync uses a reliable algorithm to bring remote and host files into
@@ -90,15 +91,16 @@ may be used to setup a restricted rsync users via ssh logins.
 %setup -q -b 1
 %endif
-%patch 1 -p1 -b .runtests
-%patch 2 -p1 -b .rrsync-man
-%patch 3 -p1 -b .filtering-rules
-%patch 4 -p1 -b .cve-2024-12085
-%patch 5 -p1 -b .cve-2024-12087
-%patch 6 -p1 -b .cve-2024-12088
-%patch 7 -p1 -b .cve-2024-12747
-%patch 8 -p1 -b .default-compression
-%patch 9 -p1 -b .ssh-askpass
+%patch 1 -p1 -b .runtests
+%patch 2 -p1 -b .rrsync-man
+%patch 3 -p1 -b .filtering-rules
+%patch 4 -p1 -b .cve-2024-12085
+%patch 5 -p1 -b .cve-2024-12087
+%patch 6 -p1 -b .cve-2024-12088
+%patch 7 -p1 -b .cve-2024-12747
+%patch 8 -p1 -b .default-compression
+%patch 9 -p1 -b .ssh-askpass
+%patch 10 -p1 -b .cve-2025-10158
 %build
 %configure --disable-xxhash --with-rrsync
@@ -149,6 +151,9 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service
 %systemd_postun_with_restart rsyncd.service
 %changelog
+* Tue Apr 07 2026 Michal Ruprich - 3.2.5-5
+- Resolves: RHEL-152536 - CVE-2025-10158 Out of bounds array access via negative index
+
 * Thu Oct 09 2025 Michal Ruprich - 3.2.5-4
 - Resolves: RHEL-104404 - Do not clear DISPLAY unconditionally