Resolves: RHEL-169137 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling
This commit is contained in:
Michal Ruprich
parent
ec67dc569f
commit
db9fcfeac4
32
rsync-3.4.1-cve-2026-41035.patch
Normal file
32
rsync-3.4.1-cve-2026-41035.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 6aa7ee6ba1bd71b1b7bac7dbb351ed05c065e93d Mon Sep 17 00:00:00 2001
|
||||
From: Andrew Tridgell <andrew@tridgell.net>
|
||||
Date: Wed, 22 Apr 2026 09:57:45 +1000
|
||||
Subject: [PATCH] xattrs: fixed count in qsort
|
||||
|
||||
this fixes the count passed to the sort of the xattr list. This issue
|
||||
was reported here:
|
||||
|
||||
https://www.openwall.com/lists/oss-security/2026/04/16/2
|
||||
|
||||
the bug is not exploitable due to the fork-per-connection design of
|
||||
rsync, the attack is the equivalent of the user closing the socket
|
||||
themselves.
|
||||
---
|
||||
xattrs.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/xattrs.c b/xattrs.c
|
||||
index 26e50a6f9..65166eed9 100644
|
||||
--- a/xattrs.c
|
||||
+++ b/xattrs.c
|
||||
@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file)
|
||||
rxa->num = num;
|
||||
}
|
||||
|
||||
- if (need_sort && count > 1)
|
||||
- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names);
|
||||
+ if (need_sort && temp_xattr.count > 1)
|
||||
+ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names);
|
||||
|
||||
ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
Summary: A program for synchronizing files over a network
|
||||
Name: rsync
|
||||
Version: 3.4.1
|
||||
Release: 4%{?prerelease}%{?dist}
|
||||
Release: 5%{?prerelease}%{?dist}
|
||||
URL: https://rsync.samba.org/
|
||||
|
||||
Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz
|
||||
@ -47,6 +47,7 @@ Patch1: rsync-3.2.2-runtests.patch
|
||||
Patch2: rsync-3.4.1-rrsync-man.patch
|
||||
Patch3: rsync-3.4.1-ssh-askpass.patch
|
||||
Patch4: rsync-3.4.1-cve-2025-10158.patch
|
||||
Patch5: rsync-3.4.1-cve-2026-41035.patch
|
||||
|
||||
%description
|
||||
Rsync uses a reliable algorithm to bring remote and host files into
|
||||
@ -90,6 +91,7 @@ may be used to setup a restricted rsync users via ssh logins.
|
||||
%patch 2 -p1 -b .rrsync
|
||||
%patch 3 -p1 -b .ssh-askpass
|
||||
%patch 4 -p1 -b .cve-2025-10158
|
||||
%patch 5 -p1 -b .cve-2026-41035
|
||||
|
||||
%build
|
||||
%configure \
|
||||
@ -147,6 +149,9 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service
|
||||
%systemd_postun_with_restart rsyncd.service
|
||||
|
||||
%changelog
|
||||
* Tue Apr 28 2026 Michal Ruprich <mruprich@redhat.com> - 3.4.1-5
|
||||
- Resolves: RHEL-169137 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling
|
||||
|
||||
* Mon Apr 13 2026 Michal Ruprich <mruprich@redhat.com> - 3.4.1-4
|
||||
- Resolves: RHEL-152527 - CVE-2025-10158 Out of bounds array access via negative index
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user