From db9fcfeac4e5d1b17fe725e62a23c56e89059cbc Mon Sep 17 00:00:00 2001
From: Michal Ruprich
Date: Tue, 28 Apr 2026 13:16:36 +0200
Subject: [PATCH] Resolves: RHEL-169137 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling
---
 rsync-3.4.1-cve-2026-41035.patch | 32 ++++++++++++++++++++++++++++++++
 rsync.spec | 7 ++++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 rsync-3.4.1-cve-2026-41035.patch
diff --git a/rsync-3.4.1-cve-2026-41035.patch b/rsync-3.4.1-cve-2026-41035.patch
new file mode 100644
index 0000000..9133658
--- /dev/null
+++ b/rsync-3.4.1-cve-2026-41035.patch
@@ -0,0 +1,32 @@
+From 6aa7ee6ba1bd71b1b7bac7dbb351ed05c065e93d Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell
+Date: Wed, 22 Apr 2026 09:57:45 +1000
+Subject: [PATCH] xattrs: fixed count in qsort
+
+this fixes the count passed to the sort of the xattr list. This issue
+was reported here:
+
+https://www.openwall.com/lists/oss-security/2026/04/16/2
+
+the bug is not exploitable due to the fork-per-connection design of
+rsync, the attack is the equivalent of the user closing the socket
+themselves.
+---
+ xattrs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xattrs.c b/xattrs.c
+index 26e50a6f9..65166eed9 100644
+--- a/xattrs.c
++++ b/xattrs.c
+@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file)
+ rxa->num = num;
+ }
+
+- if (need_sort && count > 1)
+- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names);
++ if (need_sort && temp_xattr.count > 1)
++ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names);
+
+ ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */
+
diff --git a/rsync.spec b/rsync.spec
index aefb8dc..53efcba 100644
--- a/rsync.spec
+++ b/rsync.spec
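Review bot: The corrected `qsort` call in the embedded xattrs.c hunk has no comment saying why `temp_xattr.count` is the right bound, so the difference between the two counters, which is the whole fix, is easy to undo in a later refactor. I would add above the `if`: `/* Sort only the entries actually stored; count is the total announced by the peer and may be larger. */`. That wording assumes entries can be skipped while the list is being read; the loop and the rest of `receive_xattr` lie outside the hunk, so confirm it against the full function. Separately, the spec changelog and subject call the issue a use-after-free, while the upstream message describes a wrong element count passed to the sort and considers it non-exploitable; a short header comment in the patch file tying the two descriptions together would help later triage.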
@@ -9,7 +9,7 @@
 Summary: A program for synchronizing files over a network
 Name: rsync
 Version: 3.4.1
-Release: 4%{?prerelease}%{?dist}
+Release: 5%{?prerelease}%{?dist}
 URL: https://rsync.samba.org/
 Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz
@@ -47,6 +47,7 @@ Patch1: rsync-3.2.2-runtests.patch
 Patch2: rsync-3.4.1-rrsync-man.patch
 Patch3: rsync-3.4.1-ssh-askpass.patch
 Patch4: rsync-3.4.1-cve-2025-10158.patch
+Patch5: rsync-3.4.1-cve-2026-41035.patch
 %description
 Rsync uses a reliable algorithm to bring remote and host files into
@@ -90,6 +91,7 @@ may be used to setup a restricted rsync users via ssh logins.
 %patch 2 -p1 -b .rrsync
 %patch 3 -p1 -b .ssh-askpass
 %patch 4 -p1 -b .cve-2025-10158
+%patch 5 -p1 -b .cve-2026-41035
 %build
 %configure \
@@ -147,6 +149,9 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service
 %systemd_postun_with_restart rsyncd.service
 %changelog
+* Tue Apr 28 2026 Michal Ruprich - 3.4.1-5
+- Resolves: RHEL-169137 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling
+
 * Mon Apr 13 2026 Michal Ruprich - 3.4.1-4
 - Resolves: RHEL-152527 - CVE-2025-10158 Out of bounds array access via negative index