From ec67dc569fd5e1de4b258ef2e8535a0ad103d1eb Mon Sep 17 00:00:00 2001
From: Michal Ruprich <mruprich@redhat.com>
Date: Mon, 13 Apr 2026 10:10:57 +0200
Subject: [PATCH] Resolves: RHEL-152527 - CVE-2025-10158 Out of bounds array
 access via negative index

---
 rsync-3.4.1-cve-2025-10158.patch | 27 +++++++++++++++++++++++++++
 rsync.spec                       |  7 ++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 rsync-3.4.1-cve-2025-10158.patch

diff --git a/rsync-3.4.1-cve-2025-10158.patch b/rsync-3.4.1-cve-2025-10158.patch
new file mode 100644
index 0000000..6527476
--- /dev/null
+++ b/rsync-3.4.1-cve-2025-10158.patch
@@ -0,0 +1,27 @@
+From 797e17fc4a6f15e3b1756538a9f812b63942686f Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: [PATCH] fixed an invalid access to files array
+
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+
+Many thanks to Calum and Rapid7 for finding and reporting this
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sender.c b/sender.c
+index a4d46c39e..b1588b701 100644
+--- a/sender.c
++++ b/sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+ 
+ 		if (ndx - cur_flist->ndx_start >= 0)
+ 			file = cur_flist->files[ndx - cur_flist->ndx_start];
++		else if (cur_flist->parent_ndx < 0)
++			exit_cleanup(RERR_PROTOCOL);
+ 		else
+ 			file = dir_flist->files[cur_flist->parent_ndx];
+ 		if (F_PATHNAME(file)) {
diff --git a/rsync.spec b/rsync.spec
index e99cc11..aefb8dc 100644
--- a/rsync.spec
+++ b/rsync.spec
@@ -9,7 +9,7 @@
 Summary: A program for synchronizing files over a network
 Name: rsync
 Version: 3.4.1
-Release: 3%{?prerelease}%{?dist}
+Release: 4%{?prerelease}%{?dist}
 URL: https://rsync.samba.org/
 
 Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz
@@ -46,6 +46,7 @@ Patch1: rsync-3.2.2-runtests.patch
 # creating rrsync.1.md would require commonmark, we copy it instead
 Patch2: rsync-3.4.1-rrsync-man.patch
 Patch3: rsync-3.4.1-ssh-askpass.patch
+Patch4: rsync-3.4.1-cve-2025-10158.patch
 
 %description
 Rsync uses a reliable algorithm to bring remote and host files into
@@ -88,6 +89,7 @@ may be used to setup a restricted rsync users via ssh logins.
 %patch 1 -p1 -b .runtests
 %patch 2 -p1 -b .rrsync
 %patch 3 -p1 -b .ssh-askpass
+%patch 4 -p1 -b .cve-2025-10158
 
 %build
 %configure \
@@ -145,6 +147,9 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service
 %systemd_postun_with_restart rsyncd.service
 
 %changelog
+* Mon Apr 13 2026 Michal Ruprich <mruprich@redhat.com> - 3.4.1-4
+- Resolves: RHEL-152527 - CVE-2025-10158 Out of bounds array access via negative index
+
 * Thu Oct 09 2025 Michal Ruprich <mruprich@redhat.com> - 3.4.1-3
 - Resolves: RHEL-118549 - Do not clear DISPLAY unconditionally