Resolves: RHEL-169151 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling
Backport fix for CVE-2026-41035 which corrects the count passed to qsort
of the xattr list in receive_xattr(). The bug uses a stale 'count'
variable instead of temp_xattr.count after extended attributes have been
added or removed during receive.
[CVE: cve-2026-41035]
Upstream patches:
- bb0a8118c2
Resolves: RHEL-169151
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir
parent d83ef899fe
commit fce1547fc5
35
rsync-3.2.5-cve-2026-41035.patch
Normal file
@ -0,0 +1,35 @@
From 07de42ef075f8f27d45d5e2818f44f120aa08012 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Wed, 22 Apr 2026 09:57:45 +1000
Subject: [PATCH] xattrs: fixed count in qsort
this fixes the count passed to the sort of the xattr list. This issue
was reported here:
https://www.openwall.com/lists/oss-security/2026/04/16/2
the bug is not exploitable due to the fork-per-connection design of
rsync, the attack is the equivalent of the user closing the socket
themselves.
---
xattrs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xattrs.c b/xattrs.c
index 1f2bfacd..aee69622 100644
--- a/xattrs.c
+++ b/xattrs.c
@@ -864,8 +864,8 @@ void receive_xattr(int f, struct file_struct *file)
rxa->num = num;
}
- if (need_sort && count > 1)
- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names);
+ if (need_sort && temp_xattr.count > 1)
+ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names);
ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */
--
2.53.0
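Review bot: The patch header's commit id (From 07de42ef075f...) is not the upstream id bb0a8118c2 that the commit message and the spec comment above Patch11 cite, so this file reads as a regenerated backport rather than the upstream commit verbatim; state that in the patch header or the commit message (for example, that it was cherry-picked onto 3.2.5) so a later auditor can tell which tree the `index 1f2bfacd..aee69622` blobs belong to. It is also worth confirming in the 3.2.5 source that `count` is not read again after this point in receive_xattr(), since the hunk only shows the guard and the qsort call being switched to temp_xattr.count.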
@ -10,7 +10,7 @@
Summary: A program for synchronizing files over a network
Name: rsync
Version: 3.2.5
Release: 5%{?dist}
Release: 6%{?dist}
URL: https://rsync.samba.org/
Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz
@ -52,6 +52,8 @@ Patch7: rsync-3.2.5-cve-2024-12747.patch
Patch8: rsync-3.2.5-default-compression.patch
Patch9: rsync-3.2.5-ssh-askpass.patch
Patch10: rsync-3.2.5-cve-2025-10158.patch
# https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c
Patch11: rsync-3.2.5-cve-2026-41035.patch
%description
Rsync uses a reliable algorithm to bring remote and host files into
@ -101,6 +103,7 @@ may be used to setup a restricted rsync users via ssh logins.
%patch 8 -p1 -b .default-compression
%patch 9 -p1 -b .ssh-askpass
%patch 10 -p1 -b .cve-2025-10158
%patch 11 -p1 -b .cve-2026-41035
%build
%configure --disable-xxhash --with-rrsync
@ -151,6 +154,9 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service
%systemd_postun_with_restart rsyncd.service
%changelog
* Mon May 04 2026 Michal Ruprich <mruprich@redhat.com> - 3.2.5-6
- Resolves: RHEL-169151 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling
* Tue Apr 07 2026 Michal Ruprich <mruprich@redhat.com> - 3.2.5-5
- Resolves: RHEL-152536 - CVE-2025-10158 Out of bounds array access via negative index
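Review bot: The new 3.2.5-6 %changelog entry describes the fix only by the CVE title ("Use-after-free vulnerability in extended attribute handling"), while the backported patch's own message says the change corrects the count passed to qsort and calls the bug not exploitable; add a second line naming the actual change, for example "- Fix count passed to qsort in receive_xattr()", so the changelog can be matched against what Patch11 does.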