diff --git a/rsync-3.2.5-cve-2026-41035.patch b/rsync-3.2.5-cve-2026-41035.patch new file mode 100644 index 0000000..c855a6a --- /dev/null +++ b/rsync-3.2.5-cve-2026-41035.patch @@ -0,0 +1,35 @@ +From 07de42ef075f8f27d45d5e2818f44f120aa08012 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Wed, 22 Apr 2026 09:57:45 +1000 +Subject: [PATCH] xattrs: fixed count in qsort + +this fixes the count passed to the sort of the xattr list. This issue +was reported here: + +https://www.openwall.com/lists/oss-security/2026/04/16/2 + +the bug is not exploitable due to the fork-per-connection design of +rsync, the attack is the equivalent of the user closing the socket +themselves. +--- + xattrs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xattrs.c b/xattrs.c +index 1f2bfacd..aee69622 100644 +--- a/xattrs.c ++++ b/xattrs.c +@@ -864,8 +864,8 @@ void receive_xattr(int f, struct file_struct *file) + rxa->num = num; + } + +- if (need_sort && count > 1) +- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names); ++ if (need_sort && temp_xattr.count > 1) ++ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names); + + ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */ + +-- +2.53.0 + diff --git a/rsync.spec b/rsync.spec index 108bc7b..1862614 100644 --- a/rsync.spec +++ b/rsync.spec @@ -10,7 +10,7 @@ Summary: A program for synchronizing files over a network Name: rsync Version: 3.2.5 -Release: 5%{?dist} +Release: 6%{?dist} URL: https://rsync.samba.org/ Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz @@ -52,6 +52,8 @@ Patch7: rsync-3.2.5-cve-2024-12747.patch Patch8: rsync-3.2.5-default-compression.patch Patch9: rsync-3.2.5-ssh-askpass.patch Patch10: rsync-3.2.5-cve-2025-10158.patch +# https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c +Patch11: rsync-3.2.5-cve-2026-41035.patch %description Rsync uses a reliable algorithm to bring remote and host files into @@ -101,6 +103,7 @@ may be used to setup a restricted rsync users via ssh logins. %patch 8 -p1 -b .default-compression %patch 9 -p1 -b .ssh-askpass %patch 10 -p1 -b .cve-2025-10158 +%patch 11 -p1 -b .cve-2026-41035 %build %configure --disable-xxhash --with-rrsync @@ -151,6 +154,9 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service %systemd_postun_with_restart rsyncd.service %changelog +* Mon May 04 2026 Michal Ruprich - 3.2.5-6 +- Resolves: RHEL-169151 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling + * Tue Apr 07 2026 Michal Ruprich - 3.2.5-5 - Resolves: RHEL-152536 - CVE-2025-10158 Out of bounds array access via negative index