rpms/rsync
7
0
Fork 1
Code Issues Pull Requests Releases Activity

import UBI rsync-3.2.5-7.el9_8

Browse Source
This commit is contained in:
AlmaLinux RelEng Bot 2026-05-19 20:51:23 -04:00
parent 49d646c23c
commit fdc9f82f8e
4 changed files with 668 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

593
SOURCES/rsync-3.2.5-cve-2024-12086.patch Normal file
View File

@ -0,0 +1,593 @@
From b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Sat, 23 Nov 2024 12:26:10 +1100
Subject: [PATCH] added secure_relative_open()
this is an open that enforces no symlink following for all path
components in a relative path
---
syscall.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
diff --git a/syscall.c b/syscall.c
index b4b0f1f16..cffc814b7 100644
--- a/syscall.c
+++ b/syscall.c
@@ -33,6 +33,8 @@
#include <sys/syscall.h>
#endif
+#include "ifuncs.h"
+
extern int dry_run;
extern int am_root;
extern int am_sender;
diff --git a/syscall.c b/syscall.c
index 1dafab7..c8391f4 100644
--- a/syscall.c
+++ b/syscall.c
@@ -734,3 +734,75 @@ int do_open_checklinks(const char *pathname)
}
return do_open_nofollow(pathname, O_RDONLY);
}
+
+/*
+ open a file relative to a base directory. The basedir can be NULL,
+ in which case the current working directory is used. The relpath
+ must be a relative path, and the relpath must not contain any
+ elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
+ applies to all path components, not just the last component)
+*/
+int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
+{
+ if (!relpath || relpath[0] == '/') {
+ // must be a relative path
+ errno = EINVAL;
+ return -1;
+ }
+
+#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
+ // really old system, all we can do is live with the risks
+ if (!basedir) {
+ return open(relpath, flags, mode);
+ }
+ char fullpath[MAXPATHLEN];
+ pathjoin(fullpath, sizeof fullpath, basedir, relpath);
+ return open(fullpath, flags, mode);
+#else
+ int dirfd = AT_FDCWD;
+ if (basedir != NULL) {
+ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY);
+ if (dirfd == -1) {
+ return -1;
+ }
+ }
+ int retfd = -1;
+
+ char *path_copy = my_strdup(relpath, __FILE__, __LINE__);
+ if (!path_copy) {
+ return -1;
+ }
+
+ for (const char *part = strtok(path_copy, "/");
+ part != NULL;
+ part = strtok(NULL, "/"))
+ {
+ int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
+ if (next_fd == -1 && errno == ENOTDIR) {
+ if (strtok(NULL, "/") != NULL) {
+ // this is not the last component of the path
+ errno = ELOOP;
+ goto cleanup;
+ }
+ // this could be the last component of the path, try as a file
+ retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode);
+ goto cleanup;
+ }
+ if (next_fd == -1) {
+ goto cleanup;
+ }
+ if (dirfd != AT_FDCWD) close(dirfd);
+ dirfd = next_fd;
+ }
+
+ // the path must be a directory
+ errno = EINVAL;
+
+cleanup:
+ free(path_copy);
+ if (dirfd != AT_FDCWD) {
+ close(dirfd);
+ }
+ return retfd;
+#endif // O_NOFOLLOW, O_DIRECTORY
+}
From c35e28331f10ba6eba370611abd78bde32d54da7 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Sat, 23 Nov 2024 12:28:13 +1100
Subject: [PATCH] receiver: use secure_relative_open() for basis file
this prevents attacks where the basis file is manipulated by a
malicious sender to gain information about files outside the
destination tree
---
receiver.c | 42 ++++++++++++++++++++++++++----------------
1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/receiver.c b/receiver.c
index 2d7f60330..8031b8f4b 100644
--- a/receiver.c
+++ b/receiver.c
@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name)
progress_init();
while (1) {
+ const char *basedir = NULL;
+
cleanup_disable();
/* This call also sets cur_flist. */
@@ -719,27 +719,29 @@ int recv_files(int f_in, int f_out, char *local_name)
break;
case FNAMECMP_FUZZY:
if (file->dirname) {
- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
- fnamecmp = fnamecmpbuf;
- } else
- fnamecmp = xname;
+ basedir = file->dirname;
+ }
+ fnamecmp = xname;
break;
default:
if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
fnamecmp_type -= FNAMECMP_FUZZY + 1;
if (file->dirname) {
- stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
- basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
- } else
- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
+ basedir = fnamecmpbuf;
+ } else {
+ basedir = basis_dir[fnamecmp_type];
+ }
+ fnamecmp = xname;
} else if (fnamecmp_type >= basis_dir_cnt) {
rprintf(FERROR,
"invalid basis_dir index: %d.\n",
fnamecmp_type);
exit_cleanup(RERR_PROTOCOL);
- } else
- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
- fnamecmp = fnamecmpbuf;
+ } else {
+ basedir = basis_dir[fnamecmp_type];
+ fnamecmp = fname;
+ }
break;
}
if (!fnamecmp || (daemon_filter_list.head
@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name)
}
/* open the file */
- fd1 = do_open(fnamecmp, O_RDONLY, 0);
+ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
if (fd1 == -1 && protocol_version < 29) {
if (fnamecmp != fname) {
@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name)
if (fd1 == -1 && basis_dir[0]) {
/* pre-29 allowed only one alternate basis */
- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
- basis_dir[0], fname);
- fnamecmp = fnamecmpbuf;
+ basedir = basis_dir[0];
+ fnamecmp = fname;
fnamecmp_type = FNAMECMP_BASIS_DIR_LOW;
- fd1 = do_open(fnamecmp, O_RDONLY, 0);
+ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
}
}
+ if (basedir) {
+ // for the following code we need the full
+ // path name as a single string
+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
+ fnamecmp = fnamecmpbuf;
+ }
+
one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR;
updating_basis_or_equiv = one_inplace
|| (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP));
From 4fa7156ccdb2ad34b034d18fe2fd6cd79adef8a1 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Thu, 30 Apr 2026 08:39:22 +1000
Subject: [PATCH] syscall: use openat2(RESOLVE_BENEATH) on Linux for
secure_relative_open
The CVE fix in commit c35e283 made secure_relative_open() walk every
component of relpath with O_NOFOLLOW. That blocks every symlink in the
path, which is stricter than the threat model required: legitimate
directory symlinks within the destination tree (e.g. when using -K /
--copy-dirlinks) are also rejected, breaking delta transfers with
"failed verification -- update discarded". See issue #715.
On Linux 5.6+, openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS) gives
us exactly what we want: the kernel rejects any resolution that would
escape the starting directory (via "..", absolute paths, or symlinks
pointing outside dirfd) while still following symlinks that resolve
within it. /proc magic-links are blocked too.
Use openat2 first; fall back to the existing per-component O_NOFOLLOW
walk on ENOSYS (kernel < 5.6). The lexical "../" checks at the head
of the function are kept as defense in depth. The Linux gate is
plain #ifdef __linux__: the runtime ENOSYS fallback covers the only
case that actually matters (header present + old kernel), and any
Linux build environment without linux/openat2.h will fail with a
clear "no such file" error rather than silently disabling the
protection.
Verified manually that openat2(RESOLVE_BENEATH) blocks all four
escape patterns (absolute symlink, ../ symlink, lexical .., absolute
path) while allowing direct and within-tree symlinks. The new
testsuite/symlink-dirlink-basis.test (taken from PR #864 by Samuel
Henrique) exercises the issue #715 regression and passes; full
make check passes 47/47.
Test: testsuite/symlink-dirlink-basis.test (8 scenarios)
Fixes: https://github.com/RsyncProject/rsync/issues/715
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
syscall.c | 62 ++++++-
testsuite/symlink-dirlink-basis.test | 247 +++++++++++++++++++++++++++
2 files changed, 304 insertions(+), 5 deletions(-)
create mode 100755 testsuite/symlink-dirlink-basis.test
diff --git a/syscall.c b/syscall.c
index ec0e0708a..66c6d29c7 100644
--- a/syscall.c
+++ b/syscall.c
@@ -33,6 +33,11 @@
#include <sys/syscall.h>
#endif
+#ifdef __linux__
+#include <sys/syscall.h>
+#include <linux/openat2.h>
+#endif
+
#include "ifuncs.h"
extern int dry_run;
@@ -743,10 +743,49 @@ int do_open_checklinks(const char *pathname)
/*
open a file relative to a base directory. The basedir can be NULL,
in which case the current working directory is used. The relpath
- must be a relative path, and the relpath must not contain any
- elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
- applies to all path components, not just the last component)
+ must be a relative path. The kernel must guarantee that resolution
+ cannot escape basedir (or the cwd, when basedir is NULL): no ".."
+ jumps above the start, no symlinks pointing outside, no absolute
+ paths, no /proc magic-link tricks.
+
+ Symlinks *within* basedir are followed normally — earlier rsync
+ versions rejected every symlink with O_NOFOLLOW on each component,
+ which broke legitimate directory symlinks on the receiver side
+ (https://github.com/RsyncProject/rsync/issues/715). The escape
+ prevention is handled by the kernel via openat2(RESOLVE_BENEATH)
+ on Linux 5.6+; older systems fall back to the per-component
+ O_NOFOLLOW walk below.
+
+ The relpath must also not contain any ../ elements in the path.
*/
+
+#ifdef __linux__
+static int secure_relative_open_linux(const char *basedir, const char *relpath, int flags, mode_t mode)
+{
+ struct open_how how;
+ int dirfd, retfd;
+
+ memset(&how, 0, sizeof how);
+ how.flags = flags;
+ how.mode = mode;
+ how.resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS;
+
+ if (basedir == NULL) {
+ dirfd = AT_FDCWD;
+ } else {
+ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY);
+ if (dirfd == -1)
+ return -1;
+ }
+
+ retfd = syscall(SYS_openat2, dirfd, relpath, &how, sizeof how);
+
+ if (dirfd != AT_FDCWD)
+ close(dirfd);
+ return retfd;
+}
+#endif
+
int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
{
if (!relpath || relpath[0] == '/') {
@@ -754,6 +793,21 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
errno = EINVAL;
return -1;
}
+ if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) {
+ // no ../ elements allowed in the relpath
+ errno = EINVAL;
+ return -1;
+ }
+
+#ifdef __linux__
+ {
+ int fd = secure_relative_open_linux(basedir, relpath, flags, mode);
+ /* ENOSYS = kernel < 5.6 doesn't have the syscall even though
+ * glibc/kernel-headers do; fall through to the portable path. */
+ if (fd != -1 || errno != ENOSYS)
+ return fd;
+ }
+#endif
#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
// really old system, all we can do is live with the risks
diff --git a/testsuite/symlink-dirlink-basis.test b/testsuite/symlink-dirlink-basis.test
new file mode 100755
index 000000000..9065dd814
--- /dev/null
+++ b/testsuite/symlink-dirlink-basis.test
@@ -0,0 +1,247 @@
+#!/bin/sh
+
+# Test that updating a file through a directory symlink works when using
+# -K (--copy-dirlinks). This is a regression test for:
+# https://github.com/RsyncProject/rsync/issues/715
+#
+# The CVE fix in commit c35e283 introduced secure_relative_open() which
+# uses O_NOFOLLOW on all path components, breaking legitimate directory
+# symlinks on the receiver side. The fix splits the path into basedir
+# (dirname, symlinks followed) and basename (O_NOFOLLOW) so that
+# directory symlinks are traversed while the final file component is
+# still protected.
+#
+# The regression only manifests when delta matching is triggered (i.e.,
+# the sender finds matching blocks in the old file). Small files with
+# completely different content are transferred in full and don't trigger
+# the bug. We use a large file with a small modification to ensure
+# delta transfer is used.
+#
+# In addition to the original regression, this test covers edge cases
+# in the fix itself:
+# - --backup with directory symlinks (finish_transfer pointer identity)
+# - --partial-dir with protocol < 29 (fnamecmp != partialptr guard)
+# - --inplace with directory symlinks (updating_basis_or_equiv check)
+# - Files without a dirname (top-level files, no split needed)
+
+. "$suitedir/rsync.fns"
+
+RSYNC_RSH="$scratchdir/src/support/lsh.sh"
+export RSYNC_RSH
+
+# $HOME is set to $scratchdir by rsync.fns
+# localhost: destination will cd to $HOME (i.e., $scratchdir)
+
+# Helper: create a large file suitable for delta transfers.
+# ~32KB is large enough for rsync's block matching to find matches.
+make_testfile() {
+ dd if=/dev/urandom of="$1" bs=1024 count=32 2>/dev/null \
+ || test_fail "failed to create test file $1"
+}
+
+# Set up source tree
+srcbase="$tmpdir/src"
+
+######################################################################
+# Test 1: Basic directory symlink update (the original issue #715)
+######################################################################
+
+mkdir -p "$HOME/real-dir"
+ln -s real-dir "$HOME/dir"
+
+mkdir -p "$srcbase/dir"
+make_testfile "$srcbase/dir/file"
+
+# First transfer (initial): should create the file through the symlink
+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 1: initial transfer failed"
+
+if [ ! -f "$HOME/real-dir/file" ]; then
+ test_fail "test 1: initial transfer did not create file through symlink"
+fi
+
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
+ || test_fail "test 1: initial transfer content mismatch"
+
+# Small modification to trigger delta transfer
+echo "appended update" >> "$srcbase/dir/file"
+sleep 1
+touch "$srcbase/dir/file"
+
+# Second transfer (update): was failing with "failed verification"
+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 1: update through directory symlink failed"
+
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
+ || test_fail "test 1: update transfer content mismatch"
+
+######################################################################
+# Test 2: Compression (-z) as in the original reproducer
+######################################################################
+
+echo "another line" >> "$srcbase/dir/file"
+sleep 1
+touch "$srcbase/dir/file"
+
+(cd "$srcbase" && $RSYNC -KRlptzv --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 2: compressed update through directory symlink failed"
+
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
+ || test_fail "test 2: compressed update content mismatch"
+
+######################################################################
+# Test 3: Nested directory symlinks (nested/sub/data.txt where
+# "nested" is a symlink to "nested_real")
+######################################################################
+
+mkdir -p "$HOME/nested_real/sub"
+ln -s nested_real "$HOME/nested"
+
+mkdir -p "$srcbase/nested/sub"
+make_testfile "$srcbase/nested/sub/data.txt"
+
+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" nested/sub/data.txt localhost:) \
+ || test_fail "test 3: initial nested transfer failed"
+
+echo "appended nested" >> "$srcbase/nested/sub/data.txt"
+sleep 1
+touch "$srcbase/nested/sub/data.txt"
+
+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" nested/sub/data.txt localhost:) \
+ || test_fail "test 3: update through nested directory symlink failed"
+
+diff "$srcbase/nested/sub/data.txt" "$HOME/nested_real/sub/data.txt" >/dev/null \
+ || test_fail "test 3: nested update content mismatch"
+
+######################################################################
+# Test 4: --backup with directory symlinks
+#
+# Exercises the finish_transfer() "fnamecmp == fname" pointer
+# comparison that determines whether to update fnamecmp to the
+# backup name. If broken, --backup would reference a renamed file
+# for xattr handling.
+######################################################################
+
+# Reset destination
+rm -f "$HOME/real-dir/file" "$HOME/real-dir/file~"
+
+make_testfile "$srcbase/dir/file"
+
+(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 4: initial transfer for backup test failed"
+
+echo "backup update" >> "$srcbase/dir/file"
+sleep 1
+touch "$srcbase/dir/file"
+
+(cd "$srcbase" && $RSYNC -KRlptv --backup --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 4: update with --backup through directory symlink failed"
+
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
+ || test_fail "test 4: backup update content mismatch"
+
+if [ ! -f "$HOME/real-dir/file~" ]; then
+ test_fail "test 4: backup file was not created"
+fi
+
+######################################################################
+# Test 5: --inplace with directory symlinks
+#
+# Exercises the updating_basis_or_equiv check which uses
+# "fnamecmp == fname". With --inplace, rsync writes directly to
+# the destination file instead of a temp file.
+######################################################################
+
+rm -f "$HOME/real-dir/file" "$HOME/real-dir/file~"
+
+make_testfile "$srcbase/dir/file"
+
+(cd "$srcbase" && $RSYNC -KRlptv --inplace --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 5: initial inplace transfer failed"
+
+echo "inplace update" >> "$srcbase/dir/file"
+sleep 1
+touch "$srcbase/dir/file"
+
+(cd "$srcbase" && $RSYNC -KRlptv --inplace --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 5: inplace update through directory symlink failed"
+
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
+ || test_fail "test 5: inplace update content mismatch"
+
+######################################################################
+# Test 6: Top-level file (no dirname, no split needed)
+#
+# Ensures the dirname/basename split is not attempted for files
+# at the top level (file->dirname is NULL).
+######################################################################
+
+make_testfile "$srcbase/topfile"
+mkdir -p "$HOME"
+
+(cd "$srcbase" && $RSYNC -Rlptv --rsync-path="$RSYNC" topfile localhost:) \
+ || test_fail "test 6: initial top-level transfer failed"
+
+echo "toplevel update" >> "$srcbase/topfile"
+sleep 1
+touch "$srcbase/topfile"
+
+(cd "$srcbase" && $RSYNC -Rlptv --rsync-path="$RSYNC" topfile localhost:) \
+ || test_fail "test 6: top-level update failed"
+
+diff "$srcbase/topfile" "$HOME/topfile" >/dev/null \
+ || test_fail "test 6: top-level update content mismatch"
+
+######################################################################
+# Test 7: --partial-dir with protocol < 29
+#
+# For protocol < 29, fnamecmp_type stays FNAMECMP_FNAME even when
+# fnamecmp is set to partialptr. The dirname/basename split must
+# NOT trigger in this case (guarded by "fnamecmp == fname").
+######################################################################
+
+rm -f "$HOME/real-dir/file"
+make_testfile "$srcbase/dir/file"
+
+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 --partial-dir=.rsync-partial \
+ --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 7: initial proto28 partial-dir transfer failed"
+
+echo "partial-dir update" >> "$srcbase/dir/file"
+sleep 1
+touch "$srcbase/dir/file"
+
+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 --partial-dir=.rsync-partial \
+ --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 7: proto28 partial-dir update through dirlink failed"
+
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
+ || test_fail "test 7: proto28 partial-dir update content mismatch"
+
+######################################################################
+# Test 8: Protocol < 29 basic directory symlink update
+#
+# Exercises the protocol < 29 code path and its fallback logic
+# (clearing basedir on retry).
+######################################################################
+
+rm -f "$HOME/real-dir/file"
+make_testfile "$srcbase/dir/file"
+
+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 \
+ --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 8: initial proto28 transfer failed"
+
+echo "proto28 update" >> "$srcbase/dir/file"
+sleep 1
+touch "$srcbase/dir/file"
+
+(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 \
+ --rsync-path="$RSYNC" dir/file localhost:) \
+ || test_fail "test 8: proto28 update through directory symlink failed"
+
+diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \
+ || test_fail "test 8: proto28 update content mismatch"
+
+# The script would have aborted on error, so getting here means we've won.
+exit 0

0
SOURCES/rsync-3.4.1-cve-2025-10158.patch → SOURCES/rsync-3.2.5-cve-2025-10158.patch
View File

35
SOURCES/rsync-3.2.5-cve-2026-41035.patch Normal file
View File

@ -0,0 +1,35 @@
From 07de42ef075f8f27d45d5e2818f44f120aa08012 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Wed, 22 Apr 2026 09:57:45 +1000
Subject: [PATCH] xattrs: fixed count in qsort
this fixes the count passed to the sort of the xattr list. This issue
was reported here:
https://www.openwall.com/lists/oss-security/2026/04/16/2
the bug is not exploitable due to the fork-per-connection design of
rsync, the attack is the equivalent of the user closing the socket
themselves.
---
xattrs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/xattrs.c b/xattrs.c
index 1f2bfacd..aee69622 100644
--- a/xattrs.c
+++ b/xattrs.c
@@ -864,8 +864,8 @@ void receive_xattr(int f, struct file_struct *file)
rxa->num = num;
}
- if (need_sort && count > 1)
- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names);
+ if (need_sort && temp_xattr.count > 1)
+ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names);
ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */
--
2.53.0

65
SPECS/rsync.spec
View File

@ -10,7 +10,7 @@
Summary: A program for synchronizing files over a network
Name: rsync
Version: 3.2.5
Release: 3%{?dist}.2
Release: 7%{?dist}
URL: https://rsync.samba.org/
Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz
@ -37,21 +37,28 @@ Provides: bundled(zlib) = 1.2.8
License: GPLv3+
#Added due to rhbz#1873975 - default-acls test fail on s390x due to libacl
Patch1: rsync-3.2.2-runtests.patch
Patch1: rsync-3.2.2-runtests.patch
#commonmark would be needed to generate manpage, so we simply copy it
Patch2: rsync-3.2.5-rrsync-man.patch
Patch2: rsync-3.2.5-rrsync-man.patch
#A couple of fixes for the new filtering code
Patch3: rsync-3.2.3-filtering-rules.patch
Patch4: rsync-3.2.5-cve-2024-12085.patch
Patch5: rsync-3.2.5-cve-2024-12087.patch
Patch6: rsync-3.2.5-cve-2024-12088.patch
Patch7: rsync-3.2.5-cve-2024-12747.patch
Patch3: rsync-3.2.3-filtering-rules.patch
Patch4: rsync-3.2.5-cve-2024-12085.patch
Patch5: rsync-3.2.5-cve-2024-12087.patch
Patch6: rsync-3.2.5-cve-2024-12088.patch
Patch7: rsync-3.2.5-cve-2024-12747.patch
# This is here for RHEL9 lifetime to avoid changes in defaults.
# From RHEL10 this will have to be documented as a different
# behaviour for compression.
Patch8: rsync-3.2.5-default-compression.patch
Patch9: rsync-3.2.5-ssh-askpass.patch
Patch10: rsync-3.4.1-cve-2025-10158.patch
Patch8: rsync-3.2.5-default-compression.patch
Patch9: rsync-3.2.5-ssh-askpass.patch
Patch10: rsync-3.2.5-cve-2025-10158.patch
# https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c
Patch11: rsync-3.2.5-cve-2026-41035.patch
# Fix for CVE-2024-12086 has three parts:
# https://github.com/RsyncProject/rsync/commit/b4a27ca and
# https://github.com/RsyncProject/rsync/commit/c35e283
# These need to be followed by https://github.com/RsyncProject/rsync/commit/4fa7156
Patch12: rsync-3.2.5-cve-2024-12086.patch
%description
Rsync uses a reliable algorithm to bring remote and host files into
@ -91,16 +98,18 @@ may be used to setup a restricted rsync users via ssh logins.
%setup -q -b 1
%endif
%patch1 -p1 -b .runtests
%patch2 -p1 -b .rrsync-man
%patch3 -p1 -b .filtering-rules
%patch4 -p1 -b .cve-2024-12085
%patch5 -p1 -b .cve-2024-12087
%patch6 -p1 -b .cve-2024-12088
%patch7 -p1 -b .cve-2024-12747
%patch8 -p1 -b .default-compression
%patch9 -p1 -b .ssh-askpass
%patch10 -p1 -b .cve-2025-10158
%patch 1 -p1 -b .runtests
%patch 2 -p1 -b .rrsync-man
%patch 3 -p1 -b .filtering-rules
%patch 4 -p1 -b .cve-2024-12085
%patch 5 -p1 -b .cve-2024-12087
%patch 6 -p1 -b .cve-2024-12088
%patch 7 -p1 -b .cve-2024-12747
%patch 8 -p1 -b .default-compression
%patch 9 -p1 -b .ssh-askpass
%patch 10 -p1 -b .cve-2025-10158
%patch 11 -p1 -b .cve-2026-41035
%patch 12 -p1 -b .cve-2024-12086
%build
%configure --disable-xxhash --with-rrsync
@ -151,11 +160,17 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service
%systemd_postun_with_restart rsyncd.service
%changelog
* Thu Mar 12 2026 Michal Ruprich <mruprich@redhat.com> - 3.2.5-3.2
- Resolves: RHEL-152888 - CVE-2025-10158 Out of bounds array access via negative index
* Mon May 11 2026 Michal Ruprich <mruprich@redhat.com> - 3.2.5-7
- Resolves: RHEL-173468 - CVE-2024-12086 rsync server leaks arbitrary client files
* Thu Mar 12 2026 Michal Ruprich <mruprich@redhat.com> - 3.2.5-3.1
- Resolves: RHEL-152879 - clearing DISPLAY breaks SSH_ASKPASS expectations
* Mon May 04 2026 Michal Ruprich <mruprich@redhat.com> - 3.2.5-6
- Resolves: RHEL-169151 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling
* Tue Apr 07 2026 Michal Ruprich <mruprich@redhat.com> - 3.2.5-5
- Resolves: RHEL-152536 - CVE-2025-10158 Out of bounds array access via negative index
* Thu Oct 09 2025 Michal Ruprich <mruprich@redhat.com> - 3.2.5-4
- Resolves: RHEL-104404 - Do not clear DISPLAY unconditionally
* Wed Feb 05 2025 Michal Ruprich <mruprich@redhat.com> - 3.2.5-3
- Resolves: RHEL-70265 - Rebase rsync to 3.2.5