From fdc9f82f8eda764be21f63ac37f60b6d2d565d7c Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Tue, 19 May 2026 20:51:23 -0400 Subject: [PATCH] import UBI rsync-3.2.5-7.el9_8 --- SOURCES/rsync-3.2.5-cve-2024-12086.patch | 593 ++++++++++++++++++ ...patch => rsync-3.2.5-cve-2025-10158.patch} | 0 SOURCES/rsync-3.2.5-cve-2026-41035.patch | 35 ++ SPECS/rsync.spec | 65 +- 4 files changed, 668 insertions(+), 25 deletions(-) create mode 100644 SOURCES/rsync-3.2.5-cve-2024-12086.patch rename SOURCES/{rsync-3.4.1-cve-2025-10158.patch => rsync-3.2.5-cve-2025-10158.patch} (100%) create mode 100644 SOURCES/rsync-3.2.5-cve-2026-41035.patch diff --git a/SOURCES/rsync-3.2.5-cve-2024-12086.patch b/SOURCES/rsync-3.2.5-cve-2024-12086.patch new file mode 100644 index 0000000..a50bb25 --- /dev/null +++ b/SOURCES/rsync-3.2.5-cve-2024-12086.patch @@ -0,0 +1,593 @@ +From b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Sat, 23 Nov 2024 12:26:10 +1100 +Subject: [PATCH] added secure_relative_open() + +this is an open that enforces no symlink following for all path +components in a relative path +--- + syscall.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 74 insertions(+) + +diff --git a/syscall.c b/syscall.c +index b4b0f1f16..cffc814b7 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -33,6 +33,8 @@ + #include + #endif + ++#include "ifuncs.h" ++ + extern int dry_run; + extern int am_root; + extern int am_sender; +diff --git a/syscall.c b/syscall.c +index 1dafab7..c8391f4 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -734,3 +734,75 @@ int do_open_checklinks(const char *pathname) + } + return do_open_nofollow(pathname, O_RDONLY); + } ++ ++/* ++ open a file relative to a base directory. The basedir can be NULL, ++ in which case the current working directory is used. The relpath ++ must be a relative path, and the relpath must not contain any ++ elements in the path which follow symlinks (ie. like O_NOFOLLOW, but ++ applies to all path components, not just the last component) ++*/ ++int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) ++{ ++ if (!relpath || relpath[0] == '/') { ++ // must be a relative path ++ errno = EINVAL; ++ return -1; ++ } ++ ++#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) ++ // really old system, all we can do is live with the risks ++ if (!basedir) { ++ return open(relpath, flags, mode); ++ } ++ char fullpath[MAXPATHLEN]; ++ pathjoin(fullpath, sizeof fullpath, basedir, relpath); ++ return open(fullpath, flags, mode); ++#else ++ int dirfd = AT_FDCWD; ++ if (basedir != NULL) { ++ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY); ++ if (dirfd == -1) { ++ return -1; ++ } ++ } ++ int retfd = -1; ++ ++ char *path_copy = my_strdup(relpath, __FILE__, __LINE__); ++ if (!path_copy) { ++ return -1; ++ } ++ ++ for (const char *part = strtok(path_copy, "/"); ++ part != NULL; ++ part = strtok(NULL, "/")) ++ { ++ int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW); ++ if (next_fd == -1 && errno == ENOTDIR) { ++ if (strtok(NULL, "/") != NULL) { ++ // this is not the last component of the path ++ errno = ELOOP; ++ goto cleanup; ++ } ++ // this could be the last component of the path, try as a file ++ retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode); ++ goto cleanup; ++ } ++ if (next_fd == -1) { ++ goto cleanup; ++ } ++ if (dirfd != AT_FDCWD) close(dirfd); ++ dirfd = next_fd; ++ } ++ ++ // the path must be a directory ++ errno = EINVAL; ++ ++cleanup: ++ free(path_copy); ++ if (dirfd != AT_FDCWD) { ++ close(dirfd); ++ } ++ return retfd; ++#endif // O_NOFOLLOW, O_DIRECTORY ++} +From c35e28331f10ba6eba370611abd78bde32d54da7 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Sat, 23 Nov 2024 12:28:13 +1100 +Subject: [PATCH] receiver: use secure_relative_open() for basis file + +this prevents attacks where the basis file is manipulated by a +malicious sender to gain information about files outside the +destination tree +--- + receiver.c | 42 ++++++++++++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 16 deletions(-) + +diff --git a/receiver.c b/receiver.c +index 2d7f60330..8031b8f4b 100644 +--- a/receiver.c ++++ b/receiver.c +@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name) + progress_init(); + + while (1) { ++ const char *basedir = NULL; ++ + cleanup_disable(); + + /* This call also sets cur_flist. */ +@@ -719,27 +719,29 @@ int recv_files(int f_in, int f_out, char *local_name) + break; + case FNAMECMP_FUZZY: + if (file->dirname) { +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname); +- fnamecmp = fnamecmpbuf; +- } else +- fnamecmp = xname; ++ basedir = file->dirname; ++ } ++ fnamecmp = xname; + break; + default: + if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) { + fnamecmp_type -= FNAMECMP_FUZZY + 1; + if (file->dirname) { +- stringjoin(fnamecmpbuf, sizeof fnamecmpbuf, +- basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL); +- } else +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname); ++ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname); ++ basedir = fnamecmpbuf; ++ } else { ++ basedir = basis_dir[fnamecmp_type]; ++ } ++ fnamecmp = xname; + } else if (fnamecmp_type >= basis_dir_cnt) { + rprintf(FERROR, + "invalid basis_dir index: %d.\n", + fnamecmp_type); + exit_cleanup(RERR_PROTOCOL); +- } else +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname); +- fnamecmp = fnamecmpbuf; ++ } else { ++ basedir = basis_dir[fnamecmp_type]; ++ fnamecmp = fname; ++ } + break; + } + if (!fnamecmp || (daemon_filter_list.head +@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name) + } + + /* open the file */ +- fd1 = do_open(fnamecmp, O_RDONLY, 0); ++ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0); + + if (fd1 == -1 && protocol_version < 29) { + if (fnamecmp != fname) { +@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name) + + if (fd1 == -1 && basis_dir[0]) { + /* pre-29 allowed only one alternate basis */ +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, +- basis_dir[0], fname); +- fnamecmp = fnamecmpbuf; ++ basedir = basis_dir[0]; ++ fnamecmp = fname; + fnamecmp_type = FNAMECMP_BASIS_DIR_LOW; +- fd1 = do_open(fnamecmp, O_RDONLY, 0); ++ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0); + } + } + ++ if (basedir) { ++ // for the following code we need the full ++ // path name as a single string ++ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp); ++ fnamecmp = fnamecmpbuf; ++ } ++ + one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR; + updating_basis_or_equiv = one_inplace + || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP)); +From 4fa7156ccdb2ad34b034d18fe2fd6cd79adef8a1 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Thu, 30 Apr 2026 08:39:22 +1000 +Subject: [PATCH] syscall: use openat2(RESOLVE_BENEATH) on Linux for + secure_relative_open + +The CVE fix in commit c35e283 made secure_relative_open() walk every +component of relpath with O_NOFOLLOW. That blocks every symlink in the +path, which is stricter than the threat model required: legitimate +directory symlinks within the destination tree (e.g. when using -K / +--copy-dirlinks) are also rejected, breaking delta transfers with +"failed verification -- update discarded". See issue #715. + +On Linux 5.6+, openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS) gives +us exactly what we want: the kernel rejects any resolution that would +escape the starting directory (via "..", absolute paths, or symlinks +pointing outside dirfd) while still following symlinks that resolve +within it. /proc magic-links are blocked too. + +Use openat2 first; fall back to the existing per-component O_NOFOLLOW +walk on ENOSYS (kernel < 5.6). The lexical "../" checks at the head +of the function are kept as defense in depth. The Linux gate is +plain #ifdef __linux__: the runtime ENOSYS fallback covers the only +case that actually matters (header present + old kernel), and any +Linux build environment without linux/openat2.h will fail with a +clear "no such file" error rather than silently disabling the +protection. + +Verified manually that openat2(RESOLVE_BENEATH) blocks all four +escape patterns (absolute symlink, ../ symlink, lexical .., absolute +path) while allowing direct and within-tree symlinks. The new +testsuite/symlink-dirlink-basis.test (taken from PR #864 by Samuel +Henrique) exercises the issue #715 regression and passes; full +make check passes 47/47. + +Test: testsuite/symlink-dirlink-basis.test (8 scenarios) +Fixes: https://github.com/RsyncProject/rsync/issues/715 + +Co-Authored-By: Claude Opus 4.7 (1M context) +--- + syscall.c | 62 ++++++- + testsuite/symlink-dirlink-basis.test | 247 +++++++++++++++++++++++++++ + 2 files changed, 304 insertions(+), 5 deletions(-) + create mode 100755 testsuite/symlink-dirlink-basis.test + +diff --git a/syscall.c b/syscall.c +index ec0e0708a..66c6d29c7 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -33,6 +33,11 @@ + #include + #endif + ++#ifdef __linux__ ++#include ++#include ++#endif ++ + #include "ifuncs.h" + + extern int dry_run; +@@ -743,10 +743,49 @@ int do_open_checklinks(const char *pathname) + /* + open a file relative to a base directory. The basedir can be NULL, + in which case the current working directory is used. The relpath +- must be a relative path, and the relpath must not contain any +- elements in the path which follow symlinks (ie. like O_NOFOLLOW, but +- applies to all path components, not just the last component) ++ must be a relative path. The kernel must guarantee that resolution ++ cannot escape basedir (or the cwd, when basedir is NULL): no ".." ++ jumps above the start, no symlinks pointing outside, no absolute ++ paths, no /proc magic-link tricks. ++ ++ Symlinks *within* basedir are followed normally — earlier rsync ++ versions rejected every symlink with O_NOFOLLOW on each component, ++ which broke legitimate directory symlinks on the receiver side ++ (https://github.com/RsyncProject/rsync/issues/715). The escape ++ prevention is handled by the kernel via openat2(RESOLVE_BENEATH) ++ on Linux 5.6+; older systems fall back to the per-component ++ O_NOFOLLOW walk below. ++ ++ The relpath must also not contain any ../ elements in the path. + */ ++ ++#ifdef __linux__ ++static int secure_relative_open_linux(const char *basedir, const char *relpath, int flags, mode_t mode) ++{ ++ struct open_how how; ++ int dirfd, retfd; ++ ++ memset(&how, 0, sizeof how); ++ how.flags = flags; ++ how.mode = mode; ++ how.resolve = RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS; ++ ++ if (basedir == NULL) { ++ dirfd = AT_FDCWD; ++ } else { ++ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY); ++ if (dirfd == -1) ++ return -1; ++ } ++ ++ retfd = syscall(SYS_openat2, dirfd, relpath, &how, sizeof how); ++ ++ if (dirfd != AT_FDCWD) ++ close(dirfd); ++ return retfd; ++} ++#endif ++ + int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) + { + if (!relpath || relpath[0] == '/') { +@@ -754,6 +793,21 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo + errno = EINVAL; + return -1; + } ++ if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) { ++ // no ../ elements allowed in the relpath ++ errno = EINVAL; ++ return -1; ++ } ++ ++#ifdef __linux__ ++ { ++ int fd = secure_relative_open_linux(basedir, relpath, flags, mode); ++ /* ENOSYS = kernel < 5.6 doesn't have the syscall even though ++ * glibc/kernel-headers do; fall through to the portable path. */ ++ if (fd != -1 || errno != ENOSYS) ++ return fd; ++ } ++#endif + + #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) + // really old system, all we can do is live with the risks +diff --git a/testsuite/symlink-dirlink-basis.test b/testsuite/symlink-dirlink-basis.test +new file mode 100755 +index 000000000..9065dd814 +--- /dev/null ++++ b/testsuite/symlink-dirlink-basis.test +@@ -0,0 +1,247 @@ ++#!/bin/sh ++ ++# Test that updating a file through a directory symlink works when using ++# -K (--copy-dirlinks). This is a regression test for: ++# https://github.com/RsyncProject/rsync/issues/715 ++# ++# The CVE fix in commit c35e283 introduced secure_relative_open() which ++# uses O_NOFOLLOW on all path components, breaking legitimate directory ++# symlinks on the receiver side. The fix splits the path into basedir ++# (dirname, symlinks followed) and basename (O_NOFOLLOW) so that ++# directory symlinks are traversed while the final file component is ++# still protected. ++# ++# The regression only manifests when delta matching is triggered (i.e., ++# the sender finds matching blocks in the old file). Small files with ++# completely different content are transferred in full and don't trigger ++# the bug. We use a large file with a small modification to ensure ++# delta transfer is used. ++# ++# In addition to the original regression, this test covers edge cases ++# in the fix itself: ++# - --backup with directory symlinks (finish_transfer pointer identity) ++# - --partial-dir with protocol < 29 (fnamecmp != partialptr guard) ++# - --inplace with directory symlinks (updating_basis_or_equiv check) ++# - Files without a dirname (top-level files, no split needed) ++ ++. "$suitedir/rsync.fns" ++ ++RSYNC_RSH="$scratchdir/src/support/lsh.sh" ++export RSYNC_RSH ++ ++# $HOME is set to $scratchdir by rsync.fns ++# localhost: destination will cd to $HOME (i.e., $scratchdir) ++ ++# Helper: create a large file suitable for delta transfers. ++# ~32KB is large enough for rsync's block matching to find matches. ++make_testfile() { ++ dd if=/dev/urandom of="$1" bs=1024 count=32 2>/dev/null \ ++ || test_fail "failed to create test file $1" ++} ++ ++# Set up source tree ++srcbase="$tmpdir/src" ++ ++###################################################################### ++# Test 1: Basic directory symlink update (the original issue #715) ++###################################################################### ++ ++mkdir -p "$HOME/real-dir" ++ln -s real-dir "$HOME/dir" ++ ++mkdir -p "$srcbase/dir" ++make_testfile "$srcbase/dir/file" ++ ++# First transfer (initial): should create the file through the symlink ++(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 1: initial transfer failed" ++ ++if [ ! -f "$HOME/real-dir/file" ]; then ++ test_fail "test 1: initial transfer did not create file through symlink" ++fi ++ ++diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ ++ || test_fail "test 1: initial transfer content mismatch" ++ ++# Small modification to trigger delta transfer ++echo "appended update" >> "$srcbase/dir/file" ++sleep 1 ++touch "$srcbase/dir/file" ++ ++# Second transfer (update): was failing with "failed verification" ++(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 1: update through directory symlink failed" ++ ++diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ ++ || test_fail "test 1: update transfer content mismatch" ++ ++###################################################################### ++# Test 2: Compression (-z) as in the original reproducer ++###################################################################### ++ ++echo "another line" >> "$srcbase/dir/file" ++sleep 1 ++touch "$srcbase/dir/file" ++ ++(cd "$srcbase" && $RSYNC -KRlptzv --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 2: compressed update through directory symlink failed" ++ ++diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ ++ || test_fail "test 2: compressed update content mismatch" ++ ++###################################################################### ++# Test 3: Nested directory symlinks (nested/sub/data.txt where ++# "nested" is a symlink to "nested_real") ++###################################################################### ++ ++mkdir -p "$HOME/nested_real/sub" ++ln -s nested_real "$HOME/nested" ++ ++mkdir -p "$srcbase/nested/sub" ++make_testfile "$srcbase/nested/sub/data.txt" ++ ++(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" nested/sub/data.txt localhost:) \ ++ || test_fail "test 3: initial nested transfer failed" ++ ++echo "appended nested" >> "$srcbase/nested/sub/data.txt" ++sleep 1 ++touch "$srcbase/nested/sub/data.txt" ++ ++(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" nested/sub/data.txt localhost:) \ ++ || test_fail "test 3: update through nested directory symlink failed" ++ ++diff "$srcbase/nested/sub/data.txt" "$HOME/nested_real/sub/data.txt" >/dev/null \ ++ || test_fail "test 3: nested update content mismatch" ++ ++###################################################################### ++# Test 4: --backup with directory symlinks ++# ++# Exercises the finish_transfer() "fnamecmp == fname" pointer ++# comparison that determines whether to update fnamecmp to the ++# backup name. If broken, --backup would reference a renamed file ++# for xattr handling. ++###################################################################### ++ ++# Reset destination ++rm -f "$HOME/real-dir/file" "$HOME/real-dir/file~" ++ ++make_testfile "$srcbase/dir/file" ++ ++(cd "$srcbase" && $RSYNC -KRlptv --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 4: initial transfer for backup test failed" ++ ++echo "backup update" >> "$srcbase/dir/file" ++sleep 1 ++touch "$srcbase/dir/file" ++ ++(cd "$srcbase" && $RSYNC -KRlptv --backup --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 4: update with --backup through directory symlink failed" ++ ++diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ ++ || test_fail "test 4: backup update content mismatch" ++ ++if [ ! -f "$HOME/real-dir/file~" ]; then ++ test_fail "test 4: backup file was not created" ++fi ++ ++###################################################################### ++# Test 5: --inplace with directory symlinks ++# ++# Exercises the updating_basis_or_equiv check which uses ++# "fnamecmp == fname". With --inplace, rsync writes directly to ++# the destination file instead of a temp file. ++###################################################################### ++ ++rm -f "$HOME/real-dir/file" "$HOME/real-dir/file~" ++ ++make_testfile "$srcbase/dir/file" ++ ++(cd "$srcbase" && $RSYNC -KRlptv --inplace --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 5: initial inplace transfer failed" ++ ++echo "inplace update" >> "$srcbase/dir/file" ++sleep 1 ++touch "$srcbase/dir/file" ++ ++(cd "$srcbase" && $RSYNC -KRlptv --inplace --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 5: inplace update through directory symlink failed" ++ ++diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ ++ || test_fail "test 5: inplace update content mismatch" ++ ++###################################################################### ++# Test 6: Top-level file (no dirname, no split needed) ++# ++# Ensures the dirname/basename split is not attempted for files ++# at the top level (file->dirname is NULL). ++###################################################################### ++ ++make_testfile "$srcbase/topfile" ++mkdir -p "$HOME" ++ ++(cd "$srcbase" && $RSYNC -Rlptv --rsync-path="$RSYNC" topfile localhost:) \ ++ || test_fail "test 6: initial top-level transfer failed" ++ ++echo "toplevel update" >> "$srcbase/topfile" ++sleep 1 ++touch "$srcbase/topfile" ++ ++(cd "$srcbase" && $RSYNC -Rlptv --rsync-path="$RSYNC" topfile localhost:) \ ++ || test_fail "test 6: top-level update failed" ++ ++diff "$srcbase/topfile" "$HOME/topfile" >/dev/null \ ++ || test_fail "test 6: top-level update content mismatch" ++ ++###################################################################### ++# Test 7: --partial-dir with protocol < 29 ++# ++# For protocol < 29, fnamecmp_type stays FNAMECMP_FNAME even when ++# fnamecmp is set to partialptr. The dirname/basename split must ++# NOT trigger in this case (guarded by "fnamecmp == fname"). ++###################################################################### ++ ++rm -f "$HOME/real-dir/file" ++make_testfile "$srcbase/dir/file" ++ ++(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 --partial-dir=.rsync-partial \ ++ --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 7: initial proto28 partial-dir transfer failed" ++ ++echo "partial-dir update" >> "$srcbase/dir/file" ++sleep 1 ++touch "$srcbase/dir/file" ++ ++(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 --partial-dir=.rsync-partial \ ++ --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 7: proto28 partial-dir update through dirlink failed" ++ ++diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ ++ || test_fail "test 7: proto28 partial-dir update content mismatch" ++ ++###################################################################### ++# Test 8: Protocol < 29 basic directory symlink update ++# ++# Exercises the protocol < 29 code path and its fallback logic ++# (clearing basedir on retry). ++###################################################################### ++ ++rm -f "$HOME/real-dir/file" ++make_testfile "$srcbase/dir/file" ++ ++(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 \ ++ --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 8: initial proto28 transfer failed" ++ ++echo "proto28 update" >> "$srcbase/dir/file" ++sleep 1 ++touch "$srcbase/dir/file" ++ ++(cd "$srcbase" && $RSYNC -KRlptv --protocol=28 \ ++ --rsync-path="$RSYNC" dir/file localhost:) \ ++ || test_fail "test 8: proto28 update through directory symlink failed" ++ ++diff "$srcbase/dir/file" "$HOME/real-dir/file" >/dev/null \ ++ || test_fail "test 8: proto28 update content mismatch" ++ ++# The script would have aborted on error, so getting here means we've won. ++exit 0 diff --git a/SOURCES/rsync-3.4.1-cve-2025-10158.patch b/SOURCES/rsync-3.2.5-cve-2025-10158.patch similarity index 100% rename from SOURCES/rsync-3.4.1-cve-2025-10158.patch rename to SOURCES/rsync-3.2.5-cve-2025-10158.patch diff --git a/SOURCES/rsync-3.2.5-cve-2026-41035.patch b/SOURCES/rsync-3.2.5-cve-2026-41035.patch new file mode 100644 index 0000000..c855a6a --- /dev/null +++ b/SOURCES/rsync-3.2.5-cve-2026-41035.patch @@ -0,0 +1,35 @@ +From 07de42ef075f8f27d45d5e2818f44f120aa08012 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Wed, 22 Apr 2026 09:57:45 +1000 +Subject: [PATCH] xattrs: fixed count in qsort + +this fixes the count passed to the sort of the xattr list. This issue +was reported here: + +https://www.openwall.com/lists/oss-security/2026/04/16/2 + +the bug is not exploitable due to the fork-per-connection design of +rsync, the attack is the equivalent of the user closing the socket +themselves. +--- + xattrs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xattrs.c b/xattrs.c +index 1f2bfacd..aee69622 100644 +--- a/xattrs.c ++++ b/xattrs.c +@@ -864,8 +864,8 @@ void receive_xattr(int f, struct file_struct *file) + rxa->num = num; + } + +- if (need_sort && count > 1) +- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names); ++ if (need_sort && temp_xattr.count > 1) ++ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names); + + ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */ + +-- +2.53.0 + diff --git a/SPECS/rsync.spec b/SPECS/rsync.spec index feb7153..e14bb68 100644 --- a/SPECS/rsync.spec +++ b/SPECS/rsync.spec @@ -10,7 +10,7 @@ Summary: A program for synchronizing files over a network Name: rsync Version: 3.2.5 -Release: 3%{?dist}.2 +Release: 7%{?dist} URL: https://rsync.samba.org/ Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz @@ -37,21 +37,28 @@ Provides: bundled(zlib) = 1.2.8 License: GPLv3+ #Added due to rhbz#1873975 - default-acls test fail on s390x due to libacl -Patch1: rsync-3.2.2-runtests.patch +Patch1: rsync-3.2.2-runtests.patch #commonmark would be needed to generate manpage, so we simply copy it -Patch2: rsync-3.2.5-rrsync-man.patch +Patch2: rsync-3.2.5-rrsync-man.patch #A couple of fixes for the new filtering code -Patch3: rsync-3.2.3-filtering-rules.patch -Patch4: rsync-3.2.5-cve-2024-12085.patch -Patch5: rsync-3.2.5-cve-2024-12087.patch -Patch6: rsync-3.2.5-cve-2024-12088.patch -Patch7: rsync-3.2.5-cve-2024-12747.patch +Patch3: rsync-3.2.3-filtering-rules.patch +Patch4: rsync-3.2.5-cve-2024-12085.patch +Patch5: rsync-3.2.5-cve-2024-12087.patch +Patch6: rsync-3.2.5-cve-2024-12088.patch +Patch7: rsync-3.2.5-cve-2024-12747.patch # This is here for RHEL9 lifetime to avoid changes in defaults. # From RHEL10 this will have to be documented as a different # behaviour for compression. -Patch8: rsync-3.2.5-default-compression.patch -Patch9: rsync-3.2.5-ssh-askpass.patch -Patch10: rsync-3.4.1-cve-2025-10158.patch +Patch8: rsync-3.2.5-default-compression.patch +Patch9: rsync-3.2.5-ssh-askpass.patch +Patch10: rsync-3.2.5-cve-2025-10158.patch +# https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c +Patch11: rsync-3.2.5-cve-2026-41035.patch +# Fix for CVE-2024-12086 has three parts: +# https://github.com/RsyncProject/rsync/commit/b4a27ca and +# https://github.com/RsyncProject/rsync/commit/c35e283 +# These need to be followed by https://github.com/RsyncProject/rsync/commit/4fa7156 +Patch12: rsync-3.2.5-cve-2024-12086.patch %description Rsync uses a reliable algorithm to bring remote and host files into @@ -91,16 +98,18 @@ may be used to setup a restricted rsync users via ssh logins. %setup -q -b 1 %endif -%patch1 -p1 -b .runtests -%patch2 -p1 -b .rrsync-man -%patch3 -p1 -b .filtering-rules -%patch4 -p1 -b .cve-2024-12085 -%patch5 -p1 -b .cve-2024-12087 -%patch6 -p1 -b .cve-2024-12088 -%patch7 -p1 -b .cve-2024-12747 -%patch8 -p1 -b .default-compression -%patch9 -p1 -b .ssh-askpass -%patch10 -p1 -b .cve-2025-10158 +%patch 1 -p1 -b .runtests +%patch 2 -p1 -b .rrsync-man +%patch 3 -p1 -b .filtering-rules +%patch 4 -p1 -b .cve-2024-12085 +%patch 5 -p1 -b .cve-2024-12087 +%patch 6 -p1 -b .cve-2024-12088 +%patch 7 -p1 -b .cve-2024-12747 +%patch 8 -p1 -b .default-compression +%patch 9 -p1 -b .ssh-askpass +%patch 10 -p1 -b .cve-2025-10158 +%patch 11 -p1 -b .cve-2026-41035 +%patch 12 -p1 -b .cve-2024-12086 %build %configure --disable-xxhash --with-rrsync @@ -151,11 +160,17 @@ install -D -m644 %{SOURCE6} $RPM_BUILD_ROOT/%{_unitdir}/rsyncd@.service %systemd_postun_with_restart rsyncd.service %changelog -* Thu Mar 12 2026 Michal Ruprich - 3.2.5-3.2 -- Resolves: RHEL-152888 - CVE-2025-10158 Out of bounds array access via negative index +* Mon May 11 2026 Michal Ruprich - 3.2.5-7 +- Resolves: RHEL-173468 - CVE-2024-12086 rsync server leaks arbitrary client files -* Thu Mar 12 2026 Michal Ruprich - 3.2.5-3.1 -- Resolves: RHEL-152879 - clearing DISPLAY breaks SSH_ASKPASS expectations +* Mon May 04 2026 Michal Ruprich - 3.2.5-6 +- Resolves: RHEL-169151 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling + +* Tue Apr 07 2026 Michal Ruprich - 3.2.5-5 +- Resolves: RHEL-152536 - CVE-2025-10158 Out of bounds array access via negative index + +* Thu Oct 09 2025 Michal Ruprich - 3.2.5-4 +- Resolves: RHEL-104404 - Do not clear DISPLAY unconditionally * Wed Feb 05 2025 Michal Ruprich - 3.2.5-3 - Resolves: RHEL-70265 - Rebase rsync to 3.2.5