Add patch for CVE-2026-29518, a TOCTOU race condition where a
local attacker with write access to a non-chrooted rsync daemon
module can replace a parent directory component with a symlink
between path validation and file open, enabling reads/writes
outside the module boundary.
The patch adds secure_relative_open() which walks parent path
components under RESOLVE_BENEATH (or per-component O_NOFOLLOW
on older kernels), anchored at a trusted dirfd. It is enabled
automatically for daemon modules configured with
"use chroot = no".
The patch was adapted for rsync 3.1.3 by removing references
to APIs introduced in rsync 3.2+ (open_noatime, my_strdup),
adding stub definitions for standalone test utilities, and
adjusting test helpers for the 3.1.3 shell-based test
framework.
CVE: CVE-2026-29518
Upstream patches:
- 1a5ad81add.patch
- 99b36291d0.patch
- 72d1cf1c28.patch
- 61d987c54a.patch
- 24852cda3d.patch
- d22b6bc7d1.patch
- 39b3074a1a.patch
- a277a06b10.patch
Resolves: RHEL-174950
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir
The upstream fix corrects the count parameter passed to qsort when sorting
the xattr list in receive_xattr(). The variable 'count' could diverge from
temp_xattr.count, leading to incorrect sort bounds.
[CVE: cve-2026-41035]
Upstream patches:
- bb0a8118c2
Resolves: RHEL-169141
This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent.
Assisted-by: Ymir
