A program for synchronizing files over a network
Michal Ruprich cc69bbdd82 Fix CVE-2026-29518: TOCTOU symlink race in rsync daemon no-chroot mode
Backport upstream patches to fix CVE-2026-29518, a TOCTOU race
condition in rsync daemon configured with "use chroot = no". A
local attacker with write access to a module could replace a
parent directory component with a symlink between the receiver's
path validation and file open, allowing reads and writes outside
the module boundary. The fix adds secure_relative_open() which
walks parent components under RESOLVE_BENEATH (Linux 5.6+) or
equivalent, anchored at a trusted directory fd. Includes a build
fix adding missing includes for openat2 and syscall headers.

CVE: CVE-2026-29518
Upstream patches:
 - https://github.com/RsyncProject/rsync/commit/1a5ad81a.patch
 - https://github.com/RsyncProject/rsync/commit/99b36291.patch
 - https://github.com/RsyncProject/rsync/commit/24852cda.patch
 - https://github.com/RsyncProject/rsync/commit/d22b6bc7.patch
 - https://github.com/RsyncProject/rsync/commit/39b3074a.patch
 - https://github.com/RsyncProject/rsync/commit/a277a06b.patch
 - https://github.com/RsyncProject/rsync/commit/7c8a647c.patch

Adding a couple of patches committed after the fix for the CVE.
The CVE fixes introduced a couple of regressions:
 - https://github.com/RsyncProject/rsync/commit/f6b39cca
 - https://github.com/RsyncProject/rsync/commit/5ce33659
 - https://github.com/RsyncProject/rsync/commit/3526884f
 - https://github.com/RsyncProject/rsync/commit/7192db98
Resolves: RHEL-174953
2026-06-23 10:35:50 +02:00
.fmf Resolves: #2081296 - Enable fmf tests in centos stream 2022-05-03 15:04:47 +02:00
.gitignore Resolves: RHEL-70265 - Rebase rsync to 3.2.5 2024-12-09 19:04:42 +01:00
ci.fmf Related: #2081296 - Adding ci.fmf for separation of testing results 2022-05-18 16:24:01 +02:00
gating.yaml Update plans 2025-10-09 10:18:08 +00:00
Makefile RHEL 9.0.0 Alpha bootstrap 2020-10-14 21:54:13 -07:00
plans.fmf Update plans 2025-10-09 10:18:08 +00:00
rpminspect.yaml Resolves: #2053198 - rsync segmentation fault 2022-04-26 08:31:05 +02:00
rsync-3.0.6-iconv-logging.patch RHEL 9.0.0 Alpha bootstrap 2020-10-14 21:54:13 -07:00
rsync-3.2.2-runtests.patch RHEL 9.0.0 Alpha bootstrap 2020-10-14 21:54:13 -07:00
rsync-3.2.3-filtering-rules.patch Resolves: RHEL-70265 - Rebase rsync to 3.2.5 2024-12-09 19:04:42 +01:00
rsync-3.2.5-cve-2024-12085.patch Resolves: RHEL-70158 - Info Leak via Uninitialized Stack Contents 2025-01-30 10:01:16 +01:00
rsync-3.2.5-cve-2024-12086.patch Fix CVE-2026-29518: TOCTOU symlink race in rsync daemon no-chroot mode 2026-06-23 10:35:50 +02:00
rsync-3.2.5-cve-2024-12087.patch Resolves: RHEL-70158 - Info Leak via Uninitialized Stack Contents 2025-01-30 10:01:16 +01:00
rsync-3.2.5-cve-2024-12088.patch Resolves: RHEL-70158 - Info Leak via Uninitialized Stack Contents 2025-01-30 10:01:16 +01:00
rsync-3.2.5-cve-2024-12747.patch Resolves: RHEL-70158 - Info Leak via Uninitialized Stack Contents 2025-01-30 10:01:16 +01:00
rsync-3.2.5-cve-2025-10158.patch Resolves: RHEL-152536 - CVE-2025-10158 Out of bounds array access via negative index 2026-04-13 15:15:44 +02:00
rsync-3.2.5-cve-2026-41035.patch Resolves: RHEL-169151 - CVE-2026-41035 - Use-after-free vulnerability in extended attribute handling 2026-05-07 12:23:07 +02:00
rsync-3.2.5-default-compression.patch Resolves: RHEL-70265 - Rebase rsync to 3.2.5 2025-02-05 10:33:59 +01:00
rsync-3.2.5-fix-cve-2026-29518-regressions.patch Fix CVE-2026-29518: TOCTOU symlink race in rsync daemon no-chroot mode 2026-06-23 10:35:50 +02:00
rsync-3.2.5-fix-cve-2026-29518.patch Fix CVE-2026-29518: TOCTOU symlink race in rsync daemon no-chroot mode 2026-06-23 10:35:50 +02:00
rsync-3.2.5-rrsync-man.patch Resolves: RHEL-70265 - Rebase rsync to 3.2.5 2024-12-09 19:04:42 +01:00
rsync-3.2.5-ssh-askpass.patch Resolves: RHEL-104404 - Do not clear DISPLAY unconditionally 2025-10-09 13:26:24 +02:00
rsync-man.patch RHEL 9.0.0 Alpha bootstrap 2020-10-14 21:54:13 -07:00
rsync-noatime.patch RHEL 9.0.0 Alpha bootstrap 2020-10-14 21:54:13 -07:00
rsync.spec Fix CVE-2026-29518: TOCTOU symlink race in rsync daemon no-chroot mode 2026-06-23 10:35:50 +02:00
rsyncd.conf RHEL 9.0.0 Alpha bootstrap 2020-10-14 21:54:13 -07:00
rsyncd.service RHEL 9.0.0 Alpha bootstrap 2020-10-14 21:54:13 -07:00
rsyncd.socket RHEL 9.0.0 Alpha bootstrap 2020-10-14 21:54:13 -07:00
rsyncd.sysconfig RHEL 9.0.0 Alpha bootstrap 2020-10-14 21:54:13 -07:00
rsyncd@.service RHEL 9.0.0 Alpha bootstrap 2020-10-14 21:54:13 -07:00
sources Resolves: RHEL-70265 - Rebase rsync to 3.2.5 2024-12-09 19:04:42 +01:00