packages/rsync
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update version to 3.2.5

Browse Source
This commit is contained in:
ZhouPengcheng 2022-11-07 18:50:34 +08:00
parent e4eff5d75a
commit 79d4257526
9 changed files with 19 additions and 288 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
backport-A-fix-for-the-zlib-fix.patch
View File

@ -1,26 +0,0 @@
From 9e2921fce8c518e370c324407d35bc83ba12f2d5 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Mon, 8 Aug 2022 20:05:10 -0700
Subject: [PATCH] A fix for the zlib fix.
---
zlib/inflate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/zlib/inflate.c b/zlib/inflate.c
index d15132ea..e9840b67 100644
--- a/zlib/inflate.c
+++ b/zlib/inflate.c
@@ -739,10 +739,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
- len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
state->head->extra != Z_NULL &&
- len < state->head->extra_max) {
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);

23
backport-CVE-2020-14387-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
View File

@ -1,23 +0,0 @@
From c3f7414c450faaf6a8281cc4a4403529aeb7d859 Mon Sep 17 00:00:00 2001
From: Matt McCutchen <matt@mattmccutchen.net>
Date: Wed, 26 Aug 2020 12:16:08 -0400
Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
openssl.
---
rsync-ssl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rsync-ssl b/rsync-ssl
index 8101975a..46701af1 100755
--- a/rsync-ssl
+++ b/rsync-ssl
@@ -129,7 +129,7 @@ function rsync_ssl_helper {
fi
if [[ $RSYNC_SSL_TYPE == openssl ]]; then
- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
else

116
backport-CVE-2022-29154.patch
View File

@ -1,116 +0,0 @@
From b7231c7d02cfb65d291af74ff66e7d8c507ee871 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Sun, 31 Jul 2022 16:55:34 -0700
Subject: [PATCH] Some extra file-list safety checks.
Conflict:don't apply add_implied_include(),adapt context in flist.c,delete rsync.1.md
Reference:https://github.com/WayneD/rsync/commit/b7231c7d02cfb65d291af74ff66e7d8c507ee871
---
exclude.c | 4 +++-
flist.c | 10 ++++++++++
main.c | 2 ++
receiver.c | 11 +++++++----
4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/exclude.c b/exclude.c
index e095744..ab91999 100644
--- a/exclude.c
+++ b/exclude.c
@@ -46,6 +46,7 @@ filter_rule_list cvs_filter_list = { .debug_type = " [global CVS]" };
filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
int saw_xattr_filter = 0;
+int trust_sender_filter = 0;
/* Need room enough for ":MODS " prefix plus some room to grow. */
#define MAX_RULE_PREFIX (16)
@@ -714,7 +715,7 @@ static void report_filter_result(enum logcode code, char const *name,
: name_flags & NAME_IS_DIR ? "directory"
: "file";
rprintf(code, "[%s] %sing %s %s because of pattern %s%s%s\n",
- w, actions[*w!='s'][!(ent->rflags & FILTRULE_INCLUDE)],
+ w, actions[*w=='g'][!(ent->rflags & FILTRULE_INCLUDE)],
t, name, ent->pattern,
ent->rflags & FILTRULE_DIRECTORY ? "/" : "", type);
}
@@ -886,6 +887,7 @@ static filter_rule *parse_rule_tok(const char **rulestr_ptr,
}
switch (ch) {
case ':':
+ trust_sender_filter = 1;
rule->rflags |= FILTRULE_PERDIR_MERGE
| FILTRULE_FINISH_SETUP;
/* FALL THROUGH */
diff --git a/flist.c b/flist.c
index 5a1e424..5d5c7a2 100644
--- a/flist.c
+++ b/flist.c
@@ -72,6 +72,7 @@ extern int need_unsorted_flist;
extern int sender_symlink_iconv;
extern int output_needs_newline;
extern int sender_keeps_checksum;
+extern int trust_sender_filter;
extern int unsort_ndx;
extern uid_t our_uid;
extern struct stats stats;
@@ -971,6 +972,15 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
exit_cleanup(RERR_UNSUPPORTED);
}
+ if (*thisname != '.' || thisname[1] != '\0') {
+ int filt_flags = S_ISDIR(mode) ? NAME_IS_DIR : NAME_IS_FILE;
+ if (!trust_sender_filter /* a per-dir filter rule means we must trust the sender's filtering */
+ && filter_list.head && check_filter(&filter_list, FINFO, thisname, filt_flags) < 0) {
+ rprintf(FERROR, "ERROR: rejecting excluded file-list name: %s\n", thisname);
+ exit_cleanup(RERR_PROTOCOL);
+ }
+ }
+
if (inc_recurse && S_ISDIR(mode)) {
if (one_file_system) {
/* Room to save the dir's device for -x */
diff --git a/main.c b/main.c
index 46b97b5..c688e6d 100644
--- a/main.c
+++ b/main.c
@@ -87,6 +87,7 @@ extern BOOL shutting_down;
extern int backup_dir_len;
extern int basis_dir_cnt;
extern int default_af_hint;
+extern int trust_sender_filter;
extern struct stats stats;
extern char *stdout_format;
extern char *logfile_format;
@@ -642,6 +643,7 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
#ifdef ICONV_CONST
setup_iconv();
#endif
+ trust_sender_filter = 1;
} else if (local_server) {
/* If the user didn't request --[no-]whole-file, force
* it on, but only if we're not batch processing. */
diff --git a/receiver.c b/receiver.c
index 9df603f..3182e2d 100644
--- a/receiver.c
+++ b/receiver.c
@@ -584,10 +584,13 @@ int recv_files(int f_in, int f_out, char *local_name)
if (DEBUG_GTE(RECV, 1))
rprintf(FINFO, "recv_files(%s)\n", fname);
- if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
- rprintf(FERROR, "attempt to hack rsync failed.\n");
- exit_cleanup(RERR_PROTOCOL);
+ if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')) {
+ int filt_flags = S_ISDIR(file->mode) ? NAME_IS_DIR : NAME_IS_FILE;
+ if (check_filter(&daemon_filter_list, FLOG, fname, filt_flags) < 0) {
+ rprintf(FERROR, "ERROR: rejecting file transfer request for daemon excluded file: %s\n",
+ fname);
+ exit_cleanup(RERR_PROTOCOL);
+ }
}
#ifdef SUPPORT_XATTRS
--
2.27.0

28
backport-CVE-2022-37434.patch
View File

@ -1,28 +0,0 @@
From 788f11ea6afeb96f0d84f140192165a1ca12ade4 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Sun, 7 Aug 2022 09:27:57 -0700
Subject: [PATCH] Fix zlib bug with a large gzip header extra field
From zlib commit eff308af425b67093bab25f80f1ae950166bece1.
Fixes CVE-2022-37434.
---
zlib/inflate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/zlib/inflate.c b/zlib/inflate.c
index e43abd9e0..d15132eaf 100644
--- a/zlib/inflate.c
+++ b/zlib/inflate.c
@@ -739,9 +739,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
+ len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);

65
backport-Work-around-glibc-lchmod-issue-a-better-way.patch
View File

@ -1,65 +0,0 @@
From 9dd62525f3b98d692e031f22c02be8f775966503 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Sun, 29 Nov 2020 09:33:54 -0800
Subject: [PATCH] Work around glibc's lchmod() issue a better way.
---
syscall.c | 34 +++++++++++++++++++++-------------
1 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/syscall.c b/syscall.c
index b9c3b4e..11d10e4 100644
--- a/syscall.c
+++ b/syscall.c
@@ -227,27 +227,35 @@ int do_open(const char *pathname, int flags, mode_t mode)
#ifdef HAVE_CHMOD
int do_chmod(const char *path, mode_t mode)
{
+ static int switch_step = 0;
int code;
if (dry_run) return 0;
RETURN_ERROR_IF_RO_OR_LO;
+ switch (switch_step) {
#ifdef HAVE_LCHMOD
- code = lchmod(path, mode & CHMOD_BITS);
-#else
- if (S_ISLNK(mode)) {
+#include "case_N.h"
+ if ((code = lchmod(path, mode & CHMOD_BITS)) == 0 || errno != ENOTSUP)
+ break;
+ switch_step++;
+#endif
+
+#include "case_N.h"
+ if (S_ISLNK(mode)) {
# if defined HAVE_SETATTRLIST
- struct attrlist attrList;
- uint32_t m = mode & CHMOD_BITS; /* manpage is wrong: not mode_t! */
+ struct attrlist attrList;
+ uint32_t m = mode & CHMOD_BITS; /* manpage is wrong: not mode_t! */
- memset(&attrList, 0, sizeof attrList);
- attrList.bitmapcount = ATTR_BIT_MAP_COUNT;
- attrList.commonattr = ATTR_CMN_ACCESSMASK;
- code = setattrlist(path, &attrList, &m, sizeof m, FSOPT_NOFOLLOW);
+ memset(&attrList, 0, sizeof attrList);
+ attrList.bitmapcount = ATTR_BIT_MAP_COUNT;
+ attrList.commonattr = ATTR_CMN_ACCESSMASK;
+ code = setattrlist(path, &attrList, &m, sizeof m, FSOPT_NOFOLLOW);
# else
- code = 1;
+ code = 1;
# endif
- } else
- code = chmod(path, mode & CHMOD_BITS); /* DISCOURAGED FUNCTION */
-#endif /* !HAVE_LCHMOD */
+ } else
+ code = chmod(path, mode & CHMOD_BITS); /* DISCOURAGED FUNCTION */
+ break;
+ }
if (code != 0 && (preserve_perms || preserve_executability))
return code;
return 0;
--
1.8.3.1

BIN
rsync-3.2.3.tar.gz
View File

Binary file not shown.

BIN
rsync-3.2.5.tar.gz Normal file
View File

Binary file not shown.

BIN
rsync-patches-3.2.3.tar.gz
View File

Binary file not shown.

49
rsync.spec
View File

@ -1,16 +1,15 @@
Name: rsync
Version: 3.2.3
Release: 4
Version: 3.2.5
Release: 1
Summary: Fast incremental file transfer utility
License: GPLv3+
URL: http://rsync.samba.org/
Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz
Source1: https://download.samba.org/pub/rsync/src/rsync-patches-%{version}.tar.gz
Source2: rsyncd.socket
Source3: rsyncd.service
Source4: rsyncd.conf
Source5: rsyncd.sysconfig
Source6: rsyncd@.service
Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}.tar.gz
Source1: rsyncd.socket
Source2: rsyncd.service
Source3: rsyncd.conf
Source4: rsyncd.sysconfig
Source5: rsyncd@.service
BuildRequires: git gcc systemd libacl-devel libattr-devel autoconf popt-devel
BuildRequires: lz4-devel openssl-devel libzstd-devel
@ -18,12 +17,6 @@ Provides: bundled(zlib) = 1.2.8 rsync-daemon
Obsoletes: rsync-daemon
%{?systemd_requires}
Patch1: backport-Work-around-glibc-lchmod-issue-a-better-way.patch
Patch2: backport-CVE-2020-14387-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
Patch3: backport-CVE-2022-37434.patch
Patch4: backport-A-fix-for-the-zlib-fix.patch
Patch5: backport-CVE-2022-29154.patch
%description
Rsync is an open source utility that provides fast incremental file transfer.
It uses the "rsync algorithm" which provides a very fast method for bringing
@ -34,9 +27,7 @@ at one of the ends of the link beforehand.
%package_help
%prep
%autosetup -b 1 -n %{name}-%{version} -p1
patch -p1 -i patches/copy-devices.diff
%autosetup -n %{name}-%{version} -p1
%build
%configure --disable-xxhash
@ -49,11 +40,11 @@ chmod -x support/*
%install
%make_install
install -D -m644 %{SOURCE2} %{buildroot}/%{_unitdir}/rsyncd.socket
install -D -m644 %{SOURCE3} %{buildroot}/%{_unitdir}/rsyncd.service
install -D -m644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/rsyncd.conf
install -D -m644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/sysconfig/rsyncd
install -D -m644 %{SOURCE6} %{buildroot}/%{_unitdir}/rsyncd@.service
install -D -m644 %{SOURCE1} %{buildroot}/%{_unitdir}/rsyncd.socket
install -D -m644 %{SOURCE2} %{buildroot}/%{_unitdir}/rsyncd.service
install -D -m644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/rsyncd.conf
install -D -m644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/sysconfig/rsyncd
install -D -m644 %{SOURCE5} %{buildroot}/%{_unitdir}/rsyncd@.service
%pre
@ -83,15 +74,13 @@ install -D -m644 %{SOURCE6} %{buildroot}/%{_unitdir}/rsyncd@.service
%{_mandir}/man5/rsyncd.conf.5*
%changelog
* Fri Aug 26 2022 panxiaohe <panxh.life@foxmail.com> - 3.2.3-4
- fix CVE-2022-29154
* Thu Aug 18 2022 fuanan <fuanan3@h-partners.com> - 3.2.3-3
- Fix CVE-2022-37434
* Thu Aug 18 2022 fuanan <fuanan3@h-partners.com> - 3.2.5-1
- Update version to 3.2.5
- Fix CVE-2022-29154,CVE-2022-37434
* Fri Jun 18 2021 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 3.2.3-2
- Type:CVE
- CVE:CVE-2020-14387
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:Fix CVE-2020-14387