Update version to 3.2.5

ZhouPengcheng 2022-11-07 18:50:34 +08:00
parent e4eff5d75a
commit 79d4257526
9 changed files with 19 additions and 288 deletions


@ -1,26 +0,0 @@
From 9e2921fce8c518e370c324407d35bc83ba12f2d5 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Mon, 8 Aug 2022 20:05:10 -0700
Subject: [PATCH] A fix for the zlib fix.
---
zlib/inflate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/zlib/inflate.c b/zlib/inflate.c
index d15132ea..e9840b67 100644
--- a/zlib/inflate.c
+++ b/zlib/inflate.c
@@ -739,10 +739,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
- len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
state->head->extra != Z_NULL &&
- len < state->head->extra_max) {
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);


@ -1,23 +0,0 @@
From c3f7414c450faaf6a8281cc4a4403529aeb7d859 Mon Sep 17 00:00:00 2001
From: Matt McCutchen <matt@mattmccutchen.net>
Date: Wed, 26 Aug 2020 12:16:08 -0400
Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
openssl.
---
rsync-ssl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rsync-ssl b/rsync-ssl
index 8101975a..46701af1 100755
--- a/rsync-ssl
+++ b/rsync-ssl
@@ -129,7 +129,7 @@ function rsync_ssl_helper {
fi
if [[ $RSYNC_SSL_TYPE == openssl ]]; then
- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
+ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
else


@ -1,116 +0,0 @@
From b7231c7d02cfb65d291af74ff66e7d8c507ee871 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Sun, 31 Jul 2022 16:55:34 -0700
Subject: [PATCH] Some extra file-list safety checks.
Conflict:don't apply add_implied_include(),adapt context in flist.c,delete rsync.1.md
Reference:https://github.com/WayneD/rsync/commit/b7231c7d02cfb65d291af74ff66e7d8c507ee871
---
exclude.c | 4 +++-
flist.c | 10 ++++++++++
main.c | 2 ++
receiver.c | 11 +++++++----
4 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/exclude.c b/exclude.c
index e095744..ab91999 100644
--- a/exclude.c
+++ b/exclude.c
@@ -46,6 +46,7 @@ filter_rule_list cvs_filter_list = { .debug_type = " [global CVS]" };
filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
int saw_xattr_filter = 0;
+int trust_sender_filter = 0;
/* Need room enough for ":MODS " prefix plus some room to grow. */
#define MAX_RULE_PREFIX (16)
@@ -714,7 +715,7 @@ static void report_filter_result(enum logcode code, char const *name,
: name_flags & NAME_IS_DIR ? "directory"
: "file";
rprintf(code, "[%s] %sing %s %s because of pattern %s%s%s\n",
- w, actions[*w!='s'][!(ent->rflags & FILTRULE_INCLUDE)],
+ w, actions[*w=='g'][!(ent->rflags & FILTRULE_INCLUDE)],
t, name, ent->pattern,
ent->rflags & FILTRULE_DIRECTORY ? "/" : "", type);
}
@@ -886,6 +887,7 @@ static filter_rule *parse_rule_tok(const char **rulestr_ptr,
}
switch (ch) {
case ':':
+ trust_sender_filter = 1;
rule->rflags |= FILTRULE_PERDIR_MERGE
| FILTRULE_FINISH_SETUP;
/* FALL THROUGH */
diff --git a/flist.c b/flist.c
index 5a1e424..5d5c7a2 100644
--- a/flist.c
+++ b/flist.c
@@ -72,6 +72,7 @@ extern int need_unsorted_flist;
extern int sender_symlink_iconv;
extern int output_needs_newline;
extern int sender_keeps_checksum;
+extern int trust_sender_filter;
extern int unsort_ndx;
extern uid_t our_uid;
extern struct stats stats;
@@ -971,6 +972,15 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
exit_cleanup(RERR_UNSUPPORTED);
}
+ if (*thisname != '.' || thisname[1] != '\0') {
+ int filt_flags = S_ISDIR(mode) ? NAME_IS_DIR : NAME_IS_FILE;
+ if (!trust_sender_filter /* a per-dir filter rule means we must trust the sender's filtering */
+ && filter_list.head && check_filter(&filter_list, FINFO, thisname, filt_flags) < 0) {
+ rprintf(FERROR, "ERROR: rejecting excluded file-list name: %s\n", thisname);
+ exit_cleanup(RERR_PROTOCOL);
+ }
+ }
+
if (inc_recurse && S_ISDIR(mode)) {
if (one_file_system) {
/* Room to save the dir's device for -x */
diff --git a/main.c b/main.c
index 46b97b5..c688e6d 100644
--- a/main.c
+++ b/main.c
@@ -87,6 +87,7 @@ extern BOOL shutting_down;
extern int backup_dir_len;
extern int basis_dir_cnt;
extern int default_af_hint;
+extern int trust_sender_filter;
extern struct stats stats;
extern char *stdout_format;
extern char *logfile_format;
@@ -642,6 +643,7 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
#ifdef ICONV_CONST
setup_iconv();
#endif
+ trust_sender_filter = 1;
} else if (local_server) {
/* If the user didn't request --[no-]whole-file, force
* it on, but only if we're not batch processing. */
diff --git a/receiver.c b/receiver.c
index 9df603f..3182e2d 100644
--- a/receiver.c
+++ b/receiver.c
@@ -584,10 +584,13 @@ int recv_files(int f_in, int f_out, char *local_name)
if (DEBUG_GTE(RECV, 1))
rprintf(FINFO, "recv_files(%s)\n", fname);
- if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
- rprintf(FERROR, "attempt to hack rsync failed.\n");
- exit_cleanup(RERR_PROTOCOL);
+ if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')) {
+ int filt_flags = S_ISDIR(file->mode) ? NAME_IS_DIR : NAME_IS_FILE;
+ if (check_filter(&daemon_filter_list, FLOG, fname, filt_flags) < 0) {
+ rprintf(FERROR, "ERROR: rejecting file transfer request for daemon excluded file: %s\n",
+ fname);
+ exit_cleanup(RERR_PROTOCOL);
+ }
}
#ifdef SUPPORT_XATTRS
--
2.27.0


@ -1,28 +0,0 @@
From 788f11ea6afeb96f0d84f140192165a1ca12ade4 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Sun, 7 Aug 2022 09:27:57 -0700
Subject: [PATCH] Fix zlib bug with a large gzip header extra field
From zlib commit eff308af425b67093bab25f80f1ae950166bece1.
Fixes CVE-2022-37434.
---
zlib/inflate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/zlib/inflate.c b/zlib/inflate.c
index e43abd9e0..d15132eaf 100644
--- a/zlib/inflate.c
+++ b/zlib/inflate.c
@@ -739,9 +739,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
+ len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);


@ -1,65 +0,0 @@
From 9dd62525f3b98d692e031f22c02be8f775966503 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Sun, 29 Nov 2020 09:33:54 -0800
Subject: [PATCH] Work around glibc's lchmod() issue a better way.
---
syscall.c | 34 +++++++++++++++++++++-------------
1 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/syscall.c b/syscall.c
index b9c3b4e..11d10e4 100644
--- a/syscall.c
+++ b/syscall.c
@@ -227,27 +227,35 @@ int do_open(const char *pathname, int flags, mode_t mode)
#ifdef HAVE_CHMOD
int do_chmod(const char *path, mode_t mode)
{
+ static int switch_step = 0;
int code;
if (dry_run) return 0;
RETURN_ERROR_IF_RO_OR_LO;
+ switch (switch_step) {
#ifdef HAVE_LCHMOD
- code = lchmod(path, mode & CHMOD_BITS);
-#else
- if (S_ISLNK(mode)) {
+#include "case_N.h"
+ if ((code = lchmod(path, mode & CHMOD_BITS)) == 0 || errno != ENOTSUP)
+ break;
+ switch_step++;
+#endif
+
+#include "case_N.h"
+ if (S_ISLNK(mode)) {
# if defined HAVE_SETATTRLIST
- struct attrlist attrList;
- uint32_t m = mode & CHMOD_BITS; /* manpage is wrong: not mode_t! */
+ struct attrlist attrList;
+ uint32_t m = mode & CHMOD_BITS; /* manpage is wrong: not mode_t! */
- memset(&attrList, 0, sizeof attrList);
- attrList.bitmapcount = ATTR_BIT_MAP_COUNT;
- attrList.commonattr = ATTR_CMN_ACCESSMASK;
- code = setattrlist(path, &attrList, &m, sizeof m, FSOPT_NOFOLLOW);
+ memset(&attrList, 0, sizeof attrList);
+ attrList.bitmapcount = ATTR_BIT_MAP_COUNT;
+ attrList.commonattr = ATTR_CMN_ACCESSMASK;
+ code = setattrlist(path, &attrList, &m, sizeof m, FSOPT_NOFOLLOW);
# else
- code = 1;
+ code = 1;
# endif
- } else
- code = chmod(path, mode & CHMOD_BITS); /* DISCOURAGED FUNCTION */
-#endif /* !HAVE_LCHMOD */
+ } else
+ code = chmod(path, mode & CHMOD_BITS); /* DISCOURAGED FUNCTION */
+ break;
+ }
if (code != 0 && (preserve_perms || preserve_executability))
return code;
return 0;
--
1.8.3.1

Binary file not shown.

BIN
rsync-3.2.5.tar.gz Normal file

Binary file not shown.

Binary file not shown.


@ -1,16 +1,15 @@
Name: rsync Name: rsync
Version: 3.2.3 Version: 3.2.5
Release: 4 Release: 1
Summary: Fast incremental file transfer utility Summary: Fast incremental file transfer utility
License: GPLv3+ License: GPLv3+
URL: http://rsync.samba.org/ URL: http://rsync.samba.org/
Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}%{?prerelease}.tar.gz Source0: https://download.samba.org/pub/rsync/src/rsync-%{version}.tar.gz
Source1: https://download.samba.org/pub/rsync/src/rsync-patches-%{version}.tar.gz Source1: rsyncd.socket
Source2: rsyncd.socket Source2: rsyncd.service
Source3: rsyncd.service Source3: rsyncd.conf
Source4: rsyncd.conf Source4: rsyncd.sysconfig
Source5: rsyncd.sysconfig Source5: rsyncd@.service
Source6: rsyncd@.service
BuildRequires: git gcc systemd libacl-devel libattr-devel autoconf popt-devel BuildRequires: git gcc systemd libacl-devel libattr-devel autoconf popt-devel
BuildRequires: lz4-devel openssl-devel libzstd-devel BuildRequires: lz4-devel openssl-devel libzstd-devel
@ -18,12 +17,6 @@ Provides: bundled(zlib) = 1.2.8 rsync-daemon
Obsoletes: rsync-daemon Obsoletes: rsync-daemon
%{?systemd_requires} %{?systemd_requires}
Patch1: backport-Work-around-glibc-lchmod-issue-a-better-way.patch
Patch2: backport-CVE-2020-14387-rsync-ssl-Verify-the-hostname-in-the-certificate-whe.patch
Patch3: backport-CVE-2022-37434.patch
Patch4: backport-A-fix-for-the-zlib-fix.patch
Patch5: backport-CVE-2022-29154.patch
%description %description
Rsync is an open source utility that provides fast incremental file transfer. Rsync is an open source utility that provides fast incremental file transfer.
It uses the "rsync algorithm" which provides a very fast method for bringing It uses the "rsync algorithm" which provides a very fast method for bringing
@ -34,9 +27,7 @@ at one of the ends of the link beforehand.
%package_help %package_help
%prep %prep
%autosetup -b 1 -n %{name}-%{version} -p1 %autosetup -n %{name}-%{version} -p1
patch -p1 -i patches/copy-devices.diff
%build %build
%configure --disable-xxhash %configure --disable-xxhash
@ -49,11 +40,11 @@ chmod -x support/*
%install %install
%make_install %make_install
install -D -m644 %{SOURCE2} %{buildroot}/%{_unitdir}/rsyncd.socket install -D -m644 %{SOURCE1} %{buildroot}/%{_unitdir}/rsyncd.socket
install -D -m644 %{SOURCE3} %{buildroot}/%{_unitdir}/rsyncd.service install -D -m644 %{SOURCE2} %{buildroot}/%{_unitdir}/rsyncd.service
install -D -m644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/rsyncd.conf install -D -m644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/rsyncd.conf
install -D -m644 %{SOURCE5} %{buildroot}/%{_sysconfdir}/sysconfig/rsyncd install -D -m644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/sysconfig/rsyncd
install -D -m644 %{SOURCE6} %{buildroot}/%{_unitdir}/rsyncd@.service install -D -m644 %{SOURCE5} %{buildroot}/%{_unitdir}/rsyncd@.service
%pre %pre
@ -83,15 +74,13 @@ install -D -m644 %{SOURCE6} %{buildroot}/%{_unitdir}/rsyncd@.service
%{_mandir}/man5/rsyncd.conf.5* %{_mandir}/man5/rsyncd.conf.5*
%changelog %changelog
* Fri Aug 26 2022 panxiaohe <panxh.life@foxmail.com> - 3.2.3-4 * Thu Aug 18 2022 fuanan <fuanan3@h-partners.com> - 3.2.5-1
- fix CVE-2022-29154 - Update version to 3.2.5
- Fix CVE-2022-29154,CVE-2022-37434
* Thu Aug 18 2022 fuanan <fuanan3@h-partners.com> - 3.2.3-3
- Fix CVE-2022-37434
* Fri Jun 18 2021 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 3.2.3-2 * Fri Jun 18 2021 yangzhuangzhuang <yangzhuangzhuang1@huawei.com> - 3.2.3-2
- Type:CVE - Type:bugfix
- CVE:CVE-2020-14387 - ID:NA
- SUG:NA - SUG:NA
- DESC:Fix CVE-2020-14387 - DESC:Fix CVE-2020-14387
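Review bot: In the last `%changelog` hunk the new (right-hand) side rewrites the 3.2.3-2 entry to `- Type:bugfix` and `- ID:NA` while its `- DESC:Fix CVE-2020-14387` line stays, so the entry now contradicts itself and anyone reading the Type/ID fields no longer sees that this release addressed a CVE; I would keep `- Type:CVE` and `- CVE:CVE-2020-14387`. The same hunk drops the 3.2.3-3 and 3.2.3-4 entries and dates the new 3.2.5-1 entry `Thu Aug 18 2022`, although the commit itself is dated 2022-11-07; released changelog history is normally appended to rather than edited, so the old entries should stay and the new one should carry the actual date. Because Patch1–Patch5 and the `patch -p1 -i patches/copy-devices.diff` step are removed in earlier hunks, the 3.2.5-1 entry should also say that the CVE-2020-14387, CVE-2022-29154 and CVE-2022-37434 fixes now come from the upstream tarball and that the copy-devices patch is no longer applied, after confirming both against the 3.2.5 sources.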