From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/rsync: security bump to version 3.2.5
Date: Sat, 27 Aug 2022 09:53:09 +0200 [thread overview]
Message-ID: <20220827075309.GL37358@scaer> (raw)
In-Reply-To: <20220826214620.75193-1-fontaine.fabrice@gmail.com>
Fabrice, All,
On 2022-08-26 23:46 +0200, Fabrice Fontaine spake thusly:
> - Fix CVE-2022-29154: An issue was discovered in rsync before 3.2.5 that
> allows malicious remote servers to write arbitrary files inside the
> directories of connecting peers. The server chooses which
> files/directories are sent to the client. However, the rsync client
> performs insufficient validation of file names. A malicious rsync
> server (or Man-in-The-Middle attacker) can overwrite arbitrary files
> in the rsync client target directory and subdirectories (for example,
> overwrite the .ssh/authorized_keys file).
> - Drop patches (already in version)
> - Update hash of COPYING (make openssl license exception clearer by
> having it at the top and use modern links in COPYING:
> https://github.com/WayneD/rsync/commit/dde469513625c0e10216da9b6f6546aa844431f7)
>
> https://github.com/WayneD/rsync/blob/v3.2.5/NEWS.md
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...n-the-certificate-when-using-openssl.patch | 29 -------------------
> ...g-with-a-zlib-with-external-read_buf.patch | 27 -----------------
> package/rsync/rsync.hash | 6 ++--
> package/rsync/rsync.mk | 5 +---
> 4 files changed, 4 insertions(+), 63 deletions(-)
> delete mode 100644 package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> delete mode 100644 package/rsync/0002-Handle-linking-with-a-zlib-with-external-read_buf.patch
>
> diff --git a/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch b/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> deleted file mode 100644
> index 13edeff944..0000000000
> --- a/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> +++ /dev/null
> @@ -1,29 +0,0 @@
> -From c3f7414c450faaf6a8281cc4a4403529aeb7d859 Mon Sep 17 00:00:00 2001
> -From: Matt McCutchen <matt@mattmccutchen.net>
> -Date: Wed, 26 Aug 2020 12:16:08 -0400
> -Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
> - openssl.
> -
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> -[Retrieved from:
> -https://git.samba.org/?p=rsync.git;a=commitdiff;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859]
> ----
> - rsync-ssl | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/rsync-ssl b/rsync-ssl
> -index 8101975a..46701af1 100755
> ---- a/rsync-ssl
> -+++ b/rsync-ssl
> -@@ -129,7 +129,7 @@ function rsync_ssl_helper {
> - fi
> -
> - if [[ $RSYNC_SSL_TYPE == openssl ]]; then
> -- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
> -+ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
> - elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
> - exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
> - else
> ---
> -2.25.1
> -
> diff --git a/package/rsync/0002-Handle-linking-with-a-zlib-with-external-read_buf.patch b/package/rsync/0002-Handle-linking-with-a-zlib-with-external-read_buf.patch
> deleted file mode 100644
> index 0af090732c..0000000000
> --- a/package/rsync/0002-Handle-linking-with-a-zlib-with-external-read_buf.patch
> +++ /dev/null
> @@ -1,27 +0,0 @@
> -From 60dd42be603a79cd57cec076fe1680e9037be774 Mon Sep 17 00:00:00 2001
> -From: Wayne Davison <wayne@opencoder.net>
> -Date: Mon, 11 Apr 2022 08:29:54 -0700
> -Subject: [PATCH] Handle linking with a zlib with external read_buf.
> -
> -[Retrieved from:
> -https://github.com/WayneD/rsync/commit/60dd42be603a79cd57cec076fe1680e9037be774]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - rsync.h | 4 ++++
> - 1 file changed, 4 insertions(+)
> -
> -diff --git a/rsync.h b/rsync.h
> -index 4b30570b..e5aacd25 100644
> ---- a/rsync.h
> -+++ b/rsync.h
> -@@ -1172,6 +1172,10 @@ struct name_num_obj {
> - struct name_num_item list[10]; /* we'll get a compile error/warning if this is ever too small */
> - };
> -
> -+#ifdef EXTERNAL_ZLIB
> -+#define read_buf read_buf_
> -+#endif
> -+
> - #ifndef __cplusplus
> - #include "proto.h"
> - #endif
> diff --git a/package/rsync/rsync.hash b/package/rsync/rsync.hash
> index 92f6156ba8..f0ba4d321d 100644
> --- a/package/rsync/rsync.hash
> +++ b/package/rsync/rsync.hash
> @@ -1,5 +1,5 @@
> # Locally calculated after checking pgp signature
> -# https://download.samba.org/pub/rsync/src/rsync-3.2.3.tar.gz.asc
> -sha256 becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e rsync-3.2.3.tar.gz
> +# https://download.samba.org/pub/rsync/src/rsync-3.2.5.tar.gz.asc
> +sha256 2ac4d21635cdf791867bc377c35ca6dda7f50d919a58be45057fd51600c69aba rsync-3.2.5.tar.gz
> # Locally calculated
> -sha256 0d33aa97d302cb9df27f99dfa28d58001c2479a02317956f1a7a890f3937a976 COPYING
> +sha256 85c19ea50a224c2d0067a69c083584e5717b40b76610ec1218f91385775067dd COPYING
> diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
> index 5b51ca1df7..e288033b98 100644
> --- a/package/rsync/rsync.mk
> +++ b/package/rsync/rsync.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -RSYNC_VERSION = 3.2.3
> +RSYNC_VERSION = 3.2.5
> RSYNC_SITE = http://rsync.samba.org/ftp/rsync/src
> RSYNC_LICENSE = GPL-3.0+ with exceptions
> RSYNC_LICENSE_FILES = COPYING
> @@ -21,9 +21,6 @@ RSYNC_CONF_OPTS = \
> --disable-lz4 \
> --disable-asm
>
> -# 0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> -RSYNC_IGNORE_CVES += CVE-2020-14387
> -
> ifeq ($(BR2_PACKAGE_ACL),y)
> RSYNC_DEPENDENCIES += acl
> else
> --
> 2.35.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2022-08-27 7:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-26 21:46 [Buildroot] [PATCH 1/1] package/rsync: security bump to version 3.2.5 Fabrice Fontaine
2022-08-27 7:53 ` Yann E. MORIN [this message]
2022-09-17 15:27 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220827075309.GL37358@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@buildroot.org \
--cc=fontaine.fabrice@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.