From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/rsync: security bump to version 3.2.5
Date: Sat, 27 Aug 2022 09:53:09 +0200 [thread overview]
Message-ID: <20220827075309.GL37358@scaer> (raw)
In-Reply-To: <20220826214620.75193-1-fontaine.fabrice@gmail.com>
Fabrice, All,
On 2022-08-26 23:46 +0200, Fabrice Fontaine spake thusly:
> - Fix CVE-2022-29154: An issue was discovered in rsync before 3.2.5 that
> allows malicious remote servers to write arbitrary files inside the
> directories of connecting peers. The server chooses which
> files/directories are sent to the client. However, the rsync client
> performs insufficient validation of file names. A malicious rsync
> server (or Man-in-The-Middle attacker) can overwrite arbitrary files
> in the rsync client target directory and subdirectories (for example,
> overwrite the .ssh/authorized_keys file).
> - Drop patches (already in version)
> - Update hash of COPYING (make openssl license exception clearer by
> having it at the top and use modern links in COPYING:
> https://github.com/WayneD/rsync/commit/dde469513625c0e10216da9b6f6546aa844431f7)
>
> https://github.com/WayneD/rsync/blob/v3.2.5/NEWS.md
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...n-the-certificate-when-using-openssl.patch | 29 -------------------
> ...g-with-a-zlib-with-external-read_buf.patch | 27 -----------------
> package/rsync/rsync.hash | 6 ++--
> package/rsync/rsync.mk | 5 +---
> 4 files changed, 4 insertions(+), 63 deletions(-)
> delete mode 100644 package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> delete mode 100644 package/rsync/0002-Handle-linking-with-a-zlib-with-external-read_buf.patch
>
> diff --git a/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch b/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> deleted file mode 100644
> index 13edeff944..0000000000
> --- a/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> +++ /dev/null
> @@ -1,29 +0,0 @@
> -From c3f7414c450faaf6a8281cc4a4403529aeb7d859 Mon Sep 17 00:00:00 2001
> -From: Matt McCutchen <matt@mattmccutchen.net>
> -Date: Wed, 26 Aug 2020 12:16:08 -0400
> -Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
> - openssl.
> -
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> -[Retrieved from:
> -https://git.samba.org/?p=rsync.git;a=commitdiff;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859]
> ----
> - rsync-ssl | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/rsync-ssl b/rsync-ssl
> -index 8101975a..46701af1 100755
> ---- a/rsync-ssl
> -+++ b/rsync-ssl
> -@@ -129,7 +129,7 @@ function rsync_ssl_helper {
> - fi
> -
> - if [[ $RSYNC_SSL_TYPE == openssl ]]; then
> -- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
> -+ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
> - elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
> - exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
> - else
> ---
> -2.25.1
> -
> diff --git a/package/rsync/0002-Handle-linking-with-a-zlib-with-external-read_buf.patch b/package/rsync/0002-Handle-linking-with-a-zlib-with-external-read_buf.patch
> deleted file mode 100644
> index 0af090732c..0000000000
> --- a/package/rsync/0002-Handle-linking-with-a-zlib-with-external-read_buf.patch
> +++ /dev/null
> @@ -1,27 +0,0 @@
> -From 60dd42be603a79cd57cec076fe1680e9037be774 Mon Sep 17 00:00:00 2001
> -From: Wayne Davison <wayne@opencoder.net>
> -Date: Mon, 11 Apr 2022 08:29:54 -0700
> -Subject: [PATCH] Handle linking with a zlib with external read_buf.
> -
> -[Retrieved from:
> -https://github.com/WayneD/rsync/commit/60dd42be603a79cd57cec076fe1680e9037be774]
> -Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ----
> - rsync.h | 4 ++++
> - 1 file changed, 4 insertions(+)
> -
> -diff --git a/rsync.h b/rsync.h
> -index 4b30570b..e5aacd25 100644
> ---- a/rsync.h
> -+++ b/rsync.h
> -@@ -1172,6 +1172,10 @@ struct name_num_obj {
> - struct name_num_item list[10]; /* we'll get a compile error/warning if this is ever too small */
> - };
> -
> -+#ifdef EXTERNAL_ZLIB
> -+#define read_buf read_buf_
> -+#endif
> -+
> - #ifndef __cplusplus
> - #include "proto.h"
> - #endif
> diff --git a/package/rsync/rsync.hash b/package/rsync/rsync.hash
> index 92f6156ba8..f0ba4d321d 100644
> --- a/package/rsync/rsync.hash
> +++ b/package/rsync/rsync.hash
> @@ -1,5 +1,5 @@
> # Locally calculated after checking pgp signature
> -# https://download.samba.org/pub/rsync/src/rsync-3.2.3.tar.gz.asc
> -sha256 becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e rsync-3.2.3.tar.gz
> +# https://download.samba.org/pub/rsync/src/rsync-3.2.5.tar.gz.asc
> +sha256 2ac4d21635cdf791867bc377c35ca6dda7f50d919a58be45057fd51600c69aba rsync-3.2.5.tar.gz
> # Locally calculated
> -sha256 0d33aa97d302cb9df27f99dfa28d58001c2479a02317956f1a7a890f3937a976 COPYING
> +sha256 85c19ea50a224c2d0067a69c083584e5717b40b76610ec1218f91385775067dd COPYING
> diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
> index 5b51ca1df7..e288033b98 100644
> --- a/package/rsync/rsync.mk
> +++ b/package/rsync/rsync.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -RSYNC_VERSION = 3.2.3
> +RSYNC_VERSION = 3.2.5
> RSYNC_SITE = http://rsync.samba.org/ftp/rsync/src
> RSYNC_LICENSE = GPL-3.0+ with exceptions
> RSYNC_LICENSE_FILES = COPYING
> @@ -21,9 +21,6 @@ RSYNC_CONF_OPTS = \
> --disable-lz4 \
> --disable-asm
>
> -# 0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> -RSYNC_IGNORE_CVES += CVE-2020-14387
> -
> ifeq ($(BR2_PACKAGE_ACL),y)
> RSYNC_DEPENDENCIES += acl
> else
> --
> 2.35.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2022-08-27 7:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-26 21:46 [Buildroot] [PATCH 1/1] package/rsync: security bump to version 3.2.5 Fabrice Fontaine
2022-08-27 7:53 ` Yann E. MORIN [this message]
2022-09-17 15:27 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220827075309.GL37358@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@buildroot.org \
--cc=fontaine.fabrice@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox