diff --git a/debian/changelog b/debian/changelog
index 036aec9..12145c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+rsync (3.3.0+ds1-4) unstable; urgency=critical
+
+ [ Salvatore Bonaccorso ]
+ * Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
+ (Closes: #1093089, #1093052)
+
+ [ Samuel Henrique ]
+ * d/p/Fix_use-after-free_in_generator: New patch to fix UAF
+
+ -- Samuel Henrique Wed, 15 Jan 2025 18:34:49 +0000
+
 rsync (3.3.0+ds1-3) unstable; urgency=critical
 
 * Import upstream patches for CVE-2024-12084, CVE-2024-12085,
diff --git a/debian/patches/Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch b/debian/patches/Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch
new file mode 100644
index 0000000..bf39d9b
--- /dev/null
+++ b/debian/patches/Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch
@@ -0,0 +1,40 @@
+From: Natanael Copa
+Date: Wed, 15 Jan 2025 15:10:24 +0100
+Subject: Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
+Origin: https://github.com/ncopa/rsync/commit/efb85fd8db9e8f74eb3ab91ebf44f6ed35e3da5b
+Bug: https://github.com/RsyncProject/rsync/issues/697
+Bug-Debian: https://bugs.debian.org/1093089
+Bug-Debian: https://bugs.debian.org/1093052
+Bug: https://github.com/RsyncProject/rsync/issues/702
+
+fixes commit 688f5c379a43 (Refuse a duplicate dirlist.)
+
+Fixes: https://github.com/RsyncProject/rsync/issues/702
+Fixes: https://github.com/RsyncProject/rsync/issues/697
+---
+ rsync.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync.h b/rsync.h
+index 9be1297bdd29..479ac4848991 100644
+--- a/rsync.h
++++ b/rsync.h
+@@ -84,7 +84,6 @@
+ #define FLAG_DUPLICATE (1<<4) /* sender */
+ #define FLAG_MISSING_DIR (1<<4) /* generator */
+ #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */
+-#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
+ #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */
+ #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */
+ #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
+@@ -93,6 +92,7 @@
+ #define FLAG_SKIP_GROUP (1<<10) /* receiver/generator */
+ #define FLAG_TIME_FAILED (1<<11)/* generator */
+ #define FLAG_MOD_NSEC (1<<12) /* sender/receiver/generator */
++#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */
+ 
+ /* These flags are passed to functions but not stored. */
+ 
+--
+2.47.1
+
diff --git a/debian/patches/Fix_use-after-free_in_generator.patch b/debian/patches/Fix_use-after-free_in_generator.patch
new file mode 100644
index 0000000..5d3ccb2
--- /dev/null
+++ b/debian/patches/Fix_use-after-free_in_generator.patch
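Review bot: The new `#define FLAG_GOT_DIR_FLIST (1<<13)` in the second rsync.h hunk sits directly above the `/* These flags are passed to functions but not stored. */` comment, and neither the definitions that follow that comment nor the width of the field these values are stored in is visible here; bit 13 should be checked against both before this ships, since the bug being fixed was precisely an aliased bit. The visible role comments show why sharing was unsafe: the other paired values are split by role (`FLAG_DUPLICATE` is sender-only, `FLAG_MISSING_DIR` generator-only), whereas `FLAG_GOT_DIR_FLIST` is marked `sender/receiver/generator` and `FLAG_HLINKED` is `checked on all types`, so the two can presumably be set on the same entry. I would record that constraint on the new line so the next flag added does not repeat the mistake: `/* sender/receiver/generator - dir_flist only; used by every role, so it must not share a bit */`.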
@@ -0,0 +1,31 @@
+From f923b19fd85039a2b0e908391074872334646d51 Mon Sep 17 00:00:00 2001
+From: Natanael Copa
+Date: Wed, 15 Jan 2025 15:48:04 +0100
+Subject: [PATCH] Fix use-after-free in generator
+
+full_fname() will free the return value in the next call so we need to
+duplicate it before passing it to rsyserr.
+
+Fixes: https://github.com/RsyncProject/rsync/issues/704
+---
+ generator.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/generator.c b/generator.c
+index 3f13bb95..b56fa569 100644
+--- a/generator.c
++++ b/generator.c
+@@ -2041,8 +2041,12 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const
+ 
+ if (!skip_atomic) {
+ if (do_rename(tmpname, fname) < 0) {
++ char *full_tmpname = strdup(full_fname(tmpname));
++ if (full_tmpname == NULL)
++ out_of_memory("atomic_create");
+ rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\" failed",
+- full_fname(tmpname), full_fname(fname));
++ full_tmpname, full_fname(fname));
++ free(full_tmpname);
+ do_unlink(tmpname);
+ return 0;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 0675583..200175d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,7 @@ rsync-upstream-CVE-patches-v3/CVE-2024-12747/0001-fixed-symlink-race-condition-i
 rsync-upstream-CVE-patches-v3/version_update/0001-raise-protocol-version-to-32.patch
 rsync-upstream-CVE-patches-v3/version_update/0002-change-version-to-3.4.0.patch
 rsync-upstream-CVE-patches-v3/version_update/0003-update-NEWS-for-3.4.0.patch
+
+# Regression from CVE-2024-12087 (#1093052)
+Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch
+Fix_use-after-free_in_generator.patch
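Review bot: In the generator.c hunk, `errno` is now read by `rsyserr()` only after `strdup()` and `full_fname()` have run, so the errno reported for the failed `do_rename()` can be clobbered by whatever those calls do internally (the commit message itself says full_fname() frees its previous return value, which implies allocation on every call). Save it first: `int save_errno = errno;` as the first statement after `if (do_rename(tmpname, fname) < 0) {`, and pass `save_errno` instead of `errno` to `rsyserr()`. The original code had a similar exposure because argument evaluation order is unspecified, but the patch makes the window deterministic. The `strdup()`/`free()` pairing is balanced on this path and the `out_of_memory()` exit leaves nothing dangling; `atomic_create()`'s body continues outside the hunk.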