pkgsrc-Changes archive
CVS commit: pkgsrc/net/rsync
Module Name: pkgsrc
Committed By: adam
Date: Mon May 11 06:21:51 UTC 2026
Modified Files:
pkgsrc/net/rsync: Makefile distinfo
Removed Files:
pkgsrc/net/rsync/patches: patch-sender.c
Log Message:
rsync: updated to 3.4.2
rsync 3.4.2 (28 Apr 2026)
Changes in this version:
SECURITY RELATED:
Several security-relevant defects were reported and fixed since 3.4.1. None were assigned a CVE — rsync's fork-per-connection design scopes the impact of each of these to the attacker's own
connection, which is equivalent to the client closing the socket itself — but they are fixed here as a matter of hygiene and to reduce the chances of a future exploitable combination. Many thanks to
the external researchers who reported these issues.
Fixed a signed integer overflow in the PROXY protocol v2 header parser: a negative len field could bypass the size check and cause a stack buffer overflow in read_buf(). Reported by John Walker of
ZeroPath.
Fixed an invalid access to the files array. Reported by Calum Hutton of Rapid7.
Reject negative token values in the compressed-stream token decoder; a negative value could cause callers to misinterpret a missing data pointer as literal data. Reported by Will Sergeant.
Fixed the element count passed to the xattr qsort() (see https://www.openwall.com/lists/oss-security/2026/04/16/2).
Fixed a buffer underflow in clean_fname(), and added a regression test.
Fixed an uninitialized mul_one in the AVX2 get_checksum1 path (undefined behaviour), and added a SIMD-checksum self-test that cross-checks SSE2, SSSE3 and AVX2 against the C reference on both aligned
and unaligned buffers.
Fixed an uninitialized buf1 on the first call to get_checksum2() in the MD4 path.
Zero all new memory from internal allocations: my_alloc() now uses calloc, and expand_item_list() zeros the expanded portion after realloc. This gives more predictable behaviour if stale or
uninitialised memory is ever accidentally read.
BUG FIXES:
Call tzset() before chroot so that log timestamps continue to reflect the configured local timezone after the daemon chroots (glibc needs /etc/localtime, which is unreachable post-chroot).
Use the correct time when writing to the log file.
Do not clear DISPLAY unconditionally.
Fixed a Y2038 bug in syscall.c by replacing the Int32x32To64 macro (which truncates its arguments to 32 bits) with a plain 64-bit multiplication.
Fixed ACL ID mapping for non-root users.
Fixed handling of objects with many xattrs on FreeBSD.
Fixed --open-noatime not taking effect when opening regular files: O_NOATIME is now also passed to do_open_nofollow(), which has been used for regular files since the CVE fix "fixed symlink race
condition in sender".
Ignore "directory has vanished" errors.
Fixed the removal of multiple leading slashes.
Added the missing --dirs long option.
Fixed a segfault if poptGetContext() returns NULL (e.g. under OOM) by not passing NULL to poptReadDefaultConfig(). Reported by Ronnie Sahlberg; found with malloc-fail-tester.
Fixed a build error on ia64 NonStop (which treats missing prototypes as an error, not a warning).
Fixed a flaky hardlinks test.
ENHANCEMENTS:
Added multi-threaded zstd compression, gated by a new --compress-threads=N option, with validation and man-page coverage.
Documented the temp dir parameter in the rsyncd.conf man page.
Improved rendering of interior dashes in long-option names in md-convert.
PORTABILITY / BUILD:
Fixed glibc 2.43 const-preserving overloads of strtok(), strchr() etc. by declaring the affected locals with the right constness. Contributed by Holger Hoffstätte.
Converted the bundled zlib 1.2.8 from K&R-style function definitions to ANSI prototypes, so it builds with clang 16+.
Avoid using bool as an identifier; it is a keyword in C23.
configure.ac: check for xattr functions in libc first and only fall back to -lattr, avoiding spurious overlinking when -lattr happens to be installed. Contributed by Eli Schwartz.
Made the build reproducible by honouring SOURCE_DATE_EPOCH for the manpage date.
Removed obsolete popt/findme.c and popt/findme.h that upstream popt 1.14 folded into popt.c. Contributed by Alan Coopersmith.
INTERNAL:
Made many module-global variables const so they can live in .rodata and enable additional compiler optimization.
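The PROXY protocol v2 item under SECURITY RELATED describes a length field that goes negative and slips past a size check. The C below is an added example of that bug class beside a hardened parser; it is not rsync's code or part of this commit, and the function names, the 216-byte buffer and the sample header are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration; all names are hypothetical, not rsync's. */
#define PP2_HDR_LEN  16   /* 12-byte signature, ver/cmd, family, 16-bit length */
#define PP2_MAX_ADDR 216  /* fixed address buffer size chosen for this example */
static const uint8_t PP2_SIG[12] =
    {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};
struct pp2_info { uint8_t ver_cmd, fam; uint16_t addr_len; uint8_t addr[PP2_MAX_ADDR]; };

/* Build a header carrying the given length field (constructed test input). */
void pp2_make_hdr(uint8_t *buf, uint16_t len)
{
    memcpy(buf, PP2_SIG, sizeof PP2_SIG);
    buf[12] = 0x21; buf[13] = 0x11;           /* v2 PROXY, TCP over IPv4 */
    buf[14] = (uint8_t)(len >> 8); buf[15] = (uint8_t)len;
}

/* Flawed pattern: length kept in a signed type, only the upper bound tested.
 * Returns 1 when the check would let the read go ahead. */
int pp2_signed_check_accepts(const uint8_t *hdr)
{
    /* 0xFFF0 becomes -16 on mainstream two's-complement compilers */
    int16_t len = (int16_t)((hdr[14] << 8) | hdr[15]);
    return !(len > (int)PP2_MAX_ADDR);  /* negative passes; (size_t)len is huge */
}

/* Hardened: unsigned length, bounded by destination and by bytes received. */
int pp2_parse(const uint8_t *in, size_t in_len, struct pp2_info *out)
{
    if (in_len < PP2_HDR_LEN || memcmp(in, PP2_SIG, sizeof PP2_SIG) != 0)
        return -1;                            /* short, or not PROXY v2 */
    if ((in[12] >> 4) != 2)
        return -2;                            /* wrong version nibble */
    size_t len = ((size_t)in[14] << 8) | in[15];
    if (len > sizeof out->addr)
        return -3;                            /* would overflow destination */
    if (len > in_len - PP2_HDR_LEN)
        return -4;                            /* claims more than was received */
    out->ver_cmd = in[12]; out->fam = in[13]; out->addr_len = (uint16_t)len;
    memcpy(out->addr, in + PP2_HDR_LEN, len);
    return 0;
}

int main(void)
{
    uint8_t pkt[PP2_HDR_LEN + 12] = {0};
    struct pp2_info info;
    pp2_make_hdr(pkt, 0xFFF0);                /* constructed hostile length */
    printf("signed check accepts: %d, hardened parse: %d\n",
           pp2_signed_check_accepts(pkt), pp2_parse(pkt, sizeof pkt, &info));
    return 0;
}
```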
To generate a diff of this commit:
cvs rdiff -u -r1.131 -r1.132 pkgsrc/net/rsync/Makefile
cvs rdiff -u -r1.64 -r1.65 pkgsrc/net/rsync/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/net/rsync/patches/patch-sender.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/net/rsync/Makefile
diff -u pkgsrc/net/rsync/Makefile:1.131 pkgsrc/net/rsync/Makefile:1.132
--- pkgsrc/net/rsync/Makefile:1.131 Mon Mar 16 16:05:56 2026
+++ pkgsrc/net/rsync/Makefile Mon May 11 06:21:51 2026
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.131 2026/03/16 16:05:56 kim Exp $
+# $NetBSD: Makefile,v 1.132 2026/05/11 06:21:51 adam Exp $
-DISTNAME= rsync-3.4.1
-PKGREVISION= 1
+DISTNAME= rsync-3.4.2
CATEGORIES= net
MASTER_SITES= http://rsync.samba.org/ftp/rsync/
MASTER_SITES+= http://rsync.samba.org/ftp/rsync/old-versions/
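Review bot: The MASTER_SITES context lines at the end of this hunk still point at plain http:// URLs, so for the new rsync-3.4.2 distfile the distinfo checksums are the only integrity check on the download; consider moving both entries to https:// in the same bump if the mirror serves it. Dropping PKGREVISION together with the DISTNAME change is correct for a version update.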
Index: pkgsrc/net/rsync/distinfo
diff -u pkgsrc/net/rsync/distinfo:1.64 pkgsrc/net/rsync/distinfo:1.65
--- pkgsrc/net/rsync/distinfo:1.64 Mon Mar 16 16:05:56 2026
+++ pkgsrc/net/rsync/distinfo Mon May 11 06:21:51 2026
@@ -1,8 +1,7 @@
-$NetBSD: distinfo,v 1.64 2026/03/16 16:05:56 kim Exp $
+$NetBSD: distinfo,v 1.65 2026/05/11 06:21:51 adam Exp $
-BLAKE2s (rsync-3.4.1.tar.gz) = 7a433af3dc309baa0573a8d204ae492da6a49d7b7aa19d31675d2717c4b5c2c8
-SHA512 (rsync-3.4.1.tar.gz) = a3ecde4843ddb795308dca88581b868ac0221eb6f88a1477d7a9a2ecb4e4686042966bdddbab40866f90a4715d3104daa7b83222ddf0f3387b796a86bde8e5c2
-Size (rsync-3.4.1.tar.gz) = 1172739 bytes
+BLAKE2s (rsync-3.4.2.tar.gz) = 45b332162e527bcc84e577be98e134a8645e2e15482ddb91d7cd02934161eb45
+SHA512 (rsync-3.4.2.tar.gz) = 74f623e7f5234ffc12fc60d30f4439bc18796404c866365b7c3bfda87f42b33fc01ce6060187534b6b47d799f5b47fcdb84717faff88b6ce30eb230f1b93afe7
+Size (rsync-3.4.2.tar.gz) = 1190383 bytes
SHA1 (patch-Makefile.in) = 34c3cc57846e451a0adbd19fcb19ae682b7e1ae3
SHA1 (patch-acls.c) = 9be60c0c1abedc961fa95bba2bb23d802a09bc62
-SHA1 (patch-sender.c) = 81324c3ff32a12f27e0e95657f440752fe6e87d0
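Review bot: The removed SHA1 (patch-sender.c) line matches the file removal listed in the commit, but the log message never says what patch-sender.c changed or that 3.4.2 carries an equivalent fix; add a line to the log stating that the patch was merged upstream, or why it is no longer needed, so the drop can be audited later. The new BLAKE2s, SHA512 and Size entries should also be confirmed against a freshly fetched rsync-3.4.2.tar.gz, since they are the only pin on the distfile.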