pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/pkgsrc-2017Q4]: pkgsrc/net/rsync Pullup ticket #5671 - requested by snj
details: https://anonhg.NetBSD.org/pkgsrc/rev/9b1c58501667
branches: pkgsrc-2017Q4
changeset: 373099:9b1c58501667
user: spz <spz%pkgsrc.org@localhost>
date: Sat Jan 06 22:51:51 2018 +0000
description:
Pullup ticket #5671 - requested by snj
net/rsync: security patch
Revisions pulled up:
- net/rsync/Makefile 1.106
- net/rsync/distinfo 1.46
- net/rsync/patches/patch-receiver.c 1.1
- net/rsync/patches/patch-rsync.c 1.1
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: snj
Date: Sun Dec 31 20:55:43 UTC 2017
Modified Files:
pkgsrc/net/rsync: Makefile distinfo
Added Files:
pkgsrc/net/rsync/patches: patch-receiver.c patch-rsync.c
Log Message:
net/rsync: Fix CVE-2017-17433 and CVE-2017-17434.
Bump PKGREVISION to 2.
To generate a diff of this commit:
cvs rdiff -u -r1.105 -r1.106 pkgsrc/net/rsync/Makefile
cvs rdiff -u -r1.45 -r1.46 pkgsrc/net/rsync/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/net/rsync/patches/patch-receiver.c \
pkgsrc/net/rsync/patches/patch-rsync.c
diffstat:
net/rsync/Makefile | 4 +-
net/rsync/distinfo | 4 ++-
net/rsync/patches/patch-receiver.c | 47 ++++++++++++++++++++++++++++++++++++++
net/rsync/patches/patch-rsync.c | 28 ++++++++++++++++++++++
4 files changed, 80 insertions(+), 3 deletions(-)
diffs (112 lines):
diff -r aa3b81f7d8ab -r 9b1c58501667 net/rsync/Makefile
--- a/net/rsync/Makefile Thu Jan 04 22:20:47 2018 +0000
+++ b/net/rsync/Makefile Sat Jan 06 22:51:51 2018 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.105 2017/11/10 06:59:16 spz Exp $
+# $NetBSD: Makefile,v 1.105.2.1 2018/01/06 22:51:51 spz Exp $
DISTNAME= rsync-3.1.2
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= net
MASTER_SITES= http://rsync.samba.org/ftp/rsync/
MASTER_SITES+= http://rsync.samba.org/ftp/rsync/old-versions/
diff -r aa3b81f7d8ab -r 9b1c58501667 net/rsync/distinfo
--- a/net/rsync/distinfo Thu Jan 04 22:20:47 2018 +0000
+++ b/net/rsync/distinfo Sat Jan 06 22:51:51 2018 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.45 2017/11/10 06:59:16 spz Exp $
+$NetBSD: distinfo,v 1.45.2.1 2018/01/06 22:51:51 spz Exp $
SHA1 (rsync-3.1.2.tar.gz) = 0d4c7fb7fe3fc80eeff922a7c1d81df11dbb8a1a
RMD160 (rsync-3.1.2.tar.gz) = f7d6c0c9752af8d9eb933cffc6032c1763490a04
@@ -7,4 +7,6 @@
SHA1 (patch-Makefile.in) = df3479e93de86524a391433a3d6e6108a797835a
SHA1 (patch-ab) = 98aa07a50314e3309b48f803d6febb1138eae1f2
SHA1 (patch-authenticate.c) = 0612fb141cea1509b882df78f1b90fa52b1092b0
+SHA1 (patch-receiver.c) = 5bf0b7ceaaf79e0fd5f93e1c433162e9248fe37c
+SHA1 (patch-rsync.c) = e390038a9592d9bc3e77ebc2aabfa62bdd6778b3
SHA1 (patch-xattrs.c) = 9883ea79a60c786dd5a3dc74f4872621823c9377
diff -r aa3b81f7d8ab -r 9b1c58501667 net/rsync/patches/patch-receiver.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rsync/patches/patch-receiver.c Sat Jan 06 22:51:51 2018 +0000
@@ -0,0 +1,47 @@
+$NetBSD: patch-receiver.c,v 1.1.2.2 2018/01/06 22:51:51 spz Exp $
+
+Fix for CVE-2017-17433, taken from:
+
+https://git.samba.org/?p=rsync.git;a=commitdiff;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
+
+Fix for CVE-2017-17434, taken from:
+
+https://git.samba.org/?p=rsync.git;a=commitdiff;h=5509597decdbd7b91994210f700329d8a35e70a1
+
+--- receiver.c.orig 2015-09-07 10:07:17.000000000 -0700
++++ receiver.c 2017-12-31 12:46:27.078487190 -0800
+@@ -580,6 +580,12 @@ int recv_files(int f_in, int f_out, char
+ file = dir_flist->files[cur_flist->parent_ndx];
+ fname = local_name ? local_name : f_name(file, fbuf);
+
++ if (daemon_filter_list.head
++ && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
++ rprintf(FERROR, "attempt to hack rsync failed.\n");
++ exit_cleanup(RERR_PROTOCOL);
++ }
++
+ if (DEBUG_GTE(RECV, 1))
+ rprintf(FINFO, "recv_files(%s)\n", fname);
+
+@@ -651,12 +657,6 @@ int recv_files(int f_in, int f_out, char
+
+ cleanup_got_literal = 0;
+
+- if (daemon_filter_list.head
+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
+- rprintf(FERROR, "attempt to hack rsync failed.\n");
+- exit_cleanup(RERR_PROTOCOL);
+- }
+-
+ if (read_batch) {
+ int wanted = redoing
+ ? we_want_redo(ndx)
+@@ -728,7 +728,7 @@ int recv_files(int f_in, int f_out, char
+ break;
+ }
+ if (!fnamecmp || (daemon_filter_list.head
+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0)) {
++ && check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0)) {
+ fnamecmp = fname;
+ fnamecmp_type = FNAMECMP_FNAME;
+ }
diff -r aa3b81f7d8ab -r 9b1c58501667 net/rsync/patches/patch-rsync.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/net/rsync/patches/patch-rsync.c Sat Jan 06 22:51:51 2018 +0000
@@ -0,0 +1,28 @@
+$NetBSD: patch-rsync.c,v 1.1.2.2 2018/01/06 22:51:51 spz Exp $
+
+Fix for CVE-2017-17434, taken from:
+
+https://git.samba.org/?p=rsync.git;a=commitdiff;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
+
+--- rsync.c.orig 2015-08-08 12:47:03.000000000 -0700
++++ rsync.c 2017-12-31 12:40:50.353165397 -0800
+@@ -49,6 +49,7 @@ extern int flist_eof;
+ extern int file_old_total;
+ extern int keep_dirlinks;
+ extern int make_backups;
++extern int sanitize_paths;
+ extern struct file_list *cur_flist, *first_flist, *dir_flist;
+ extern struct chmod_mode_struct *daemon_chmod_modes;
+ #ifdef ICONV_OPTION
+@@ -396,6 +397,11 @@ int read_ndx_and_attrs(int f_in, int f_o
+ if (iflags & ITEM_XNAME_FOLLOWS) {
+ if ((len = read_vstring(f_in, buf, MAXPATHLEN)) < 0)
+ exit_cleanup(RERR_PROTOCOL);
++
++ if (sanitize_paths) {
++ sanitize_path(buf, buf, "", 0, SP_DEFAULT);
++ len = strlen(buf);
++ }
+ } else {
+ *buf = '\0';
+ len = -1;
Home |
Main Index |
Thread Index |
Old Index