

CVS commit: [pkgsrc-2017Q3] pkgsrc/net/rsync



Module Name:    pkgsrc
Committed By:   spz
Date:           Sun Nov 12 12:27:21 UTC 2017

Modified Files:
        pkgsrc/net/rsync [pkgsrc-2017Q3]: Makefile distinfo
Added Files:
        pkgsrc/net/rsync/patches [pkgsrc-2017Q3]: patch-authenticate.c
            patch-xattrs.c

Log Message:
Pullup ticket #5640 - requested by sevan
net/rsync: security patch

Revisions pulled up:
- net/rsync/Makefile                                            1.105
- net/rsync/distinfo                                            1.45
- net/rsync/patches/patch-authenticate.c                        1.3
- net/rsync/patches/patch-xattrs.c                              1.1

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   spz
   Date:           Fri Nov 10 06:59:16 UTC 2017

   Modified Files:
           pkgsrc/net/rsync: Makefile distinfo
   Added Files:
           pkgsrc/net/rsync/patches: patch-authenticate.c patch-xattrs.c

   Log Message:
   patch for CVE-2017-16548, mitigation for weak checksums

   To generate a diff of this commit:
   cvs rdiff -u -r1.104 -r1.105 pkgsrc/net/rsync/Makefile
   cvs rdiff -u -r1.44 -r1.45 pkgsrc/net/rsync/distinfo
   cvs rdiff -u -r0 -r1.3 pkgsrc/net/rsync/patches/patch-authenticate.c
   cvs rdiff -u -r0 -r1.1 pkgsrc/net/rsync/patches/patch-xattrs.c


To generate a diff of this commit:
cvs rdiff -u -r1.104 -r1.104.8.1 pkgsrc/net/rsync/Makefile
cvs rdiff -u -r1.44 -r1.44.18.1 pkgsrc/net/rsync/distinfo
cvs rdiff -u -r0 -r1.3.2.2 pkgsrc/net/rsync/patches/patch-authenticate.c
cvs rdiff -u -r0 -r1.1.2.2 pkgsrc/net/rsync/patches/patch-xattrs.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/rsync/Makefile
diff -u pkgsrc/net/rsync/Makefile:1.104 pkgsrc/net/rsync/Makefile:1.104.8.1
--- pkgsrc/net/rsync/Makefile:1.104     Thu Jan 19 18:52:20 2017
+++ pkgsrc/net/rsync/Makefile   Sun Nov 12 12:27:20 2017
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.104 2017/01/19 18:52:20 agc Exp $
+# $NetBSD: Makefile,v 1.104.8.1 2017/11/12 12:27:20 spz Exp $
 
 DISTNAME=      rsync-3.1.2
+PKGREVISION=   1
 CATEGORIES=    net
 MASTER_SITES=  http://rsync.samba.org/ftp/rsync/
 MASTER_SITES+= http://rsync.samba.org/ftp/rsync/old-versions/
@@ -18,6 +19,8 @@ CONFIGURE_ARGS+=      --with-included-popt
 CONFIGURE_ARGS+=       --with-rsyncd-conf=${PKG_SYSCONFDIR}/rsyncd.conf
 TEST_TARGET=           test
 
+USE_TOOLS+=    perl
+
 PKG_SYSCONFSUBDIR=     rsync
 
 RCD_SCRIPTS=           rsyncd

Index: pkgsrc/net/rsync/distinfo
diff -u pkgsrc/net/rsync/distinfo:1.44 pkgsrc/net/rsync/distinfo:1.44.18.1
--- pkgsrc/net/rsync/distinfo:1.44      Wed Dec 23 19:53:24 2015
+++ pkgsrc/net/rsync/distinfo   Sun Nov 12 12:27:20 2017
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.44 2015/12/23 19:53:24 ryoon Exp $
+$NetBSD: distinfo,v 1.44.18.1 2017/11/12 12:27:20 spz Exp $
 
 SHA1 (rsync-3.1.2.tar.gz) = 0d4c7fb7fe3fc80eeff922a7c1d81df11dbb8a1a
 RMD160 (rsync-3.1.2.tar.gz) = f7d6c0c9752af8d9eb933cffc6032c1763490a04
@@ -6,3 +6,5 @@ SHA512 (rsync-3.1.2.tar.gz) = 4c55fd69f4
 Size (rsync-3.1.2.tar.gz) = 892724 bytes
 SHA1 (patch-Makefile.in) = df3479e93de86524a391433a3d6e6108a797835a
 SHA1 (patch-ab) = 98aa07a50314e3309b48f803d6febb1138eae1f2
+SHA1 (patch-authenticate.c) = 0612fb141cea1509b882df78f1b90fa52b1092b0
+SHA1 (patch-xattrs.c) = 9883ea79a60c786dd5a3dc74f4872621823c9377

Added files:

Index: pkgsrc/net/rsync/patches/patch-authenticate.c
diff -u /dev/null pkgsrc/net/rsync/patches/patch-authenticate.c:1.3.2.2
--- /dev/null   Sun Nov 12 12:27:21 2017
+++ pkgsrc/net/rsync/patches/patch-authenticate.c       Sun Nov 12 12:27:20 2017
@@ -0,0 +1,29 @@
+$NetBSD: patch-authenticate.c,v 1.3.2.2 2017/11/12 12:27:20 spz Exp $
+
+3.1.2 is not vulnerable to CVE-2017-15994, the code is different,
+but not allowing fallback to MD4 for passwords is a good idea by now.
+Patch from
+https://git.samba.org/?p=rsync.git;a=blobdiff;f=authenticate.c;h=a106b0f60a8cb88e37080bc5e2a58ce28c66f379;hp=d60ee20b6b53a9351efbdf175f36525ead220de6;hb=9a480deec4d20277d8e20bc55515ef0640ca1e55;hpb=c252546ceeb0925eb8a4061315e3ff0a8c55b48b
+
+--- authenticate.c.orig        2015-08-24 18:54:00.000000000 +0000
++++ authenticate.c
+@@ -22,6 +22,7 @@
+ #include "itypes.h"
+ 
+ extern int read_only;
++extern int protocol_version;
+ extern char *password_file;
+ 
+ /***************************************************************************
+@@ -237,6 +238,11 @@ char *auth_server(int f_in, int f_out, i
+       if (!users || !*users)
+               return "";
+ 
++      if (protocol_version < 21) { /* Don't allow a weak checksum for the password. */
++              rprintf(FERROR, "ERROR: protocol version is too old!\n");
++              exit_cleanup(RERR_PROTOCOL);
++      }
++
+       gen_challenge(addr, challenge);
+ 
+       io_printf(f_out, "%s%s\n", leader, challenge);
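Review bot: The inline comment on the new `if (protocol_version < 21)` line says a weak checksum is being refused but not why 21 is the cut-off, and the patch header only links the upstream commit. Presumably 21 is the first protocol version whose password challenge uses the stronger digest, but that cannot be confirmed from this hunk, so the comment should be moved above the condition and say so explicitly: `/* Protocol < 21 would hash the password with the weaker digest; refuse instead of falling back (threshold per upstream commit, TODO confirm). */`. It is also worth noting in the header that the check sits after `if (!users || !*users) return "";`, so modules without configured users still accept older protocol versions, which looks intentional since no password is at stake there. auth_server begins and ends outside the hunk.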

Index: pkgsrc/net/rsync/patches/patch-xattrs.c
diff -u /dev/null pkgsrc/net/rsync/patches/patch-xattrs.c:1.1.2.2
--- /dev/null   Sun Nov 12 12:27:21 2017
+++ pkgsrc/net/rsync/patches/patch-xattrs.c     Sun Nov 12 12:27:20 2017
@@ -0,0 +1,18 @@
+$NetBSD: patch-xattrs.c,v 1.1.2.2 2017/11/12 12:27:20 spz Exp $
+
+patch for CVE-2017-16548 from
+https://git.samba.org/rsync.git/?p=rsync.git;a=blobdiff;f=xattrs.c;h=4867e6f5b8ad2934d43b06f3b99b7b3690a6dc7a;hp=68305d7559b34f5cc2f196b74429b82fa6ff49dd;hb=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1;hpb=bc112b0e7feece62ce98708092306639a8a53cce
+
+--- xattrs.c.orig      2015-08-08 19:47:03.000000000 +0000
++++ xattrs.c
+@@ -696,6 +696,10 @@ void receive_xattr(int f, struct file_st
+                       out_of_memory("receive_xattr");
+               name = ptr + dget_len + extra_len;
+               read_buf(f, name, name_len);
++              if (name_len < 1 || name[name_len-1] != '\0') {
++                      rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n");
++                      exit_cleanup(RERR_FILEIO);
++              }
+               if (dget_len == datum_len)
+                       read_buf(f, ptr, dget_len);
+               else {
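Review bot: The new check `if (name_len < 1 || name[name_len-1] != '\0')` runs only after read_buf has already copied name_len bytes into name, so it is sound only if the buffer was sized from name_len earlier in receive_xattr, which is outside the hunk and cannot be verified here. The check also admits a name with an embedded NUL before the last byte, which would silently shorten the name wherever it is later treated as a C string; whether that matters depends on the consumer, so it is a point to note rather than a defect. A why-comment tying the check to the issue it fixes would help the next reader: `/* name is used as a C string below; reject unterminated input (CVE-2017-16548). */`. receive_xattr begins and ends outside the hunk.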


