CVS commit: pkgsrc/net/rsync

["Kimmo Suominen" <kim%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   kim
Date:           Mon Mar 16 16:05:56 UTC 2026

Modified Files:
        pkgsrc/net/rsync: Makefile distinfo
Added Files:
        pkgsrc/net/rsync/patches: patch-sender.c

Log Message:
rsync: Patch for CVE-2025-10158


To generate a diff of this commit:
cvs rdiff -u -r1.130 -r1.131 pkgsrc/net/rsync/Makefile
cvs rdiff -u -r1.63 -r1.64 pkgsrc/net/rsync/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/net/rsync/patches/patch-sender.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/rsync/Makefile
diff -u pkgsrc/net/rsync/Makefile:1.130 pkgsrc/net/rsync/Makefile:1.131
--- pkgsrc/net/rsync/Makefile:1.130     Thu Jan 16 01:04:40 2025
+++ pkgsrc/net/rsync/Makefile   Mon Mar 16 16:05:56 2026
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.130 2025/01/16 01:04:40 tnn Exp $
+# $NetBSD: Makefile,v 1.131 2026/03/16 16:05:56 kim Exp $
 
 DISTNAME=      rsync-3.4.1
+PKGREVISION=   1
 CATEGORIES=    net
 MASTER_SITES=  http://rsync.samba.org/ftp/rsync/
 MASTER_SITES+= http://rsync.samba.org/ftp/rsync/old-versions/

Index: pkgsrc/net/rsync/distinfo
diff -u pkgsrc/net/rsync/distinfo:1.63 pkgsrc/net/rsync/distinfo:1.64
--- pkgsrc/net/rsync/distinfo:1.63      Thu Jan 16 01:04:40 2025
+++ pkgsrc/net/rsync/distinfo   Mon Mar 16 16:05:56 2026
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.63 2025/01/16 01:04:40 tnn Exp $
+$NetBSD: distinfo,v 1.64 2026/03/16 16:05:56 kim Exp $
 
 BLAKE2s (rsync-3.4.1.tar.gz) = 7a433af3dc309baa0573a8d204ae492da6a49d7b7aa19d31675d2717c4b5c2c8
 SHA512 (rsync-3.4.1.tar.gz) = a3ecde4843ddb795308dca88581b868ac0221eb6f88a1477d7a9a2ecb4e4686042966bdddbab40866f90a4715d3104daa7b83222ddf0f3387b796a86bde8e5c2
 Size (rsync-3.4.1.tar.gz) = 1172739 bytes
 SHA1 (patch-Makefile.in) = 34c3cc57846e451a0adbd19fcb19ae682b7e1ae3
 SHA1 (patch-acls.c) = 9be60c0c1abedc961fa95bba2bb23d802a09bc62
+SHA1 (patch-sender.c) = 81324c3ff32a12f27e0e95657f440752fe6e87d0

Added files:

Index: pkgsrc/net/rsync/patches/patch-sender.c
diff -u /dev/null pkgsrc/net/rsync/patches/patch-sender.c:1.1
--- /dev/null   Mon Mar 16 16:05:56 2026
+++ pkgsrc/net/rsync/patches/patch-sender.c     Mon Mar 16 16:05:56 2026
@@ -0,0 +1,30 @@
+$NetBSD: patch-sender.c,v 1.1 2026/03/16 16:05:56 kim Exp $
+
+https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f.patch
+
+From: Andrew Tridgell <andrew%tridgell.net@localhost>
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: [PATCH] fixed an invalid access to files array
+
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+
+Many thanks to Calum and Rapid7 for finding and reporting this
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sender.c b/sender.c
+index a4d46c39e..b1588b701 100644
+--- sender.c
++++ sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+ 
+               if (ndx - cur_flist->ndx_start >= 0)
+                       file = cur_flist->files[ndx - cur_flist->ndx_start];
++              else if (cur_flist->parent_ndx < 0)
++                      exit_cleanup(RERR_PROTOCOL);
+               else
+                       file = dir_flist->files[cur_flist->parent_ndx];
+               if (F_PATHNAME(file)) {