CVS commit: pkgsrc/net/rsync

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Thu May 21 09:13:07 UTC 2026

Modified Files:
        pkgsrc/net/rsync: Makefile distinfo

Log Message:
rsync: updated to 3.4.3

rsync 3.4.3 (20 May 2026)

Changes in this version:

SECURITY FIXES:

Six CVEs are fixed in this release.  All six are assigned by
VulnCheck as CNA.  Affected versions are 3.4.2 and earlier in every
case.  Three of the six (CVE-2026-29518, CVE-2026-43617,
CVE-2026-43619) require non-default daemon configuration to reach:
the first and third need `use chroot = no` for a module, the second
needs `daemon chroot = ...` set in rsyncd.conf.  Two (CVE-2026-43618,
CVE-2026-43620) are reachable from a normal pull or a normal
authenticated daemon connection.  The sixth (CVE-2026-45232) is
reachable only when `RSYNC_PROXY` is set and the proxy (or a MITM)
returns a pathological response.  Many thanks to the external
researchers who reported these issues.

- CVE-2026-29518 (CVSS v4.0 7.3, HIGH): TOCTOU symlink race condition
  allowing local privilege escalation in daemon mode without chroot.
  An rsync daemon configured with "use chroot = no" was exposed to a
  time-of-check / time-of-use race on parent path components: a local
  attacker with write access to a module could replace a parent
  directory component with a symlink between the receiver's check and
  its open(), redirecting reads (basis-file disclosure) and writes
  (file overwrite) outside the module.  Default "use chroot = yes" is
  not exposed.  `secure_relative_open()` (added in 3.4.0 for
  CVE-2024-12086) was previously unused in the daemon-no-chroot
  case; the fix enables it there and reroutes the sender's
  read-path opens through it.  Reported by Nullx3D (Batuhan Sancak),
  Damien Neil and Michael Stapelberg.

- CVE-2026-43617 (CVSS v3.1 4.8, MEDIUM): Hostname/ACL bypass on an
  rsync daemon configured with `daemon chroot = /X` in rsyncd.conf
  when the chroot tree lacks DNS resolution support.  The
  reverse-DNS lookup of the connecting client was performed *after*
  the daemon chroot had been entered; if /X did not contain the
  libc resolver fixtures (`/etc/resolv.conf`, `/etc/nsswitch.conf`,
  `/etc/hosts`, NSS service modules) the lookup failed and the
  connecting hostname was set to "UNKNOWN", causing hostname-based
  deny rules to silently fail open.  IP-based ACLs are unaffected.
  The per-module `use chroot` setting is unrelated to this issue.
  The fix performs the lookup before entering the daemon chroot.
  Reported by MegaManSec.

- CVE-2026-43618 (CVSS v3.1 8.1, HIGH): Integer overflow in the
  compressed-token decoder enabling remote memory disclosure to an
  authenticated daemon peer.  The receiver accumulated a 32-bit
  signed counter without overflow checking; a malicious sender could
  trigger an overflow that, with careful manipulation, leaked process
  memory contents to the attacker -- environment variables,
  passwords, heap and library pointers -- significantly weakening
  ASLR.  The fix bounds the counter and adds wire-input validation in
  several adjacent places (defence-in-depth).  Workaround for older
  releases: `refuse options = compress` in rsyncd.conf.  Reported by
  Omar Elsayed.

- CVE-2026-43619 (CVSS v3.1 6.3, MEDIUM): Symlink races on path-based
  system calls in "use chroot = no" daemon mode (generalisation of
  CVE-2026-29518).  Earlier fixes for symlink races on the receiver's
  open() call missed the same race class on every other path-based
  system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink,
  mknod, link, rmdir and lstat.  The fix routes each affected
  path-based syscall through a parent dirfd opened under
  RESOLVE_BENEATH-equivalent kernel-enforced confinement (openat2 on
  Linux 5.6+, O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+,
  per-component O_NOFOLLOW walk elsewhere).  Default "use chroot =
  yes" is not exposed.  Reported by Andrew Tridgell as a follow-on
  audit of CVE-2026-29518.

- CVE-2026-43620 (CVSS v3.1 6.5, MEDIUM): Out-of-bounds read in the
  receiver's recv_files() enabling remote denial-of-service of any
  client pulling from a malicious server (incomplete fix of commit
  797e17f).  The earlier parent_ndx<0 guard added to send_files() was
  not applied to the visually-identical block in recv_files().  A
  malicious rsync server can drive any connecting client into a
  deterministic SIGSEGV by setting CF_INC_RECURSE in the
  compatibility flags and sending a crafted file list and transfer
  record.  inc_recurse is the protocol-30+ default, so no special
  options are required on the victim.  Workaround for older
  releases: `--no-inc-recursive` on the client.  Reported by Pratham
  Gupta.

- CVE-2026-45232 (CVSS v3.1 3.1, LOW): Off-by-one out-of-bounds stack
  write in the rsync client's HTTP CONNECT proxy handler
  (`establish_proxy_connection()` in `socket.c`).  After issuing the
  CONNECT request, rsync read the proxy's first response line one
  byte at a time into a 1024-byte stack buffer with the bound
  `cp < &buffer[sizeof buffer - 1]`.  If the proxy (or a MITM in
  front of it) returned 1023+ bytes on that first line without a
  newline terminator, `cp` exited the loop pointing at a buffer slot
  the loop never wrote, leaving `*cp` holding stale stack data from
  the earlier `snprintf()` of the outgoing CONNECT request.  The
  post-loop logic then wrote a single `\0` one byte past the end of
  the buffer on the stack.  Reach is client-side only, and only when
  `RSYNC_PROXY` is set so rsync tunnels an `rsync://` connection
  through an HTTP CONNECT proxy.  The written byte is always `\0`
  and the offset is fixed by the buffer size, not attacker-chosen,
  so this is not an arbitrary-write primitive: practical impact is
  corruption of one adjacent stack byte and possible later
  misbehaviour or crash.  The fix detects the "buffer filled without
  finding `\n`" case explicitly by position and refuses the response
  with "proxy response line too long".  Reported by Aisle Research
  via Michal Ruprich (rsync-3.4.1-2.el10 QE).

In addition to the six CVE fixes, this release adds defence-in-depth
hardening on several adjacent paths: bounded wire-supplied counts and
lengths in flist/io/acls/xattrs, a guard against length underflow in
cumulative `snprintf()` callers, a parent block-index bounds check on
the receiver, a NULL check in `read_delay_line()`, a lower ceiling on
`MAX_WIRE_DEL_STAT` to avoid signed-int overflow in the
`read_del_stats()` accumulator, rejection of hyphen-prefixed
remote-shell hostnames (defence-in-depth against argv-injection in
tooling that forwards untrusted input into the hostspec position;
reported by Aisle Research via Michal Ruprich), and a NULL-check on
`localtime_r()` in `timestring()` to keep a malicious server from
crashing the client by advertising a file with an out-of-range
modtime.

BUG FIXES:

- Fixed a regression introduced by the 3.4.0 secure_relative_open()
  CVE fix where legitimate directory symlinks on the receiver side
  (e.g. when using `-K` / `--copy-dirlinks`) caused "failed
  verification -- update discarded" errors on delta transfers. The
  old code rejected every symlink in the path with a per-component
  `O_NOFOLLOW` walk; the receiver now uses kernel-enforced "stay
  below dirfd" path resolution where available.

PORTABILITY / BUILD:

- secure_relative_open() now uses `openat2(RESOLVE_BENEATH |
  RESOLVE_NO_MAGICLINKS)` on Linux 5.6+, and `openat()` with
  `O_RESOLVE_BENEATH` on FreeBSD 13+ and macOS 15+ (Sequoia) /
  iOS 18+. The kernel rejects ".." escapes, absolute symlinks, and
  symlinks whose target lies outside the starting directory, while
  still following symlinks that resolve within it -- the same
  trade-off that fixes the issue 715 regression without weakening
  the original CVE protection. Other platforms (Solaris, OpenBSD,
  NetBSD, Cygwin) retain the previous per-component `O_NOFOLLOW`
  walk; on those platforms the issue 715 regression remains
  visible.

- testsuite/xattrs: ignore `SUNWattr_*` in the Solaris `xls`
  helper.


To generate a diff of this commit:
cvs rdiff -u -r1.132 -r1.133 pkgsrc/net/rsync/Makefile
cvs rdiff -u -r1.65 -r1.66 pkgsrc/net/rsync/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/rsync/Makefile
diff -u pkgsrc/net/rsync/Makefile:1.132 pkgsrc/net/rsync/Makefile:1.133
--- pkgsrc/net/rsync/Makefile:1.132     Mon May 11 06:21:51 2026
+++ pkgsrc/net/rsync/Makefile   Thu May 21 09:13:07 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.132 2026/05/11 06:21:51 adam Exp $
+# $NetBSD: Makefile,v 1.133 2026/05/21 09:13:07 adam Exp $
 
-DISTNAME=      rsync-3.4.2
+DISTNAME=      rsync-3.4.3
 CATEGORIES=    net
 MASTER_SITES=  http://rsync.samba.org/ftp/rsync/
 MASTER_SITES+= http://rsync.samba.org/ftp/rsync/old-versions/

Index: pkgsrc/net/rsync/distinfo
diff -u pkgsrc/net/rsync/distinfo:1.65 pkgsrc/net/rsync/distinfo:1.66
--- pkgsrc/net/rsync/distinfo:1.65      Mon May 11 06:21:51 2026
+++ pkgsrc/net/rsync/distinfo   Thu May 21 09:13:07 2026
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.65 2026/05/11 06:21:51 adam Exp $
+$NetBSD: distinfo,v 1.66 2026/05/21 09:13:07 adam Exp $
 
-BLAKE2s (rsync-3.4.2.tar.gz) = 45b332162e527bcc84e577be98e134a8645e2e15482ddb91d7cd02934161eb45
-SHA512 (rsync-3.4.2.tar.gz) = 74f623e7f5234ffc12fc60d30f4439bc18796404c866365b7c3bfda87f42b33fc01ce6060187534b6b47d799f5b47fcdb84717faff88b6ce30eb230f1b93afe7
-Size (rsync-3.4.2.tar.gz) = 1190383 bytes
+BLAKE2s (rsync-3.4.3.tar.gz) = 555d685bab1140ae36af9ffa20ae2c899daaf4ea6a24e7bb79cdae236bd55539
+SHA512 (rsync-3.4.3.tar.gz) = 1bf2d7cea7a42c9cd070ffaa5e9e029fbce2c18973d8e946f2a6a91c781d2f3ff2449a8ff2431206396caf1f7d9901865f10772c09019d93318e26196160644f
+Size (rsync-3.4.3.tar.gz) = 1216482 bytes
 SHA1 (patch-Makefile.in) = 34c3cc57846e451a0adbd19fcb19ae682b7e1ae3
 SHA1 (patch-acls.c) = 9be60c0c1abedc961fa95bba2bb23d802a09bc62