pkgsrc-Changes archive


CVS commit: [pkgsrc-2026Q1] pkgsrc/net/rsync



Module Name:    pkgsrc
Committed By:   maya
Date:           Thu May 21 14:46:14 UTC 2026

Modified Files:
        pkgsrc/net/rsync [pkgsrc-2026Q1]: Makefile distinfo

Log Message:
Pullup ticket #7126 - requested by taca
net/rsync: Security fix

Revisions pulled up:
- net/rsync/Makefile                                            1.133
- net/rsync/distinfo                                            1.66

---
   Module Name: pkgsrc
   Committed By:        adam
   Date:                Thu May 21 09:13:07 UTC 2026

   Modified Files:
        pkgsrc/net/rsync: Makefile distinfo

   Log Message:
   rsync: updated to 3.4.3

   rsync 3.4.3 (20 May 2026)

   Changes in this version:

   SECURITY FIXES:

   Six CVEs are fixed in this release.  All six are assigned by
   VulnCheck as CNA.  Affected versions are 3.4.2 and earlier in every
   case.  Three of the six (CVE-2026-29518, CVE-2026-43617,
   CVE-2026-43619) require non-default daemon configuration to reach:
   the first and third need `use chroot = no` for a module, the second
   needs `daemon chroot = ...` set in rsyncd.conf.  Two (CVE-2026-43618,
   CVE-2026-43620) are reachable from a normal pull or a normal
   authenticated daemon connection.  The sixth (CVE-2026-45232) is
   reachable only when `RSYNC_PROXY` is set and the proxy (or a MITM)
   returns a pathological response.  Many thanks to the external
   researchers who reported these issues.

   - CVE-2026-29518 (CVSS v4.0 7.3, HIGH): TOCTOU symlink race condition
     allowing local privilege escalation in daemon mode without chroot.
     An rsync daemon configured with "use chroot = no" was exposed to a
     time-of-check / time-of-use race on parent path components: a local
     attacker with write access to a module could replace a parent
     directory component with a symlink between the receiver's check and
     its open(), redirecting reads (basis-file disclosure) and writes
     (file overwrite) outside the module.  Default "use chroot = yes" is
     not exposed.  `secure_relative_open()` (added in 3.4.0 for
     CVE-2024-12086) was previously unused in the daemon-no-chroot
     case; the fix enables it there and reroutes the sender's
     read-path opens through it.  Reported by Nullx3D (Batuhan Sancak),
     Damien Neil and Michael Stapelberg.

   - CVE-2026-43617 (CVSS v3.1 4.8, MEDIUM): Hostname/ACL bypass on an
     rsync daemon configured with `daemon chroot = /X` in rsyncd.conf
     when the chroot tree lacks DNS resolution support.  The
     reverse-DNS lookup of the connecting client was performed *after*
     the daemon chroot had been entered; if /X did not contain the
     libc resolver fixtures (`/etc/resolv.conf`, `/etc/nsswitch.conf`,
     `/etc/hosts`, NSS service modules) the lookup failed and the
     connecting hostname was set to "UNKNOWN", causing hostname-based
     deny rules to silently fail open.  IP-based ACLs are unaffected.
     The per-module `use chroot` setting is unrelated to this issue.
     The fix performs the lookup before entering the daemon chroot.
     Reported by MegaManSec.

   - CVE-2026-43618 (CVSS v3.1 8.1, HIGH): Integer overflow in the
     compressed-token decoder enabling remote memory disclosure to an
     authenticated daemon peer.  The receiver accumulated a 32-bit
     signed counter without overflow checking; a malicious sender could
     trigger an overflow that, with careful manipulation, leaked process
     memory contents to the attacker -- environment variables,
     passwords, heap and library pointers -- significantly weakening
     ASLR.  The fix bounds the counter and adds wire-input validation in
     several adjacent places (defence-in-depth).  Workaround for older
     releases: `refuse options = compress` in rsyncd.conf.  Reported by
     Omar Elsayed.

   - CVE-2026-43619 (CVSS v3.1 6.3, MEDIUM): Symlink races on path-based
     system calls in "use chroot = no" daemon mode (generalisation of
     CVE-2026-29518).  Earlier fixes for symlink races on the receiver's
     open() call missed the same race class on every other path-based
     system call: chmod, lchown, utimes, rename, unlink, mkdir, symlink,
     mknod, link, rmdir and lstat.  The fix routes each affected
     path-based syscall through a parent dirfd opened under
     RESOLVE_BENEATH-equivalent kernel-enforced confinement (openat2 on
     Linux 5.6+, O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+,
     per-component O_NOFOLLOW walk elsewhere).  Default "use chroot =
     yes" is not exposed.  Reported by Andrew Tridgell as a follow-on
     audit of CVE-2026-29518.

   - CVE-2026-43620 (CVSS v3.1 6.5, MEDIUM): Out-of-bounds read in the
     receiver's recv_files() enabling remote denial-of-service of any
     client pulling from a malicious server (incomplete fix of commit
     797e17f).  The earlier parent_ndx<0 guard added to send_files() was
     not applied to the visually-identical block in recv_files().  A
     malicious rsync server can drive any connecting client into a
     deterministic SIGSEGV by setting CF_INC_RECURSE in the
     compatibility flags and sending a crafted file list and transfer
     record.  inc_recurse is the protocol-30+ default, so no special
     options are required on the victim.  Workaround for older
     releases: `--no-inc-recursive` on the client.  Reported by Pratham
     Gupta.

   - CVE-2026-45232 (CVSS v3.1 3.1, LOW): Off-by-one out-of-bounds stack
     write in the rsync client's HTTP CONNECT proxy handler
     (`establish_proxy_connection()` in `socket.c`).  After issuing the
     CONNECT request, rsync read the proxy's first response line one
     byte at a time into a 1024-byte stack buffer with the bound
     `cp < &buffer[sizeof buffer - 1]`.  If the proxy (or a MITM in
     front of it) returned 1023+ bytes on that first line without a
     newline terminator, `cp` exited the loop pointing at a buffer slot
     the loop never wrote, leaving `*cp` holding stale stack data from
     the earlier `snprintf()` of the outgoing CONNECT request.  The
     post-loop logic then wrote a single `\0` one byte past the end of
     the buffer on the stack.  Reach is client-side only, and only when
     `RSYNC_PROXY` is set so rsync tunnels an `rsync://` connection
     through an HTTP CONNECT proxy.  The written byte is always `\0`
     and the offset is fixed by the buffer size, not attacker-chosen,
     so this is not an arbitrary-write primitive: practical impact is
     corruption of one adjacent stack byte and possible later
     misbehaviour or crash.  The fix detects the "buffer filled without
     finding `\n`" case explicitly by position and refuses the response
     with "proxy response line too long".  Reported by Aisle Research
     via Michal Ruprich (rsync-3.4.1-2.el10 QE).

   In addition to the six CVE fixes, this release adds defence-in-depth
   hardening on several adjacent paths: bounded wire-supplied counts and
   lengths in flist/io/acls/xattrs, a guard against length underflow in
   cumulative `snprintf()` callers, a parent block-index bounds check on
   the receiver, a NULL check in `read_delay_line()`, a lower ceiling on
   `MAX_WIRE_DEL_STAT` to avoid signed-int overflow in the
   `read_del_stats()` accumulator, rejection of hyphen-prefixed
   remote-shell hostnames (defence-in-depth against argv-injection in
   tooling that forwards untrusted input into the hostspec position;
   reported by Aisle Research via Michal Ruprich), and a NULL-check on
   `localtime_r()` in `timestring()` to keep a malicious server from
   crashing the client by advertising a file with an out-of-range
   modtime.

   BUG FIXES:

   - Fixed a regression introduced by the 3.4.0 secure_relative_open()
     CVE fix where legitimate directory symlinks on the receiver side
     (e.g. when using `-K` / `--copy-dirlinks`) caused "failed
     verification -- update discarded" errors on delta transfers. The
     old code rejected every symlink in the path with a per-component
     `O_NOFOLLOW` walk; the receiver now uses kernel-enforced "stay
     below dirfd" path resolution where available.

   PORTABILITY / BUILD:

   - secure_relative_open() now uses `openat2(RESOLVE_BENEATH |
     RESOLVE_NO_MAGICLINKS)` on Linux 5.6+, and `openat()` with
     `O_RESOLVE_BENEATH` on FreeBSD 13+ and macOS 15+ (Sequoia) /
     iOS 18+. The kernel rejects ".." escapes, absolute symlinks, and
     symlinks whose target lies outside the starting directory, while
     still following symlinks that resolve within it -- the same
     trade-off that fixes the issue 715 regression without weakening
     the original CVE protection. Other platforms (Solaris, OpenBSD,
     NetBSD, Cygwin) retain the previous per-component `O_NOFOLLOW`
     walk; on those platforms the issue 715 regression remains
     visible.

   - testsuite/xattrs: ignore `SUNWattr_*` in the Solaris `xls`
     helper.
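
The per-component `O_NOFOLLOW` walk that the notes above name as the fallback on platforms without `RESOLVE_BENEATH` (NetBSD among them), as an added C example rather than rsync's own code; `open_beneath_nofollow()`, `demo()` and the temporary tree are constructed for illustration. It also shows the trade-off from the BUG FIXES entry: a symlink that stays inside the tree is refused just like one that escapes.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open rel beneath dirfd one component at a time (flags without O_CREAT). Each
 * component gets O_NOFOLLOW, so a symlink swapped in mid-walk is refused. */
int open_beneath_nofollow(int dirfd, const char *rel, int flags)
{
    char path[1024], *save = NULL, *comp, *next;
    int cur, fd, saved;
    if (rel[0] == '/' || strlen(rel) >= sizeof path) { errno = EINVAL; return -1; }
    strcpy(path, rel);
    if (!(comp = strtok_r(path, "/", &save))) { errno = EINVAL; return -1; }
    if ((cur = dup(dirfd)) < 0) return -1;
    for (; comp; comp = next, cur = fd) {
        next = strtok_r(NULL, "/", &save);
        if (!strcmp(comp, "..")) { close(cur); errno = EINVAL; return -1; }
        fd = openat(cur, comp, (next ? O_RDONLY | O_DIRECTORY : flags) | O_NOFOLLOW | O_CLOEXEC);
        saved = errno; close(cur); errno = saved;   /* keep openat's errno */
        if (fd < 0) return -1;
    }
    return cur;
}

/* Constructed tree: sub/file, in -> sub, out -> /. Result bits: 1 plain path
 * opens, 2 in-tree link refused, 4 escaping link refused, 8 ".." refused. */
int demo(void)
{
    char tmpl[] = "/tmp/beneathXXXXXX";
    int root, fd, r = 0;
    if (!mkdtemp(tmpl) || (root = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    if (mkdirat(root, "sub", 0700) || symlinkat("sub", root, "in") || symlinkat("/", root, "out")) return -1;
    if ((fd = openat(root, "sub/file", O_CREAT | O_WRONLY, 0600)) < 0) return -1;
    close(fd);
    if ((fd = open_beneath_nofollow(root, "sub/file", O_RDONLY)) >= 0) { r |= 1; close(fd); }
    if (open_beneath_nofollow(root, "in/file", O_RDONLY) < 0) r |= 2;
    if (open_beneath_nofollow(root, "out/tmp", O_RDONLY) < 0) r |= 4;
    if (open_beneath_nofollow(root, "sub/../../tmp", O_RDONLY) < 0) r |= 8;
    unlinkat(root, "sub/file", 0); unlinkat(root, "sub", AT_REMOVEDIR);
    unlinkat(root, "in", 0); unlinkat(root, "out", 0); close(root); rmdir(tmpl);
    return r;
}

int main(void) { printf("result mask: %d (15 = all four checks hold)\n", demo()); return 0; }
```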
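
A bounded line reader of the kind the CVE-2026-45232 entry describes, added here as an illustration and not taken from rsync's `socket.c`; the in-memory `struct src`, `read_response_line()` and `probe()` are hypothetical names. It rejects an over-long first line by position before storing a byte, so the terminator can never land past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Constructed byte source standing in for the proxy socket (assumption). */
struct src { const char *data; size_t len, pos; };

enum line_status { LINE_OK = 0, LINE_EOF = -1, LINE_TOO_LONG = -2 };

/* Read one response line into buf[cap], one byte at a time. The "buffer is
 * full and no newline yet" case is detected by position, before any store,
 * so the terminator always lands inside the buffer. */
enum line_status read_response_line(struct src *s, char *buf, size_t cap)
{
    size_t n = 0;

    if (cap == 0) return LINE_TOO_LONG;
    for (;;) {
        if (s->pos >= s->len) return LINE_EOF;    /* peer closed mid-line */
        char c = s->data[s->pos++];
        if (c == '\n') break;
        if (n == cap - 1) return LINE_TOO_LONG;   /* last slot is reserved for '\0' */
        buf[n++] = c;
    }
    if (n > 0 && buf[n - 1] == '\r') n--;         /* tolerate CRLF */
    buf[n] = '\0';
    return LINE_OK;
}

/* Probe with n filler bytes, optionally CRLF-terminated, against the 1024-byte
 * buffer size from the advisory. Returns the parsed length or the error status. */
long probe(size_t n, int terminated)
{
    static char wire[4096];
    char buf[1024];
    struct src s = { wire, n, 0 };

    if (n > sizeof wire - 2) return -99;
    memset(wire, 'A', n);
    if (terminated) { memcpy(wire + n, "\r\n", 2); s.len = n + 2; }
    enum line_status st = read_response_line(&s, buf, sizeof buf);
    return st == LINE_OK ? (long)strlen(buf) : (long)st;
}

int main(void)
{
    printf("%ld %ld %ld %ld\n", probe(1022, 1), probe(1023, 1), probe(1023, 0), probe(1024, 0));
    return 0;
}
```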


To generate a diff of this commit:
cvs rdiff -u -r1.131.2.1 -r1.131.2.2 pkgsrc/net/rsync/Makefile
cvs rdiff -u -r1.64.2.1 -r1.64.2.2 pkgsrc/net/rsync/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/rsync/Makefile
diff -u pkgsrc/net/rsync/Makefile:1.131.2.1 pkgsrc/net/rsync/Makefile:1.131.2.2
--- pkgsrc/net/rsync/Makefile:1.131.2.1 Thu May 21 02:31:24 2026
+++ pkgsrc/net/rsync/Makefile   Thu May 21 14:46:14 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.131.2.1 2026/05/21 02:31:24 maya Exp $
+# $NetBSD: Makefile,v 1.131.2.2 2026/05/21 14:46:14 maya Exp $
 
-DISTNAME=      rsync-3.4.2
+DISTNAME=      rsync-3.4.3
 CATEGORIES=    net
 MASTER_SITES=  http://rsync.samba.org/ftp/rsync/
 MASTER_SITES+= http://rsync.samba.org/ftp/rsync/old-versions/
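
Review bot: The two MASTER_SITES context lines under the DISTNAME bump still fetch over plain http://, so for this security pullup the only thing authenticating rsync-3.4.3.tar.gz is the distinfo entry committed alongside. Please confirm the new checksums were computed from a tarball verified out of band against upstream, and consider switching both URLs to https if the host serves it.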

Index: pkgsrc/net/rsync/distinfo
diff -u pkgsrc/net/rsync/distinfo:1.64.2.1 pkgsrc/net/rsync/distinfo:1.64.2.2
--- pkgsrc/net/rsync/distinfo:1.64.2.1  Thu May 21 02:31:24 2026
+++ pkgsrc/net/rsync/distinfo   Thu May 21 14:46:14 2026
@@ -1,7 +1,7 @@
-$NetBSD: distinfo,v 1.64.2.1 2026/05/21 02:31:24 maya Exp $
+$NetBSD: distinfo,v 1.64.2.2 2026/05/21 14:46:14 maya Exp $
 
-BLAKE2s (rsync-3.4.2.tar.gz) = 45b332162e527bcc84e577be98e134a8645e2e15482ddb91d7cd02934161eb45
-SHA512 (rsync-3.4.2.tar.gz) = 74f623e7f5234ffc12fc60d30f4439bc18796404c866365b7c3bfda87f42b33fc01ce6060187534b6b47d799f5b47fcdb84717faff88b6ce30eb230f1b93afe7
-Size (rsync-3.4.2.tar.gz) = 1190383 bytes
+BLAKE2s (rsync-3.4.3.tar.gz) = 555d685bab1140ae36af9ffa20ae2c899daaf4ea6a24e7bb79cdae236bd55539
+SHA512 (rsync-3.4.3.tar.gz) = 1bf2d7cea7a42c9cd070ffaa5e9e029fbce2c18973d8e946f2a6a91c781d2f3ff2449a8ff2431206396caf1f7d9901865f10772c09019d93318e26196160644f
+Size (rsync-3.4.3.tar.gz) = 1216482 bytes
 SHA1 (patch-Makefile.in) = 34c3cc57846e451a0adbd19fcb19ae682b7e1ae3
 SHA1 (patch-acls.c) = 9be60c0c1abedc961fa95bba2bb23d802a09bc62
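
Review bot: The context lines `SHA1 (patch-Makefile.in)` and `SHA1 (patch-acls.c)` are unchanged, so both local patches are carried as-is onto 3.4.3, while the log message says this release bounds wire-supplied counts and lengths in acls. Please confirm patch-acls.c still applies without fuzz and does not overlap the hardened code, and regenerate it (and its hash here) if the offsets moved.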


