Debian Patches
Status for rsync/3.2.7-1+deb12u5
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| disable_reconfigure_req.diff | Remove need to run reconfigure target | Samuel Henrique <samueloph@debian.org> | not-needed | | | |
| skip_devices_test.patch | Skip "devices" test as it fails on kfreebsd and hurd Error log: /----- devices log follows Testing for symlinks using 'test -h' Let's try re-running the script under fakeroot... Testing for symlinks using 'test -h' cD+++++++++ block cD+++++++++ block2 default_perms_for_dir: sys_acl_get_file(., ACL_TYPE_DEFAULT): Operation not supported, falling back on umask cDc.T...... block3 sending incremental file list delta-transmission disabled for local transfer or --whole-file .d..t...... ./ cDc.t...... block cDc........ block2 cD+++++++++ block3 hD+++++++++ block3.5 => block3 cD+++++++++ char cD+++++++++ char2 cD+++++++++ char3 cS+++++++++ fifo total: matches=0 hash_hits=0 false_alarms=0 data=0 sent 160 bytes received 117 bytes 554.00 bytes/sec total size is 0 speedup is 0.00 check how the directory listings compare with diff: + + /<<PKGBUILDDIR>>/rsynctee -aii /<<PKGBUILDDIR>>/testtmp/devices/rsync.out --link-dest=/<<PKGBUILDDIR>>/testtmp/devices/to /<<PKGBUILDDIR>>/testtmp/devices/from/ /<<PKGBUILDDIR>>/testtmp/devices/chk/ rsync: failed to hard-link /<<PKGBUILDDIR>>/testtmp/devices/to/fifo with fifo: Invalid cross-device link (1073741842) cd ./ hD block hD block2 hD block3 hD block3.5 hD char hD char2 hD char3 cSc........ fifo rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1207) [sender=3.1.3] + cat + diff -u /<<PKGBUILDDIR>>/testtmp/devices/rsync.chk /<<PKGBUILDDIR>>/testtmp/devices/rsync.out /--- /<<PKGBUILDDIR>>/testtmp/devices/rsync.chk 2019-10-15 01:26:43.000000000 +0000 /+++ /<<PKGBUILDDIR>>/testtmp/devices/rsync.out 2019-10-15 01:26:43.000000000 +0000 @@ -6,4 +6,4 @@ hD char hD char2 hD char3 -hS fifo +cSc........ fifo + test_fail test 5 failed + echo test 5 failed test 5 failed + exit 1 /bin/fakeauth: Error 1 for child 7541 /bin/settrans: Error 1 for child 7540 ----- devices log ends FAIL devices | Samuel Henrique <samueloph@debian.org> | no | | | |
| perl_shebang.patch | Removes usage of env on perl shebang as per Debian Policy § 10.4 | Samuel Henrique <samueloph@debian.org> | not-needed | | | |
| fix_rrsync_man_generation.patch | Fix manpage installation for rrsync Otherwise we would get "ERROR: support/rrsync.1 cannot be created." I'm not confident this is the best approach on solving this issue, but I know this works with no regressions. This patch needs to be reviewed before being submitted to upstream. | Samuel Henrique <samueloph@debian.org> | no | | | |
| avoid_quoting_of_tilde_when_its_a_destination_arg.patch | Avoid quoting of tilde when it's a destination arg. | Wayne Davison <wayne@opencoder.net> | no | | | 2022-11-05 |
| trust_the_sender_on_a_local_transfer.patch | Trust the sender on a local transfer. | Wayne Davison <wayne@opencoder.net> | no | | | 2022-12-01 |
| raise-protocol-version-to-32.patch | [PATCH 1/3] raise protocol version to 32 make it easier to spot unpatched servers | Andrew Tridgell <andrew@tridgell.net> | no | | | 2024-12-10 |
| 2026-05-20/0001-Fix-warning-about-conflicting-lseek-lseek64-prototyp.patch | [PATCH 01/56] Fix warning about conflicting lseek/lseek64 prototypes Clang rightfully complains about conflicting prototypes, as both lseek() variants are redefined: syscall.c:394:10: warning: a function declaration without a prototype is deprecated in all versions of C and is treated as a zero-parameter prototype in C2x, conflicting with a previous declaration [-Wdeprecated-non-prototype] off64_t lseek64(); ^ /usr/include/unistd.h:350:18: note: conflicting prototype is here extern __off64_t lseek64 (int __fd, __off64_t __offset, int __whence) ^ 1 warning generated. The point of the #ifdef is to build for the configured OFF_T; there is no reason to redefine lseek/lseek64, which should have been found via configure. | Holger Hoffstätte <holger@applied-asynchrony.com> | no | | | 2023-09-04 |
| 2026-05-20/0002-hlink-Fix-function-pointer-cast-in-qsort.patch | [PATCH 02/56] hlink: Fix function pointer cast in qsort() Replace unsafe generic function pointer cast with proper type cast for qsort() comparison function. This fixes a potential type mismatch warning without changing the behavior. | Charalampos Mitrodimas <charmitro@posteo.net> | no | | | 2024-11-20 |
| 2026-05-20/0003-bool-is-a-keyword-in-C23.patch | [PATCH 03/56] bool is a keyword in C23 | Michal Ruprich <mruprich@redhat.com> | no | | | 2025-01-17 |
| 2026-05-20/0004-Fix-warning-about-missing-bomb-.-prototype.patch | [PATCH 04/56] Fix warning about missing bomb(..) prototype Clang rightfully complains about invoking bomb(..) without a proper prototype: lib/pool_alloc.c:171:16: warning: passing arguments to a function without a prototype is deprecated in all versions of C and is not supported in C2x [-Wdeprecated-non-prototype] (*pool->bomb)(bomb_msg, __FILE__, __LINE__); ^ 1 warning generated. | Holger Hoffstätte <holger@applied-asynchrony.com> | no | | | 2023-09-04 |
| 2026-05-20/0005-Some-checksum-buffer-fixes.patch | [PATCH 05/56] Some checksum buffer fixes. - Put sum2_array into sum_struct to hold an array of sum2 checksums that are each xfer_sum_len bytes. - Remove sum2 buf from sum_buf. - Add macro sum2_at() to access each sum2 array element. - Throw an error if a sums header has an s2length larger than xfer_sum_len. | Wayne Davison <wayne@opencoder.net> | no | | | 2024-10-29 |
| 2026-05-20/0006-Another-cast-when-multiplying-integers.patch | [PATCH 06/56] Another cast when multiplying integers. | Wayne Davison <wayne@opencoder.net> | no | | | 2024-11-05 |
| 2026-05-20/0007-prevent-information-leak-off-the-stack.patch | [PATCH 07/56] prevent information leak off the stack prevent leak of uninitialised stack data in hash_search | Andrew Tridgell <andrew@tridgell.net> | no | | | 2024-11-14 |
| 2026-05-20/0008-refuse-fuzzy-options-when-fuzzy-not-selected.patch | [PATCH 08/56] refuse fuzzy options when fuzzy not selected this prevents a malicious server providing a file to compare to when the user has not given the fuzzy option | Andrew Tridgell <andrew@tridgell.net> | no | | | 2024-11-23 |
| 2026-05-20/0009-added-secure_relative_open.patch | [PATCH 09/56] added secure_relative_open() this is an open that enforces no symlink following for all path components in a relative path | Andrew Tridgell <andrew@tridgell.net> | no | | | 2024-11-23 |
| 2026-05-20/0010-receiver-use-secure_relative_open-for-basis-file.patch | [PATCH 10/56] receiver: use secure_relative_open() for basis file this prevents attacks where the basis file is manipulated by a malicious sender to gain information about files outside the destination tree | Andrew Tridgell <andrew@tridgell.net> | no | | | 2024-11-23 |
| 2026-05-20/0011-disallow-.-elements-in-relpath-for-secure_relative_o.patch | [PATCH 11/56] disallow ../ elements in relpath for secure_relative_open | Andrew Tridgell <andrew@tridgell.net> | no | | | 2024-11-26 |
| 2026-05-20/0012-Refuse-a-duplicate-dirlist.patch | [PATCH 12/56] Refuse a duplicate dirlist. | Wayne Davison <wayne@opencoder.net> | no | | | 2024-11-14 |
| 2026-05-20/0013-range-check-dir_ndx-before-use.patch | [PATCH 13/56] range check dir_ndx before use | Andrew Tridgell <andrew@tridgell.net> | no | | | 2024-11-26 |
| 2026-05-20/0014-make-safe-links-stricter.patch | [PATCH 14/56] make --safe-links stricter when --safe-links is used also reject links where a '../' component is included in the destination as other than the leading part of the filename | Andrew Tridgell <andrew@tridgell.net> | no | | | 2024-11-23 |
| 2026-05-20/0015-fixed-symlink-race-condition-in-sender.patch | [PATCH 15/56] fixed symlink race condition in sender when we open a file that we don't expect to be a symlink use O_NOFOLLOW to prevent a race condition where an attacker could change a file between being a normal file and a symlink | Andrew Tridgell <andrew@tridgell.net> | no | | | 2024-12-18 |
| 2026-05-20/0016-syscall-fix-a-Y2038-bug-by-replacing-Int32x32To64-wi.patch | [PATCH 16/56] syscall: fix a Y2038 bug by replacing Int32x32To64 with multiplication Int32x32To64 macro internally truncates the arguments to int32, while time_t is 64-bit on most/all modern platforms. Therefore, usage of this macro creates a Year 2038 bug. | Silent <zdanio95@gmail.com> | no | | | 2025-01-13 |
| 2026-05-20/0017-options.c-Fix-segv-if-poptGetContext-returns-NULL.patch | [PATCH 17/56] options.c: Fix segv if poptGetContext returns NULL If poptGetContext returns NULL, perhaps due to OOM, a NULL pointer is passed into poptReadDefaultConfig() which in turn SEGVs when trying to dereference it. This was found using https://github.com/sahlberg/malloc-fail-tester.git $ ./test_malloc_failure.sh rsync -Pav crash crosh | Ronnie Sahlberg <ronniesahlberg@gmail.com> | no | | | 2025-01-30 |
| 2026-05-20/0018-Using-a-correct-time-in-log-file.patch | [PATCH 18/56] Using a correct time in log file | Michal Ruprich <mruprich@redhat.com> | no | | | 2025-01-31 |
| 2026-05-20/0019-configure.ac-check-for-xattr-support-both-in-libc-an.patch | [PATCH 19/56] configure.ac: check for xattr support both in libc and in -lattr In 2015, the attr/xattr.h header was fully removed from upstream attr. In 2020, rsync started preferring the standard header, if it exists: https://github.com/RsyncProject/rsync/pull/22 But the fix was incomplete. We still looked for the getxattr function in -lattr, and used it if -lattr exists. This was the case even if the system libc was sufficient to provide the needed functions. Result: overlinking to -lattr, if it happened to be installed for any other reason. ``` checking whether to support extended attributes... Using Linux xattrs checking for getxattr in -lattr... yes ``` Instead, use a different autoconf macro that first checks if the function is available for use without any libraries (e.g. it is in libc). Result: ``` checking whether to support extended attributes... Using Linux xattrs checking for library containing getxattr... none required ``` | Eli Schwartz <eschwartz@gentoo.org> | no | | | 2025-04-22 |
| 2026-05-20/0020-util-fixed-issue-in-clean_fname.patch | [PATCH 20/56] util: fixed issue in clean_fname() fixes buffer underflow (not exploitable) in clean_fname | Andrew Tridgell <andrew@tridgell.net> | no | | | 2025-08-23 |
| 2026-05-20/0021-testsuite-added-clean-fname-underflow-test.patch | [PATCH 21/56] testsuite: added clean-fname-underflow test | Andrew Tridgell <andrew@tridgell.net> | no | | | 2025-08-23 |
| 2026-05-20/0022-fixed-an-invalid-access-to-files-array.patch | [PATCH 22/56] fixed an invalid access to files array this was found by Calum Hutton from Rapid7. It is a real bug, but analysis shows it can't be leveraged into an exploit. Worth fixing though. Many thanks to Calum and Rapid7 for finding and reporting this | Andrew Tridgell <andrew@tridgell.net> | no | | | 2025-08-23 |
| 2026-05-20/0023-fix-uninitialized-buf1-in-get_checksum2-MD4-path.patch | [PATCH 23/56] fix uninitialized buf1 in get_checksum2() MD4 path The static buf1 pointer was only allocated when len > len1, but on first call with len == 0, this condition is false (0 > 0), leaving buf1 NULL when passed to memcpy(). Fixes #673 | Andrew Tridgell <andrew@tridgell.net> | no | | | 2025-12-30 |
| 2026-05-20/0024-reject-negative-token-values-in-compressed-stream-re.patch | [PATCH 24/56] reject negative token values in compressed stream receivers Validate that token numbers read from compressed streams are non-negative. A negative token value would cause the return value of recv_*_token() to become positive, which callers interpret as literal data length, but no data pointer is set on this code path. While this only causes the receiver to crash (which is process-isolated and only affects the attacker's own connection), it's still undefined behavior. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2025-12-30 |
| 2026-05-20/0025-acl-fixed-ACL-ID-mapping-for-non-root.patch | [PATCH 25/56] acl: fixed ACL ID mapping for non-root closes issue #618 | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-01-19 |
| 2026-05-20/0026-fix-uninitialized-mul_one-in-AVX2-checksum-and-add-S.patch | [PATCH 26/56] fix uninitialized mul_one in AVX2 checksum and add SIMD checksum test The AVX2 get_checksum1_avx2_64() read mul_one before initializing it, which is undefined behavior. Replace the cmpeq/abs trick with _mm256_set1_epi8(1) to match the SSSE3 and SSE2 versions. Add a TEST_SIMD_CHECKSUM1 test mode that verifies all SIMD paths (SSE2, SSSE3, AVX2, and the full dispatch chain) produce identical results to the C reference, across multiple buffer sizes with both aligned and unaligned buffers. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-03-01 |
| 2026-05-20/0027-Fix-glibc-2.43-constness-warnings.patch | [PATCH 27/56] Fix glibc-2.43 constness warnings Glibc 2.43 added C23 const-preserving overloads to various string functions, which change the return type depending on the constness of the argument(s). Currently this leads to warnings from calls to strtok() or strchr(). Fix this by properly declaring the respective variable types. | Holger Hoffstätte <holger@applied-asynchrony.com> | no | | | 2026-04-06 |
| 2026-05-20/0028-zlib-convert-K-R-function-definitions-to-ANSI-style.patch | [PATCH 28/56] zlib: convert K&R function definitions to ANSI style The bundled zlib 1.2.8 used K&R-style function definitions which are rejected by clang 16+ as hard errors. Convert all 90 functions across 9 files to ANSI-style prototypes. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-04-16 |
| 2026-05-20/0029-fix-signed-integer-overflow-in-proxy-protocol-v2-hea.patch | [PATCH 29/56] fix signed integer overflow in proxy protocol v2 header parsing The len field in the proxy v2 header was declared as signed char, allowing a negative size to bypass the validation check and cause a stack buffer overflow when passed to read_buf() as size_t. This bug was reported by John Walker from ZeroPath, many thanks for the clear report! With the current code this bug does not represent a security issue as it only results in the exit of the forked process that is specific to the attached client, so it is equivalent to the client closing the socket, so no CVE for this, but it is good to fix it to prevent a future issue. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-04-16 |
| 2026-05-20/0030-zero-all-new-memory-from-allocations.patch | [PATCH 30/56] zero all new memory from allocations Change my_alloc() to use calloc instead of malloc so all fresh allocations return zeroed memory. Also zero the expanded portion in expand_item_list() after realloc, since it knows both old and new sizes. This gives more predictable behaviour in case of bugs where uninitialised or stale memory is accidentally accessed. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-04-22 |
| 2026-05-20/0031-xattrs-fixed-count-in-qsort.patch | [PATCH 31/56] xattrs: fixed count in qsort this fixes the count passed to the sort of the xattr list. This issue was reported here: https://www.openwall.com/lists/oss-security/2026/04/16/2 the bug is not exploitable due to the fork-per-connection design of rsync, the attack is the equivalent of the user closing the socket themselves. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-04-22 |
| 2026-05-20/0032-call-tzset-before-chroot-to-cache-timezone-data.patch | [PATCH 32/56] call tzset() before chroot to cache timezone data localtime/localtime_r need /etc/localtime for timezone info. After chroot this file is inaccessible, causing log timestamps to fall back to UTC. Calling tzset() before chroot ensures the timezone data is cached by glibc for subsequent calls. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-04-22 |
| 2026-05-20/0033-testsuite-xattrs-ignore-SUNWattr_-in-the-Solaris-xls.patch | [PATCH 33/56] testsuite/xattrs: ignore SUNWattr_* in the Solaris xls helper The Solaris xls() function listed every entry in the file's xattr directory, which on Solaris includes OS-managed SUNWattr_ro and SUNWattr_rw pseudo-attributes. SUNWattr_rw embeds the file creation time, so its bytes naturally differ between the source and destination files, making the xattrs and xattrs-hlink tests fail with diffs that have nothing to do with rsync. Rsync's own listxattr wrapper already filters these out (lib/sysxattrs.c), so the right fix is to filter them in the test display too. Other platforms are unaffected because each has its own xls() branch in the case statement. With the test now actually passing on Solaris, drop the CI hack that overwrote testsuite/xattrs.test with a skip stub. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-04-30 |
| 2026-05-20/0034-syscall-use-openat2-RESOLVE_BENEATH-on-Linux-for-sec.patch | [PATCH 34/56] syscall: use openat2(RESOLVE_BENEATH) on Linux for secure_relative_open The CVE fix in commit c35e283 made secure_relative_open() walk every component of relpath with O_NOFOLLOW. That blocks every symlink in the path, which is stricter than the threat model required: legitimate directory symlinks within the destination tree (e.g. when using -K / --copy-dirlinks) are also rejected, breaking delta transfers with "failed verification -- update discarded". See issue #715. On Linux 5.6+, openat2(RESOLVE_BENEATH | RESOLVE_NO_MAGICLINKS) gives us exactly what we want: the kernel rejects any resolution that would escape the starting directory (via "..", absolute paths, or symlinks pointing outside dirfd) while still following symlinks that resolve within it. /proc magic-links are blocked too. Use openat2 first; fall back to the existing per-component O_NOFOLLOW walk on ENOSYS (kernel < 5.6). The lexical "../" checks at the head of the function are kept as defense in depth. The Linux gate is plain #ifdef __linux__: the runtime ENOSYS fallback covers the only case that actually matters (header present + old kernel), and any Linux build environment without linux/openat2.h will fail with a clear "no such file" error rather than silently disabling the protection. Verified manually that openat2(RESOLVE_BENEATH) blocks all four escape patterns (absolute symlink, ../ symlink, lexical .., absolute path) while allowing direct and within-tree symlinks. The new testsuite/symlink-dirlink-basis.test (taken from PR #864 by Samuel Henrique) exercises the issue #715 regression and passes; full make check passes 47/47. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-04-30 |
| 2026-05-20/0035-syscall-also-use-O_RESOLVE_BENEATH-on-FreeBSD-and-Ma.patch | [PATCH 35/56] syscall: also use O_RESOLVE_BENEATH on FreeBSD and MacOS FreeBSD and MacOS have O_RESOLVE_BENEATH as an openat() flag with the same "must not escape dirfd" semantics as Linux's RESOLVE_BENEATH. The kernel rejects ".." escapes, absolute symlinks, and symlinks whose target lies outside dirfd, while still following symlinks that resolve within it -- the same trade-off that fixes issue #715 on Linux. Add a parallel BSD path in secure_relative_open(), gated on declared. Unlike Linux, BSD doesn't have the header/runtime split where the symbol can exist without kernel support, so no runtime fallback is needed: if the flag compiles in, the kernel honours it. OpenBSD and NetBSD have no equivalent kernel primitive and continue to use the existing per-component O_NOFOLLOW walk; issue #715 remains visible on those platforms (a userland resolver or unveil(2)-based fence would be follow-up work). | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-04-30 |
| 2026-05-20/0036-testsuite-skip-symlink-dirlink-basis-on-platforms-wi.patch | [PATCH 36/56] testsuite: skip symlink-dirlink-basis on platforms without RESOLVE_BENEATH secure_relative_open() has a kernel-enforced "stay below dirfd" path on Linux 5.6+ (openat2 RESOLVE_BENEATH) and FreeBSD 13+ (openat O_RESOLVE_BENEATH). On Solaris, OpenBSD, NetBSD, and Cygwin the code falls back to the per-component O_NOFOLLOW walk, which by design rejects every directory symlink in the path -- the very case this test exercises. Mark the test skipped there rather than have it fail with a known regression that's tracked separately. macOS is intentionally not in the skip list: although it does not have O_RESOLVE_BENEATH either, the test passes there in practice; investigation of the underlying reason is left as follow-up. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-04-30 |
| 2026-05-20/0037-syscall-clientserver-am_chrooted-and-use_secure_syml.patch | [PATCH 37/56] syscall+clientserver: am_chrooted and use_secure_symlinks for daemon-no-chroot (CVE-2026-29518) CVE-2026-29518: an rsync daemon configured with "use chroot = no" is exposed to a TOCTOU race on parent path components. A local attacker with write access to a module can replace a parent directory component with a symlink between the receiver's check and its open(), redirecting reads (basis-file disclosure) and writes (file overwrite) outside the module. Under elevated daemon privilege this allows privilege escalation. Default "use chroot = yes" is not exposed. Add secure_relative_open() in syscall.c. It walks the parent components under RESOLVE_BENEATH (Linux 5.6+) / O_RESOLVE_BENEATH (FreeBSD 13+, macOS 15+) / per-component O_NOFOLLOW elsewhere, anchored at a trusted dirfd, so a parent-symlink swap is rejected by the kernel. Route the receiver's basis-file open in receiver.c through it when use_secure_symlinks is set in clientserver.c rsync_module(). | Andrew Tridgell <andrew@tridgell.net> | no | | | 2025-12-31 |
| 2026-05-20/0038-sender-fix-read-path-TOCTOU-by-opening-from-module-r.patch | [PATCH 38/56] sender: fix read-path TOCTOU by opening from module root (CVE-2026-29518) The sender's file open was vulnerable to the same TOCTOU symlink race as the receiver-side basis-file open. change_pathname() calls chdir() into subdirectories, which follows symlinks; an attacker could race to swap a directory for a symlink between the chdir and the file open, allowing reads of privileged files through the daemon. Reconstruct the full relative path (F_PATHNAME + fname) and open via secure_relative_open() from the trusted module_dir, which walks each path component without following symlinks. This is independent of CWD, so the chdir race is neutralised. CVE-2026-29518. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-03-01 |
| 2026-05-20/0039-syscall-receiver-secure-receiver-side-do_chmod-again.patch | [PATCH 39/56] syscall+receiver: secure receiver-side do_chmod against symlink-race TOCTOU CVE-2026-29518's fix routed the receiver's open() through secure_relative_open(), but every other path-based syscall the receiver runs on sender-controllable paths is vulnerable to the same TOCTOU primitive. This commit closes the chmod variant. Add do_chmod_at() that opens the parent of fname under secure_relative_open() and uses fchmodat() against the resulting dirfd. Gate the secure path on am_daemon && !am_chrooted (the same gate use_secure_symlinks already uses for the receiver basis-file open), so non-daemon callers and chrooted daemons keep the original do_chmod() fast path. Migrate the receiver-side do_chmod() call sites in delete.c, generator.c, rsync.c, and xattrs.c. Adds testsuite/chmod-symlink-race.test (with t_chmod_secure helper) as regression coverage. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-05-04 |
| 2026-05-20/0040-util1-secure-change_dir-against-symlink-race-chdir-e.patch | [PATCH 40/56] util1: secure change_dir() against symlink-race chdir-escape The receiver's chdir(2) into a destination subdirectory followed attacker-planted symlinks at every path component. Once CWD escaped the module, every subsequent path-relative syscall (open, chmod, lchown, ...) inherited the escape -- defeating secure_relative_open's RESOLVE_BENEATH anchor against AT_FDCWD, since the anchor itself was now outside the module. Route change_dir's relative target through secure_relative_open() and fchdir() to the resulting dirfd in am_daemon && !am_chrooted mode, so the chdir step itself can no longer follow a parent-symlink. Same treatment applied to the CD_SKIP_CHDIR / set_path_only path so it also can't follow attacker symlinks during path tracking. Adds testsuite/sender-flist-symlink-leak.test covering the sender-side flist resolution variant of the same primitive. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-05-05 |
| 2026-05-20/0041-syscall-add-symlink-race-safe-do_-_at-wrappers-and-h.patch | [PATCH 41/56] syscall: add symlink-race-safe do_*_at() wrappers and harden secure_relative_open Add the rest of the path-based syscall wrappers and migrate every receiver-side caller: - do_lchown_at, do_rename_at, do_mkdir_at, do_symlink_at, do_mknod_at, do_link_at, do_unlink_at, do_rmdir_at, do_utimensat_at, do_stat_at, do_lstat_at Same shape as do_chmod_at: open each parent under secure_relative_open(), call the *at() variant against the dirfd, fall through to the bare path-based syscall in non-daemon / chrooted / absolute-path / no-parent cases. macOS's setattrlist-based set_times tier is also routed through the utimensat_at path on daemon-no-chroot. Hardenings to secure_relative_open() itself: - confine basedir resolution under the same kernel mechanism used for relpath (basedirs from --copy-dest / --link-dest are sender-controllable in daemon mode) - reject any '..' component (bare '..', 'foo/..', 'subdir/..') so the per-component O_NOFOLLOW fallback can't escape - return the dirfd we built up from the per-component fallback when the caller passed O_DIRECTORY (otherwise every do_*_at failed with EINVAL on platforms without RESOLVE_BENEATH) Adds testsuite/alt-dest-symlink-race.test and testsuite/secure-relpath-validation.test (with t_secure_relpath helper) as regression coverage for the new hardenings. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-05-05 |
| 2026-05-20/0042-util1-syscall-secure-copy_file-source-dest-opens-bar.patch | [PATCH 42/56] util1+syscall: secure copy_file source/dest opens; bare-path defence-in-depth Three related codex audit findings: Finding 3a: copy_file()'s source open in util1.c used do_open_nofollow(), which only rejects a final-component symlink. A parent-component symlink (e.g. --copy-dest=cd where cd -> /outside) follows freely and reads outside the module. Route through secure_relative_open() with O_NOFOLLOW. Finding 3b: generator.c's in-place backup-file create still used a bare do_open with O_CREAT, leaving a tiny but reachable parent-symlink window between the secure unlink (already through do_unlink_at) and the create. Add do_open_at() that goes through a secure parent dirfd, and route the call site through it. Finding 3c: copy_file()'s destination open in unlink_and_reopen() had the same bare-do_open pattern; route through do_open_at as well. Adds testsuite/copy-dest-source-symlink.test and testsuite/bare-do-open-symlink-race.test as regression coverage for both attack shapes. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-05-06 |
| 2026-05-20/0043-testsuite-end-to-end-regression-test-for-chdir-symli.patch | [PATCH 43/56] testsuite: end-to-end regression test for chdir-symlink-race testsuite/chdir-symlink-race.test runs an actual rsync daemon (via RSYNC_CONNECT_PROG to avoid the network) configured with "use chroot = no", plants a symlink at module/subdir -> ../outside, and runs four flavours of attacker-shaped transfer (single-file poc_chmod, -r push into the symlinked subdir with --size-only and without, -r push into the module root). All four must leave the outside-the-module sentinel file's mode AND content unchanged. Portability: - file_mode() helper falls back to BSD stat -f %Lp when GNU stat -c %a is unavailable (macOS, FreeBSD). - Pre-saved pristine copy + cmp(1) replaces sha1sum, which differs across platforms (sha1sum / shasum / sha1). Tests are kept running as root in the user-namespace re-exec wrapper used by symlink-race tests so the daemon's setuid path doesn't drop into the test user's identity (which on Linux would mean the chmod-escape code path can't trigger because the test user doesn't have CAP_FOWNER over the outside file). | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-05-05 |
| 2026-05-20/0044-token-harden-compressed-token-decoding-against-integ.patch | [PATCH 44/56] token: harden compressed-token decoding against integer overflow The receiver's three compressed-token decoders -- recv_deflated_token (zlib), recv_zstd_token, and recv_compressed_token (lz4) -- accumulated rx_token (a 32-bit signed counter) without overflow checking. A malicious sender could craft a compressed-token stream that walked rx_token past INT32_MAX, with careful manipulation leaking process memory contents to the wire (environment variables, passwords, heap pointers, library pointers -- significantly weakening ASLR and facilitating further exploitation). Cap rx_token at MAX_TOKEN_INDEX = 0x7ffffffe. Fold the bookkeeping into recv_compressed_token_num() and recv_compressed_token_run() shared by all three decoders. Reject negative or out-of-range token values explicitly. Also cap the simple_recv_token literal-block length at the source: any wire-supplied length > CHUNK_SIZE is ill-formed (the matching simple_send_token never writes a chunk larger than CHUNK_SIZE), so reject before looping on attacker-controlled bytes. enabled (the default for protocols >= 30 when both peers advertise it). Disabling compression on the daemon ("refuse options = compress" in rsyncd.conf) is the available workaround. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-04-29 |
| 2026-05-20/0045-testsuite-cover-refuse-options-compress-for-the-daem.patch | [PATCH 45/56] testsuite: cover 'refuse options = compress' for the daemon Add a daemon-refuse-compress test that builds a module configured with 'refuse options = compress' and asserts that: 1. an attempted -z transfer to that module fails with an error mentioning --compress, and 2. the same transfer without -z still succeeds. This pins down the documented way to disable all compression on a daemon, which previously had no automated coverage. | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-05-01 |
| 2026-05-20/0046-receiver-add-parent_ndx-0-guard-mirroring-797e17f.patch | [PATCH 46/56] receiver: add parent_ndx<0 guard, mirroring 797e17f Commit 797e17f ("fixed an invalid access to files array") added a parent_ndx < 0 guard to send_files() in sender.c, but the visually-identical block in recv_files() in receiver.c was not updated. A malicious rsync:// server can therefore drive any connecting client into the same out-of-bounds dir_flist->files[-1] read followed by a file_struct dereference in f_name() one line later. parent_ndx = -1 on the first received flist when the sender omits a leading "." entry; rsync.c flist_for_ndx() does not reject ndx == 0 in that state because the range check evaluates 0 < 0 = false; and read_ndx_and_attrs() only validates ndx with the ITEM_TRANSFER bit set, so iflags=ITEM_IS_NEW (or any other non-transfer iflag word) bypasses the check. Apply the same guard receiver-side. Confirmed: the same PoC (a minimal Python rsyncd that handshakes with CF_INC_RECURSE, sends a no-leading-"." flist, and emits ndx=0 with ITEM_IS_NEW) crashes unpatched 3.4.2 with SEGV_MAPERR si_addr=0x4101a-class in the receiver child; with this guard it exits cleanly with code 2 (RERR_PROTOCOL). The attack surface delta over the sender variant is large: the original was malicious-client -> daemon, this is malicious-server -> any rsync client doing a normal rsync:// or remote-shell pull. Reported by Pratham Gupta (alchemy1729). | Andrew Tridgell <andrew@tridgell.net> | no | | | 2026-05-05 |
| 2026-05-20/0047-clientserver-fix-hostname-ACL-bypass-when-using-daem.patch | [PATCH 47/56] clientserver: fix hostname ACL bypass when using daemon chroot On an rsync daemon configured with "daemon chroot", the reverse-DNS lookup of the connecting client was performed *after* the chroot had been entered. If the chroot did not contain the files glibc needs for resolution (/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS service modules), the lookup failed and client_name() returned "UNKNOWN". Hostname-based deny rules ("hosts deny = *.evil.example") therefore could not match, and an attacker controlling their PTR record could connect from a hostname the administrator had intended to deny. IP-based ACLs were unaffected. Do the reverse DNS lookup before chroot/setuid; client_name() caches its result, so the post-chroot call uses the cached value and hostname-based ACLs work even when DNS is unavailable post-chroot. Adds testsuite/daemon-chroot-acl.test as end-to-end regression coverage. The test sets up an empty chroot directory, configures "hosts deny = <localhost-resolved-name>" with daemon chroot, and asserts the connection is refused with @ERROR access denied. Uses unshare --user --map-root-user for non-root CAP_SYS_CHROOT; skips cleanly on non-Linux or when user namespaces aren't available. | Andrew Tridgell <andrew@tridgell.net> | no | 2025-12-31 | ||
| 2026-05-20/0048-defence-in-depth-bound-wire-supplied-counts-and-leng.patch | [PATCH 48/56] defence-in-depth: bound wire-supplied counts and lengths Multiple receiver-side fields read from the wire were trusted without upper-bound checks. A hostile peer could either request extreme allocations (DoS via --max-alloc) or, on platforms where read_varint returned a negative value, push ~SIZE_MAX through the size_t conversion to wrap downstream length checks. Introduce read_int_bounded(), read_varint_bounded() and read_varint_size() in io.c so wire-derived integer ranges are checked at the read site rather than scattered across each caller, with RERR_PROTOCOL on out-of-range input. Apply the bounded primitives to: - sum->count (checksum count -- previously could overflow (size_t)count * xfer_sum_len on 32-bit with raised max-alloc) - xattrs: count, name_len, datum_len, plus rel_pos overflow detect to stop chain wrapping the num accumulator - acls: ida-entry count - flist: file mode S_IFMT validation, modtime_nsec range check - delete-stat counters in main: per-summand cap so the total can't overflow a signed 32-bit accumulator Reporters include Joshua Rogers (checksum-count overflow finding). | Andrew Tridgell <andrew@tridgell.net> | no | 2025-12-31 | ||
| 2026-05-20/0049-defence-in-depth-guard-cumulative-snprintf-against-l.patch | [PATCH 49/56] defence-in-depth: guard cumulative snprintf against length underflow Two cumulative-snprintf patterns in log.c (rsyserr) and main.c (output_itemized_counts) had the shape len = snprintf(buf, sizeof buf, ...); len += snprintf(buf+len, sizeof buf - len, ...); with no guard between calls. snprintf returns the would-have-been length on truncation, so a truncated first call leaves "sizeof buf - len" as a negative-then-promoted-to-size_t value, underflowing into a huge size_t and writing past buf. Realistic exposure is small in both cases (log header well under buffer, only ~5 itemized iterations writing ~25 chars each into a 1024-byte buffer) but the defect class matches bb0a8118 and the fix is cheap. Guard before each subsequent call. | Andrew Tridgell <andrew@tridgell.net> | no | 2026-05-01 | ||
| 2026-05-20/0050-defence-in-depth-receiver-block-index-bounds-read_de.patch | [PATCH 50/56] defence-in-depth: receiver block-index bounds + read_delay_line null check Two assorted audit findings: - receive_data() never bounds-checked the block index returned by recv_token() against sum.count before computing offset2 and feeding it to map_ptr(). An out-of-bounds index from a hostile sender produces invalid memory access. Add a sum.count bounds check. - read_delay_line()'s strchr() call could return NULL when no space was found, but the code unconditionally added 1 to the result before dereferencing. Low impact (just a disconnect on exit of the client-specific forked process) but the NULL deref is real. Guard the NULL. Both reported by Joshua Rogers. | Andrew Tridgell <andrew@tridgell.net> | no | 2025-12-31 | ||
| 2026-05-20/0052-exclude-fix-crashes-with-fortified-strlcpy.patch | [PATCH 52/56] exclude: fix crashes with fortified strlcpy() Fortified (-D_FORTIFY_SOURCE=2 for gcc) builds make strlcpy() crash when its third parameter (size) is larger than the buffer: $ rsync -FFXHav '--filter=merge global-rsync-filter' Align-37-43/ xxx sending incremental file list *** buffer overflow detected ***: terminated It's in the exclude code in setup_merge_file(): strlcpy(y, save, MAXPATHLEN); Note the 'y' pointer was incremented, so it no longer points to memory with MAXPATHLEN "owned" bytes. Fix it by remembering the number of copied bytes into the 'save' buffer and use that instead of MAXPATHLEN which is clearly incorrect. Fixes #511. | Jiri Slaby <jslaby@suse.cz> | no | 2023-08-18 | ||
| 2026-05-20/0053-testsuite-use-integer-sleep-in-clean-fname-underflow.patch | [PATCH 53/56] testsuite: use integer sleep in clean-fname-underflow.test Solaris /usr/bin/sleep is POSIX and rejects fractional seconds, which made the test abort silently under `set -eu` (empty log, FAIL). One second is more than enough for the daemon to listen. | Andrew Tridgell <andrew@tridgell.net> | no | 2026-05-07 | ||
| 2026-05-20/0055-popt-fix-poptDupArgv-strlcpy-size-argument.patch | [PATCH 55/56] popt: fix poptDupArgv strlcpy size argument The bundled popt 1.18 (rsync 3.2.7) calls strlcpy(dst, argv[i], nb) inside the per-arg loop in poptDupArgv(), where nb is the TOTAL allocation size — not the remaining bytes after dst has advanced. The actual write was always within the malloc'd buffer, so it was silent on older glibcs, but glibc 2.39+ fortified strlcpy compares the size argument against __bos(dst) and aborts with "*** buffer overflow detected ***" once dst passes through any bytes. That broke ~15 tests on Ubuntu 24.04 / glibc 2.39 in CI (any test spawning a child rsync via popt's argv duplication path). Pass the remaining bytes (end_buf - dst) so the size argument matches reality. Master fixed the same bug differently in popt 1.19 (4c8683c8 "update to popt 1.19") by switching to stpcpy, but pulling that 1500-line refresh into a security backport is heavier than warranted. | Andrew Tridgell <andrew@tridgell.net> | no | 2026-05-07 | ||
| Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch | Fix FLAG_GOT_DIR_FLIST collision with FLAG_HLINKED fixes commit 688f5c379a43 (Refuse a duplicate dirlist.) | Natanael Copa <ncopa@alpinelinux.org> | yes | debian upstream | https://github.com/ncopa/rsync/commit/efb85fd8db9e8f74eb3ab91ebf44f6ed35e3da5b | 2025-01-15 |
| fix-aclocalm4-include-paths.patch | aclocal.m4: Fix relative paths for inclusion of m4/{have_type,header_major_fixed,socklen_t}.m4 | Salvatore Bonaccorso <carnil@debian.org> | not-needed |
All known versions for source package 'rsync'
- 3.4.3+ds1-2 (sid)
- 3.4.2+ds1-2 (forky)
- 3.4.1+ds1-5+deb13u3 (trixie-security)
- 3.4.1+ds1-5+deb13u2 (trixie)
- 3.2.7-1+deb12u5 (bookworm-security)
- 3.2.7-1+deb12u4 (bookworm)
