Diffstat (limited to 'debian/patches/rsync-upstream-CVE-patches-v3/version_update')
3 files changed, 107 insertions, 0 deletions
diff --git a/debian/patches/rsync-upstream-CVE-patches-v3/version_update/0001-raise-protocol-version-to-32.patch b/debian/patches/rsync-upstream-CVE-patches-v3/version_update/0001-raise-protocol-version-to-32.patch
new file mode 100644
index 0000000..94054fd
--- /dev/null
+++ b/debian/patches/rsync-upstream-CVE-patches-v3/version_update/0001-raise-protocol-version-to-32.patch
@@ -0,0 +1,26 @@
+From 163e05b1680c4a3b448fa68d03c3fca9589f3bc4 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Tue, 10 Dec 2024 13:34:01 +1100
+Subject: [PATCH 1/3] raise protocol version to 32
+
+make it easier to spot unpatched servers
+---
+ rsync.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync.h b/rsync.h
+index b9a7101a..9be1297b 100644
+--- a/rsync.h
++++ b/rsync.h
+@@ -111,7 +111,7 @@
+ 
+ /* Update this if you make incompatible changes and ALSO update the
+ * SUBPROTOCOL_VERSION if it is not a final (official) release. */
+-#define PROTOCOL_VERSION 31
++#define PROTOCOL_VERSION 32
+ 
+ /* This is used when working on a new protocol version or for any unofficial
+ * protocol tweaks. It should be a non-zero value for each pre-release repo
+-- 
+2.34.1
+
diff --git a/debian/patches/rsync-upstream-CVE-patches-v3/version_update/0002-change-version-to-3.4.0.patch b/debian/patches/rsync-upstream-CVE-patches-v3/version_update/0002-change-version-to-3.4.0.patch
new file mode 100644
index 0000000..22b3b3f
--- /dev/null
+++ b/debian/patches/rsync-upstream-CVE-patches-v3/version_update/0002-change-version-to-3.4.0.patch
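Review bot: The patch header justifies the bump only with "make it easier to spot unpatched servers", while the rsync.h comment kept as context ties PROTOCOL_VERSION to incompatible changes and to SUBPROTOCOL_VERSION, which this hunk leaves untouched and no wire-format change is visible alongside it. In a backport that cherry-picks only the CVE fixes, the advertised protocol version therefore acts as a patched-server indicator rather than a compatibility signal, so this patch should only ever sit in a series that also carries every fix from rsync-upstream-CVE-patches-v3; applied on its own it would make a still-vulnerable server look fixed to anything keyed on protocol 32. I would record that dependency in the patch description above the `---` separator, e.g. `Debian: apply only together with the CVE fixes in rsync-upstream-CVE-patches-v3; this advertises protocol 32 as a patched-server marker and changes no wire format.`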
@@ -0,0 +1,20 @@
+From 481228ff763050c1e1751877bd343a7378d990ba Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Wed, 18 Dec 2024 09:08:24 +1100
+Subject: [PATCH 2/3] change version to 3.4.0
+
+Backported-By: Samuel Henrique <samueloph@debian.org>
+* Change previous version from the patch, from "3.3.1dev" to "3.3.0"
+
+---
+ version.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: rsync/version.h
+===================================================================
+--- rsync.orig/version.h
++++ rsync/version.h
+@@ -1,2 +1,2 @@
+-#define RSYNC_VERSION "3.3.0"
++#define RSYNC_VERSION "3.4.0"
+ #define MAINTAINER_TZ_OFFSET -7.0
diff --git a/debian/patches/rsync-upstream-CVE-patches-v3/version_update/0003-update-NEWS-for-3.4.0.patch b/debian/patches/rsync-upstream-CVE-patches-v3/version_update/0003-update-NEWS-for-3.4.0.patch
new file mode 100644
index 0000000..8627b55
--- /dev/null
+++ b/debian/patches/rsync-upstream-CVE-patches-v3/version_update/0003-update-NEWS-for-3.4.0.patch
@@ -0,0 +1,61 @@
+From 53f72320ba25b1dbb263dd14c26dc34c8ef3c89b Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Wed, 18 Dec 2024 09:20:33 +1100
+Subject: [PATCH 3/3] update NEWS for 3.4.0
+
+Backported-By: Samuel Henrique <samueloph@debian.org>
+* Update patch context since upstream had other staged entries and we are just cherry-picking
+ the CVE fixes.
+
+---
+ NEWS.md | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+Index: rsync/NEWS.md
+===================================================================
+--- rsync.orig/NEWS.md
++++ rsync/NEWS.md
+@@ -1,3 +1,43 @@
++# NEWS for rsync 3.4.0 (9 January 2025)
++
++Version 3.4.0 is a security release fixing 6 important security bugs
++found by two different security research teams. Many thanks to Simon
++Scannell leading the google security team for 5 of the issues and
++Aleksei Gorban (loqpa) for the 6th issue.
++
++All users are strongly enourages to update to 3.4.0 as soon as
++possible.
++
++## Changes in this version:
++
++### BUG FIXES:
++
++- fixed 6 security issues, see CVE for full details
++
++- CVE-2024-12087 A server can make a client write files outside of the
++ destination directory using symbolic links
++
++- CVE-2024-12088 A --safe-links bypass vulnerability can result in a
++ client pointing outside of the destination directory
++
++- CVE-2024-12086 Server leaks arbitrary client files when a client is
++ connected to a malicious server.
++
++- CVE-2024-12085 Info leak via uninitialized stack contents defeats
++ address space layout randomization.
++
++- CVE-2024-12084 A vulnerability in the heap buffer overflow in
++ checksum parsing allows an attacker to write <= 48 bytes past the
++ sum2 buffer limit
++
++- CVE-2024-XXXX (not yet assigned) symlink race condition in sender
++
++- update to popt 1.19
++
++- correct type size for orig_umask
++
++------------------------------------------------------------------------------
++
+ # NEWS for rsync 3.3.0 (6 Apr 2024)
+ 
+ ## Changes in this version: |