Package: rsync / 3.2.7-1+deb12u2

Metadata

Package: rsync
Version: 3.2.7-1+deb12u2
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
disable_reconfigure_req.diff

Makefile.in | 20 0 + 20 - 0 !
1 file changed, 20 deletions(-)

 remove need to run reconfigure target
skip_devices_test.patch

testsuite/devices.test | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 skip "devices" test as it fails on kfreebsd and hurd
 Error log:
 /
perl_shebang.patch

support/cvs2includes | 2 1 + 1 - 0 !
support/file-attr-restore | 2 1 + 1 - 0 !
support/files-to-excludes | 2 1 + 1 - 0 !
support/logfilter | 2 1 + 1 - 0 !
support/lsh | 2 1 + 1 - 0 !
support/mnt-excl | 2 1 + 1 - 0 !
support/rsyncstats | 2 1 + 1 - 0 !
7 files changed, 7 insertions(+), 7 deletions(-)

 removes usage of env on perl shebang as per Debian policy 10.4
fix_rrsync_man_generation.patch

maybe-make-man | 8 2 + 6 - 0 !
1 file changed, 2 insertions(+), 6 deletions(-)

 fix manpage installation for rrsync
 Otherwise we would get "ERROR: support/rrsync.1 cannot be created."
 I'm not confident this is the best approach on solving this issue,
 but I know this works with no regressions.
 This patch needs to be reviewed before being submitted to upstream.
avoid_quoting_of_tilde_when_its_a_destination_arg.patch

options.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] avoid quoting of tilde when it's a destination arg.


trust_the_sender_on_a_local_transfer.patch

main.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch] trust the sender on a local transfer.


CVE 2024 12084/0001 Some checksum buffer fixes.patch

io.c | 3 2 + 1 - 0 !
match.c | 8 4 + 4 - 0 !
rsync.c | 5 4 + 1 - 0 !
rsync.h | 4 3 + 1 - 0 !
sender.c | 4 3 + 1 - 0 !
5 files changed, 16 insertions(+), 8 deletions(-)

 [patch 1/2] some checksum buffer fixes.

- Put sum2_array into sum_struct to hold an array of sum2 checksums
  that are each xfer_sum_len bytes.
- Remove sum2 buf from sum_buf.
- Add macro sum2_at() to access each sum2 array element.
- Throw an error if a sums header has an s2length larger than
  xfer_sum_len.

CVE 2024 12084/0002 Another cast when multiplying integers.patch

rsync.h | 2 1 + 1 - 0 !
sender.c | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

 [patch 2/2] another cast when multiplying integers.


CVE 2024 12085/0001 prevent information leak off the stack.patch

match.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [patch] prevent information leak off the stack

prevent leak of uninitialised stack data in hash_search

CVE 2024 12086/0001 refuse fuzzy options when fuzzy not selected.patch

receiver.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 [patch 1/4] refuse fuzzy options when fuzzy not selected

this prevents a malicious server providing a file to compare to when
the user has not given the fuzzy option

CVE 2024 12086/0002 added secure_relative_open.patch

syscall.c | 74 74 + 0 - 0 !
1 file changed, 74 insertions(+)

 [patch 2/4] added secure_relative_open()

this is an open that enforces no symlink following for all path
components in a relative path

CVE 2024 12086/0003 receiver use secure_relative_open for basis file.patch

receiver.c | 42 26 + 16 - 0 !
1 file changed, 26 insertions(+), 16 deletions(-)

 [patch 3/4] receiver: use secure_relative_open() for basis file

this prevents attacks where the basis file is manipulated by a
malicious sender to gain information about files outside the
destination tree

CVE 2024 12086/0004 disallow . elements in relpath for secure_relative_o.patch

syscall.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 [patch 4/4] disallow ../ elements in relpath for secure_relative_open


CVE 2024 12087/0001 Refuse a duplicate dirlist.patch

flist.c | 9 9 + 0 - 0 !
rsync.h | 1 1 + 0 - 0 !
2 files changed, 10 insertions(+)

 [patch 1/2] refuse a duplicate dirlist.


CVE 2024 12087/0002 range check dir_ndx before use.patch

flist.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 [patch 2/2] range check dir_ndx before use


CVE 2024 12088/0001 make safe links stricter.patch

testsuite/safe-links.test | 55 55 + 0 - 0 !
testsuite/unsafe-byname.test | 2 1 + 1 - 0 !
util1.c | 26 25 + 1 - 0 !
3 files changed, 81 insertions(+), 2 deletions(-)

 [patch] make --safe-links stricter

when --safe-links is used also reject links where a '../' component is
included in the destination as other than the leading part of the
filename

CVE 2024 12747/0001 fixed symlink race condition in sender.patch

checksum.c | 2 1 + 1 - 0 !
flist.c | 2 1 + 1 - 0 !
generator.c | 4 2 + 2 - 0 !
receiver.c | 2 1 + 1 - 0 !
sender.c | 2 1 + 1 - 0 !
syscall.c | 20 20 + 0 - 0 !
t_unsafe.c | 3 3 + 0 - 0 !
tls.c | 3 3 + 0 - 0 !
trimslash.c | 2 2 + 0 - 0 !
util1.c | 2 1 + 1 - 0 !
10 files changed, 35 insertions(+), 7 deletions(-)

 [patch] fixed symlink race condition in sender

when we open a file that we don't expect to be a symlink use
O_NOFOLLOW to prevent a race condition where an attacker could change
a file between being a normal file and a symlink

raise protocol version to 32.patch

rsync.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch 1/3] raise protocol version to 32

make it easier to spot unpatched servers

Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED.patch

rsync.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix FLAG_GOT_DIR_FLIST collision with FLAG_HLINKED
Fix_use after free_in_generator.patch

generator.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch] fix use-after-free in generator

full_fname() will free the return value in the next call so we need to
duplicate it before passing it to rsyserr.

Fixes: https://github.com/RsyncProject/rsync/issues/704