enable make check and fix CVE-2022-29154
This commit is contained in:
parent
a7ca8a1a99
commit
73b69187e1
@ -1,29 +0,0 @@
|
||||
From 3e06d40029cfdce9d0f73d87cfd4edaf54be9c51 Mon Sep 17 00:00:00 2001
|
||||
From: Jeriko One <jeriko.one@gmx.us>
|
||||
Date: Thu, 2 Nov 2017 23:44:19 -0700
|
||||
Subject: [PATCH] Check fname in recv_files sooner.
|
||||
|
||||
---
|
||||
receiver.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/receiver.c b/receiver.c
|
||||
index baae3a91..9fdafa15 100644
|
||||
--- a/receiver.c
|
||||
+++ b/receiver.c
|
||||
@@ -574,6 +574,12 @@ int recv_files(int f_in, int f_out, char *local_name)
|
||||
file = dir_flist->files[cur_flist->parent_ndx];
|
||||
fname = local_name ? local_name : f_name(file, fbuf);
|
||||
|
||||
+ if (daemon_filter_list.head
|
||||
+ && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
|
||||
+ rprintf(FERROR, "attempt to hack rsync failed.\n");
|
||||
+ exit_cleanup(RERR_PROTOCOL);
|
||||
+ }
|
||||
+
|
||||
if (DEBUG_GTE(RECV, 1))
|
||||
rprintf(FINFO, "recv_files(%s)\n", fname);
|
||||
|
||||
--
|
||||
2.17.1
|
||||
|
||||
116
backport-CVE-2022-29154.patch
Normal file
116
backport-CVE-2022-29154.patch
Normal file
@ -0,0 +1,116 @@
|
||||
From b7231c7d02cfb65d291af74ff66e7d8c507ee871 Mon Sep 17 00:00:00 2001
|
||||
From: Wayne Davison <wayne@opencoder.net>
|
||||
Date: Sun, 31 Jul 2022 16:55:34 -0700
|
||||
Subject: [PATCH] Some extra file-list safety checks.
|
||||
|
||||
Conflict:don't apply add_implied_include(),adapt context in flist.c,delete rsync.1.md
|
||||
Reference:https://github.com/WayneD/rsync/commit/b7231c7d02cfb65d291af74ff66e7d8c507ee871
|
||||
---
|
||||
exclude.c | 4 +++-
|
||||
flist.c | 10 ++++++++++
|
||||
main.c | 2 ++
|
||||
receiver.c | 11 +++++++----
|
||||
4 files changed, 22 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/exclude.c b/exclude.c
|
||||
index a0090b2..684935f 100644
|
||||
--- a/exclude.c
|
||||
+++ b/exclude.c
|
||||
@@ -45,6 +45,7 @@ filter_rule_list cvs_filter_list = { .debug_type = " [global CVS]" };
|
||||
filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
|
||||
|
||||
int saw_xattr_filter = 0;
|
||||
+int trust_sender_filter = 0;
|
||||
|
||||
/* Need room enough for ":MODS " prefix plus some room to grow. */
|
||||
#define MAX_RULE_PREFIX (16)
|
||||
@@ -721,7 +722,7 @@ static void report_filter_result(enum logcode code, char const *name,
|
||||
: name_flags & NAME_IS_DIR ? "directory"
|
||||
: "file";
|
||||
rprintf(code, "[%s] %sing %s %s because of pattern %s%s%s\n",
|
||||
- w, actions[*w!='s'][!(ent->rflags & FILTRULE_INCLUDE)],
|
||||
+ w, actions[*w=='g'][!(ent->rflags & FILTRULE_INCLUDE)],
|
||||
t, name, ent->pattern,
|
||||
ent->rflags & FILTRULE_DIRECTORY ? "/" : "", type);
|
||||
}
|
||||
@@ -894,6 +895,7 @@ static filter_rule *parse_rule_tok(const char **rulestr_ptr,
|
||||
}
|
||||
switch (ch) {
|
||||
case ':':
|
||||
+ trust_sender_filter = 1;
|
||||
rule->rflags |= FILTRULE_PERDIR_MERGE
|
||||
| FILTRULE_FINISH_SETUP;
|
||||
/* FALL THROUGH */
|
||||
diff --git a/flist.c b/flist.c
|
||||
index 60e843c..0e527a7 100644
|
||||
--- a/flist.c
|
||||
+++ b/flist.c
|
||||
@@ -70,6 +70,7 @@ extern int need_unsorted_flist;
|
||||
extern int sender_symlink_iconv;
|
||||
extern int output_needs_newline;
|
||||
extern int sender_keeps_checksum;
|
||||
+extern int trust_sender_filter;
|
||||
extern int unsort_ndx;
|
||||
extern uid_t our_uid;
|
||||
extern struct stats stats;
|
||||
@@ -904,6 +905,15 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
|
||||
exit_cleanup(RERR_UNSUPPORTED);
|
||||
}
|
||||
|
||||
+ if (*thisname != '.' || thisname[1] != '\0') {
|
||||
+ int filt_flags = S_ISDIR(mode) ? NAME_IS_DIR : NAME_IS_FILE;
|
||||
+ if (!trust_sender_filter /* a per-dir filter rule means we must trust the sender's filtering */
|
||||
+ && filter_list.head && check_filter(&filter_list, FINFO, thisname, filt_flags) < 0) {
|
||||
+ rprintf(FERROR, "ERROR: rejecting excluded file-list name: %s\n", thisname);
|
||||
+ exit_cleanup(RERR_PROTOCOL);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (inc_recurse && S_ISDIR(mode)) {
|
||||
if (one_file_system) {
|
||||
/* Room to save the dir's device for -x */
|
||||
diff --git a/main.c b/main.c
|
||||
index ee9630f..7561e21 100644
|
||||
--- a/main.c
|
||||
+++ b/main.c
|
||||
@@ -78,6 +78,7 @@ extern BOOL flist_receiving_enabled;
|
||||
extern BOOL shutting_down;
|
||||
extern int backup_dir_len;
|
||||
extern int basis_dir_cnt;
|
||||
+extern int trust_sender_filter;
|
||||
extern struct stats stats;
|
||||
extern char *stdout_format;
|
||||
extern char *logfile_format;
|
||||
@@ -534,6 +535,7 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
|
||||
#ifdef ICONV_CONST
|
||||
setup_iconv();
|
||||
#endif
|
||||
+ trust_sender_filter = 1;
|
||||
} else if (local_server) {
|
||||
/* If the user didn't request --[no-]whole-file, force
|
||||
* it on, but only if we're not batch processing. */
|
||||
diff --git a/receiver.c b/receiver.c
|
||||
index 6218452..147d7e5 100644
|
||||
--- a/receiver.c
|
||||
+++ b/receiver.c
|
||||
@@ -583,10 +583,13 @@ int recv_files(int f_in, int f_out, char *local_name)
|
||||
if (DEBUG_GTE(RECV, 1))
|
||||
rprintf(FINFO, "recv_files(%s)\n", fname);
|
||||
|
||||
- if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
|
||||
- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
|
||||
- rprintf(FERROR, "attempt to hack rsync failed.\n");
|
||||
- exit_cleanup(RERR_PROTOCOL);
|
||||
+ if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')) {
|
||||
+ int filt_flags = S_ISDIR(file->mode) ? NAME_IS_DIR : NAME_IS_FILE;
|
||||
+ if (check_filter(&daemon_filter_list, FLOG, fname, filt_flags) < 0) {
|
||||
+ rprintf(FERROR, "ERROR: rejecting file transfer request for daemon excluded file: %s\n",
|
||||
+ fname);
|
||||
+ exit_cleanup(RERR_PROTOCOL);
|
||||
+ }
|
||||
}
|
||||
|
||||
#ifdef SUPPORT_XATTRS
|
||||
--
|
||||
2.27.0
|
||||
|
||||
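Review bot: The flist.c hunk adds a receiver-side check that rejects any file-list name matching the client's own `filter_list`, but the header at the top of this patch says the upstream commit's add_implied_include() part was deliberately left out, and nothing in the hunk records that. Upstream appears to use those implied include rules so that the paths the user asked for (and their parent directories) are not rejected by this very check when an exclude rule also matches them, so this backport likely risks spurious `ERROR: rejecting excluded file-list name` failures on legitimate transfers; it should be tested with an `--exclude` pattern that also matches a requested argument. At minimum the omission should be documented beside the check, e.g. `/* Backport note: upstream pairs this check with add_implied_include(); it is not applied here, so requested paths that also match an exclude rule may be rejected. */`. The enclosing recv_file_entry body starts and ends outside the hunk.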
57
backport-rsync-noatime-2.patch
Normal file
57
backport-rsync-noatime-2.patch
Normal file
@ -0,0 +1,57 @@
|
||||
Optionally preserve atimes.
|
||||
|
||||
Based on https://bugzilla.samba.org/show_bug.cgi?id=7249#c1 by Nicolas George.
|
||||
|
||||
Index: rsync/tls.c
|
||||
===================================================================
|
||||
--- rsync.orig/tls.c
|
||||
+++ rsync/tls.c
|
||||
@@ -53,6 +53,7 @@ int preserve_perms = 0;
|
||||
int preserve_executability = 0;
|
||||
int preallocate_files = 0;
|
||||
int inplace = 0;
|
||||
+int noatime = 0;
|
||||
|
||||
#ifdef SUPPORT_XATTRS
|
||||
|
||||
Index: rsync/t_unsafe.c
|
||||
===================================================================
|
||||
--- rsync.orig/t_unsafe.c
|
||||
+++ rsync/t_unsafe.c
|
||||
@@ -33,6 +33,10 @@ int preserve_perms = 0;
|
||||
int preserve_executability = 0;
|
||||
short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG];
|
||||
|
||||
+/* This is to make syscall.o shut up. */
|
||||
+int noatime = 0;
|
||||
+
|
||||
+
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
Index: rsync/wildtest.c
|
||||
===================================================================
|
||||
--- rsync.orig/wildtest.c
|
||||
+++ rsync/wildtest.c
|
||||
@@ -32,6 +32,9 @@ int fnmatch_errors = 0;
|
||||
|
||||
int wildmatch_errors = 0;
|
||||
|
||||
+/* This is to make syscall.o shut up. */
|
||||
+int noatime = 0;
|
||||
+
|
||||
typedef char bool;
|
||||
|
||||
int output_iterations = 0;
|
||||
Index: rsync/trimslash.c
|
||||
===================================================================
|
||||
--- rsync.orig/trimslash.c
|
||||
+++ rsync/trimslash.c
|
||||
@@ -30,6 +30,7 @@ int preserve_perms = 0;
|
||||
int preserve_executability = 0;
|
||||
int preallocate_files = 0;
|
||||
int inplace = 0;
|
||||
+int noatime = 0;
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
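Review bot: The comment `/* This is to make syscall.o shut up. */` on the t_unsafe.c and wildtest.c hunks tells a later reader nothing, and the tls.c and trimslash.c hunks add the same `int noatime = 0;` with no comment at all. Presumably syscall.o now references `noatime` and these standalone tools link against it without pulling in the option definitions; say so in one consistent comment on all four definitions, e.g. `/* syscall.o references noatime; define it here so this standalone tool links. */`. The t_unsafe.c hunk also adds two blank lines after the definition where one would match the other three files.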
22
rsync.spec
22
rsync.spec
@ -1,6 +1,6 @@
|
||||
Name: rsync
|
||||
Version: 3.1.3
|
||||
Release: 8
|
||||
Release: 9
|
||||
Summary: Fast incremental file transfer utility
|
||||
License: GPLv3+
|
||||
URL: http://rsync.samba.org/
|
||||
@ -31,10 +31,11 @@ Patch10: Fix-zlib-CVE-2016-9842.patch
|
||||
Patch11: Fix-zlib-CVE-2016-9843.patch
|
||||
Patch12: Fix-bug-in-try_dests_reg-that-Florian-Zumbiehl-point.patch
|
||||
Patch13: Try-to-fix-the-iconv-crash-in-bug-11338.patch
|
||||
Patch14: CVE-2017-17433.patch
|
||||
Patch15: backport-Use-a-lock-to-not-fail-on-a-left-over-pid-file.patch
|
||||
Patch16: backport-CVE-2022-37434.patch
|
||||
Patch17: backport-A-fix-for-the-zlib-fix.patch
|
||||
Patch14: backport-Use-a-lock-to-not-fail-on-a-left-over-pid-file.patch
|
||||
Patch15: backport-CVE-2022-37434.patch
|
||||
Patch16: backport-A-fix-for-the-zlib-fix.patch
|
||||
Patch17: backport-rsync-noatime-2.patch
|
||||
Patch18: backport-CVE-2022-29154.patch
|
||||
|
||||
%description
|
||||
Rsync is an open source utility that provides fast incremental file transfer.
|
||||
@ -52,12 +53,14 @@ patch -p1 -i patches/acls.diff
|
||||
patch -p1 -i patches/xattrs.diff
|
||||
patch -p1 -i patches/copy-devices.diff
|
||||
|
||||
chmod -x support/*
|
||||
|
||||
%build
|
||||
%configure
|
||||
%make_build
|
||||
|
||||
%check
|
||||
make check
|
||||
chmod -x support/*
|
||||
|
||||
%install
|
||||
%make_install
|
||||
|
||||
@ -93,6 +96,11 @@ install -D -m644 %{SOURCE6} %{buildroot}/%{_unitdir}/rsyncd@.service
|
||||
%{_mandir}/man5/rsyncd.conf.5*
|
||||
|
||||
%changelog
|
||||
* Fri Aug 26 2022 panxiaohe <panxh.life@foxmail.com> - 3.1.3-9
|
||||
- enable make check
|
||||
- delete redundant patch and renew rsync-noatime.patch
|
||||
- fix CVE-2022-29154
|
||||
|
||||
* Thu Aug 18 2022 fuanan <fuanan3@h-partners.com> - 3.1.3-8
|
||||
- Fix CVE-2022-37434
|
||||
|
||||
|
||||
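Review bot: The %changelog line `- delete redundant patch and renew rsync-noatime.patch` does not say which patch was dropped or why, while the Patch list hunk removes `Patch14: CVE-2017-17433.patch` and renumbers Patch15-17 down to Patch14-16. The removed context in the new backport-CVE-2022-29154.patch (the old `attempt to hack rsync failed` check in receiver.c) suggests the 3.1.3 base already carries that fix, which is the reason worth recording, e.g. `- delete redundant CVE-2017-17433.patch (already fixed in upstream 3.1.3)`. Renumbering the surviving patches is churn that makes future backports harder to diff; keeping the existing numbers and leaving Patch14 unused would be simpler. If `chmod -x support/*` was indeed moved from %prep to after `make check`, a one-line comment stating that the testsuite needs the support scripts executable would explain the move.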