From 73b69187e185b60062e61cb1e6b13e22749e03bb Mon Sep 17 00:00:00 2001
From: panxiaohe <panxh.life@foxmail.com>
Date: Fri, 26 Aug 2022 13:58:08 +0800
Subject: [PATCH] enable make check and fix CVE-2022-29154

---
 CVE-2017-17433.patch           |  29 ---------
 backport-CVE-2022-29154.patch  | 116 +++++++++++++++++++++++++++++++++
 backport-rsync-noatime-2.patch |  57 ++++++++++++++++
 rsync.spec                     |  22 +++++--
 4 files changed, 188 insertions(+), 36 deletions(-)
 delete mode 100644 CVE-2017-17433.patch
 create mode 100644 backport-CVE-2022-29154.patch
 create mode 100644 backport-rsync-noatime-2.patch

diff --git a/CVE-2017-17433.patch b/CVE-2017-17433.patch
deleted file mode 100644
index c9f8aac..0000000
--- a/CVE-2017-17433.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 3e06d40029cfdce9d0f73d87cfd4edaf54be9c51 Mon Sep 17 00:00:00 2001
-From: Jeriko One <jeriko.one@gmx.us>
-Date: Thu, 2 Nov 2017 23:44:19 -0700
-Subject: [PATCH] Check fname in recv_files sooner.
-
----
- receiver.c | 6 ++++++
- 1 file changed, 6 insertions(+), 0 deletions(-)
-
-diff --git a/receiver.c b/receiver.c
-index baae3a91..9fdafa15 100644
---- a/receiver.c
-+++ b/receiver.c
-@@ -574,6 +574,12 @@ int recv_files(int f_in, int f_out, char *local_name)
- 			file = dir_flist->files[cur_flist->parent_ndx];
- 		fname = local_name ? local_name : f_name(file, fbuf);
- 
-+		if (daemon_filter_list.head
-+		    && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
-+			rprintf(FERROR, "attempt to hack rsync failed.\n");
-+			exit_cleanup(RERR_PROTOCOL);
-+		}
-+
- 		if (DEBUG_GTE(RECV, 1))
- 			rprintf(FINFO, "recv_files(%s)\n", fname);
- 
--- 
-2.17.1
-
diff --git a/backport-CVE-2022-29154.patch b/backport-CVE-2022-29154.patch
new file mode 100644
index 0000000..b3edb11
--- /dev/null
+++ b/backport-CVE-2022-29154.patch
@@ -0,0 +1,116 @@
+From b7231c7d02cfb65d291af74ff66e7d8c507ee871 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Sun, 31 Jul 2022 16:55:34 -0700
+Subject: [PATCH] Some extra file-list safety checks.
+
+Conflict:don't apply add_implied_include(),adapt context in flist.c,delete rsync.1.md
+Reference:https://github.com/WayneD/rsync/commit/b7231c7d02cfb65d291af74ff66e7d8c507ee871
+---
+ exclude.c  |  4 +++-
+ flist.c    | 10 ++++++++++
+ main.c     |  2 ++
+ receiver.c | 11 +++++++----
+ 4 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/exclude.c b/exclude.c
+index a0090b2..684935f 100644
+--- a/exclude.c
++++ b/exclude.c
+@@ -45,6 +45,7 @@ filter_rule_list cvs_filter_list = { .debug_type = " [global CVS]" };
+ filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" };
+ 
+ int saw_xattr_filter = 0;
++int trust_sender_filter = 0;
+ 
+ /* Need room enough for ":MODS " prefix plus some room to grow. */
+ #define MAX_RULE_PREFIX (16)
+@@ -721,7 +722,7 @@ static void report_filter_result(enum logcode code, char const *name,
+ 			      : name_flags & NAME_IS_DIR ? "directory"
+ 			      : "file";
+ 		rprintf(code, "[%s] %sing %s %s because of pattern %s%s%s\n",
+-		    w, actions[*w!='s'][!(ent->rflags & FILTRULE_INCLUDE)],
++		    w, actions[*w=='g'][!(ent->rflags & FILTRULE_INCLUDE)],
+ 		    t, name, ent->pattern,
+ 		    ent->rflags & FILTRULE_DIRECTORY ? "/" : "", type);
+ 	}
+@@ -894,6 +895,7 @@ static filter_rule *parse_rule_tok(const char **rulestr_ptr,
+ 		}
+ 		switch (ch) {
+ 		case ':':
++			trust_sender_filter = 1;
+ 			rule->rflags |= FILTRULE_PERDIR_MERGE
+ 				      | FILTRULE_FINISH_SETUP;
+ 			/* FALL THROUGH */
+diff --git a/flist.c b/flist.c
+index 60e843c..0e527a7 100644
+--- a/flist.c
++++ b/flist.c
+@@ -70,6 +70,7 @@ extern int need_unsorted_flist;
+ extern int sender_symlink_iconv;
+ extern int output_needs_newline;
+ extern int sender_keeps_checksum;
++extern int trust_sender_filter;
+ extern int unsort_ndx;
+ extern uid_t our_uid;
+ extern struct stats stats;
+@@ -904,6 +905,15 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
+ 		exit_cleanup(RERR_UNSUPPORTED);
+ 	}
+ 
++	if (*thisname != '.' || thisname[1] != '\0') {
++		int filt_flags = S_ISDIR(mode) ? NAME_IS_DIR : NAME_IS_FILE;
++		if (!trust_sender_filter /* a per-dir filter rule means we must trust the sender's filtering */
++		 && filter_list.head && check_filter(&filter_list, FINFO, thisname, filt_flags) < 0) {
++			rprintf(FERROR, "ERROR: rejecting excluded file-list name: %s\n", thisname);
++			exit_cleanup(RERR_PROTOCOL);
++		}
++	}
++
+ 	if (inc_recurse && S_ISDIR(mode)) {
+ 		if (one_file_system) {
+ 			/* Room to save the dir's device for -x */
+diff --git a/main.c b/main.c
+index ee9630f..7561e21 100644
+--- a/main.c
++++ b/main.c
+@@ -78,6 +78,7 @@ extern BOOL flist_receiving_enabled;
+ extern BOOL shutting_down;
+ extern int backup_dir_len;
+ extern int basis_dir_cnt;
++extern int trust_sender_filter;
+ extern struct stats stats;
+ extern char *stdout_format;
+ extern char *logfile_format;
+@@ -534,6 +535,7 @@ static pid_t do_cmd(char *cmd, char *machine, char *user, char **remote_argv, in
+ #ifdef ICONV_CONST
+ 		setup_iconv();
+ #endif
++		trust_sender_filter = 1;
+ 	} else if (local_server) {
+ 		/* If the user didn't request --[no-]whole-file, force
+ 		 * it on, but only if we're not batch processing. */
+diff --git a/receiver.c b/receiver.c
+index 6218452..147d7e5 100644
+--- a/receiver.c
++++ b/receiver.c
+@@ -583,10 +583,13 @@ int recv_files(int f_in, int f_out, char *local_name)
+ 		if (DEBUG_GTE(RECV, 1))
+ 			rprintf(FINFO, "recv_files(%s)\n", fname);
+ 
+-		if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
+-		 && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
+-			rprintf(FERROR, "attempt to hack rsync failed.\n");
+-			exit_cleanup(RERR_PROTOCOL);
++		if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')) {
++			int filt_flags = S_ISDIR(file->mode) ? NAME_IS_DIR : NAME_IS_FILE;
++			if (check_filter(&daemon_filter_list, FLOG, fname, filt_flags) < 0) {
++				rprintf(FERROR, "ERROR: rejecting file transfer request for daemon excluded file: %s\n",
++					fname);
++				exit_cleanup(RERR_PROTOCOL);
++			}
+ 		}
+ 
+ #ifdef SUPPORT_XATTRS
+-- 
+2.27.0
+
diff --git a/backport-rsync-noatime-2.patch b/backport-rsync-noatime-2.patch
new file mode 100644
index 0000000..9c53735
--- /dev/null
+++ b/backport-rsync-noatime-2.patch
@@ -0,0 +1,57 @@
+Optionally preserve atimes.
+    
+Based on https://bugzilla.samba.org/show_bug.cgi?id=7249#c1 by Nicolas George.
+
+Index: rsync/tls.c
+===================================================================
+--- rsync.orig/tls.c
++++ rsync/tls.c
+@@ -53,6 +53,7 @@ int preserve_perms = 0;
+ int preserve_executability = 0;
+ int preallocate_files = 0;
+ int inplace = 0;
++int noatime = 0;
+ 
+ #ifdef SUPPORT_XATTRS
+ 
+Index: rsync/t_unsafe.c
+===================================================================
+--- rsync.orig/t_unsafe.c
++++ rsync/t_unsafe.c
+@@ -33,6 +33,10 @@ int preserve_perms = 0;
+ int preserve_executability = 0;
+ short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG];
+ 
++/* This is to make syscall.o shut up. */
++int noatime = 0;
++
++
+ int
+ main(int argc, char **argv)
+ {
+Index: rsync/wildtest.c
+===================================================================
+--- rsync.orig/wildtest.c
++++ rsync/wildtest.c
+@@ -32,6 +32,9 @@ int fnmatch_errors = 0;
+ 
+ int wildmatch_errors = 0;
+ 
++/* This is to make syscall.o shut up. */
++int noatime = 0;
++
+ typedef char bool;
+ 
+ int output_iterations = 0;
+Index: rsync/trimslash.c
+===================================================================
+--- rsync.orig/trimslash.c
++++ rsync/trimslash.c
+@@ -30,6 +30,7 @@ int preserve_perms = 0;
+ int preserve_executability = 0;
+ int preallocate_files = 0;
+ int inplace = 0;
++int noatime = 0;
+ 
+ int
+ main(int argc, char **argv)
diff --git a/rsync.spec b/rsync.spec
index 259e193..2c13aa1 100644
--- a/rsync.spec
+++ b/rsync.spec
@@ -1,6 +1,6 @@
 Name:           rsync
 Version:        3.1.3
-Release:        8
+Release:        9
 Summary:        Fast incremental file transfer utility
 License:        GPLv3+
 URL:            http://rsync.samba.org/
@@ -31,10 +31,11 @@ Patch10:        Fix-zlib-CVE-2016-9842.patch
 Patch11:        Fix-zlib-CVE-2016-9843.patch
 Patch12:        Fix-bug-in-try_dests_reg-that-Florian-Zumbiehl-point.patch
 Patch13:        Try-to-fix-the-iconv-crash-in-bug-11338.patch
-Patch14:        CVE-2017-17433.patch
-Patch15:        backport-Use-a-lock-to-not-fail-on-a-left-over-pid-file.patch 
-Patch16:        backport-CVE-2022-37434.patch
-Patch17:        backport-A-fix-for-the-zlib-fix.patch
+Patch14:        backport-Use-a-lock-to-not-fail-on-a-left-over-pid-file.patch
+Patch15:        backport-CVE-2022-37434.patch
+Patch16:        backport-A-fix-for-the-zlib-fix.patch
+Patch17:        backport-rsync-noatime-2.patch
+Patch18:        backport-CVE-2022-29154.patch
 
 %description
 Rsync is an open source utility that provides fast incremental file transfer.
@@ -52,12 +53,14 @@ patch -p1 -i patches/acls.diff
 patch -p1 -i patches/xattrs.diff
 patch -p1 -i patches/copy-devices.diff
 
-chmod -x support/*
-
 %build
 %configure
 %make_build
 
+%check
+make check
+chmod -x support/*
+
 %install
 %make_install
 
@@ -93,6 +96,11 @@ install -D -m644 %{SOURCE6} %{buildroot}/%{_unitdir}/rsyncd@.service
 %{_mandir}/man5/rsyncd.conf.5*
 
 %changelog
+* Fri Aug 26 2022 panxiaohe <panxh.life@foxmail.com> - 3.1.3-9
+- enable make check
+- delete redundant patch and renew rsync-noatime.patch
+- fix CVE-2022-29154
+
 * Thu Aug 18 2022 fuanan <fuanan3@h-partners.com> - 3.1.3-8
 - Fix CVE-2022-37434