https://nvd.nist.gov/vuln/detail/CVE-2022-29154 can we please have a fixed version? thx!
Hi, AFAIK this CVE was published yesterday and remains under analysis; there are no details about a fix or workaround in the CVE itself or on the project website. I'm pretty sure a fix will arise in the upcoming hours, so I will keep an eye on this one. I'm not sure if at this point contacting the maintainer or rushing the process will help. Thanks for the heads-up. Regards, -- rodrigo
Status Update

I had an exchange with the rsync maintainer [1], and we can expect a final 3.5.2 release in about a week. A 3.5.2pre2 was pushed yesterday (09-08-2022).

Moving from tar archives to the git repo could be an option, but:
- it requires some heavy changes in the way the port is done, since in the tar archives some files are pre-processed.
- 3.5.2 still has bugs and is not ready for production.

I took a look at other OSes such as Debian, and AFAIK no action was taken; we are still waiting for an official release.

[1] https://github.com/WayneD/rsync/issues/345
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=6c5b063e240ba123d9d8d888cf00866f50766afd

commit 6c5b063e240ba123d9d8d888cf00866f50766afd
Author: Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2022-08-10 09:01:54 +0000
Commit: Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2022-08-10 09:04:11 +0000

    security/vuxml: Document rsync client-side arbitrary file write vulnerability

    PR: 265633

 security/vuxml/vuln-2022.xml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
(In reply to commit-hook from comment #3)

Vulnerability reported in the vuxml database.
v3.5.2 has been released: https://github.com/WayneD/rsync/releases/tag/v3.2.5
(In reply to Dani I. from comment #5)

Yes, I noticed that. I was checking their progress every day. Good news: it compiles without error, so the upgrade and MFH are in process.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d7990faa348a894f6d8c4563abcaadc2cebaafc7

commit d7990faa348a894f6d8c4563abcaadc2cebaafc7
Author: Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2022-08-16 15:45:13 +0000
Commit: Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2022-08-16 15:59:14 +0000

    net/rsync: Update to 3.2.5

    Major changes:
    * CVE-2022-29154 Added some file-list safety checking
    * CVE-2022-37434 Fix in the bundled zlib (buffer overflow issue)
    * Fix the handling of filenames specified with backslash-quoted wildcards with the remote-arg-escaping
    * Fix configure check for signed char that causes bogus checksums
    * rsync is compiled with an xxhash 0.8 library
    * New --trust-sender option to bypass the extra file-list safety checking

    Full changelog: https://github.com/WayneD/rsync/blob/master/NEWS.md

    PR: 265633
    Reported by: rob2g2 <rob2g2-freebsd@bitbert.com>
    Relnotes: yes
    Security: CVE-2022-29154
    Security: CVE-2022-37434

 net/rsync/Makefile | 3 +--
 net/rsync/distinfo | 14 +++++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)
A commit in branch 2022Q3 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=af0a5e4af6e253bc3f9ca1f5dd3154656bf3525e

commit af0a5e4af6e253bc3f9ca1f5dd3154656bf3525e
Author: Rodrigo Osorio <rodrigo@FreeBSD.org>
AuthorDate: 2022-08-16 15:45:13 +0000
Commit: Rodrigo Osorio <rodrigo@FreeBSD.org>
CommitDate: 2022-08-16 16:04:13 +0000

    net/rsync: Update to 3.2.5

    Major changes:
    * CVE-2022-29154 Added some file-list safety checking
    * CVE-2022-37434 Fix in the bundled zlib (buffer overflow issue)
    * Fix the handling of filenames specified with backslash-quoted wildcards with the remote-arg-escaping
    * Fix configure check for signed char that causes bogus checksums
    * rsync is compiled with an xxhash 0.8 library
    * New --trust-sender option to bypass the extra file-list safety checking

    Full changelog: https://github.com/WayneD/rsync/blob/master/NEWS.md

    PR: 265633
    Reported by: rob2g2 <rob2g2-freebsd@bitbert.com>
    Relnotes: yes
    Security: CVE-2022-29154
    Security: CVE-2022-37434

    (cherry picked from commit d7990faa348a894f6d8c4563abcaadc2cebaafc7)

 net/rsync/Makefile | 3 +--
 net/rsync/distinfo | 14 +++++++++-----
 2 files changed, 10 insertions(+), 7 deletions(-)
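The 3.2.5 changelog above lists the new file-list safety checking for CVE-2022-29154 and the --trust-sender option that bypasses it. As an added illustration (not rsync's own code and not part of the port), here is a simplified model in Python of what such a receiver-side check does: every path in the sender-supplied file list must be relative, free of ".." components, and must name or lie under one of the items the client actually requested. The prefix-matching rule and the trust_sender flag are assumptions of this sketch, not rsync's implementation.

```python
def _normalized_parts(path):
    """Split a sender-supplied path into components, rejecting anything
    that could escape the destination directory.  Returns None on reject."""
    if path.startswith("/"):
        # Absolute paths are never legitimate in a file list relative to
        # the destination.
        return None
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        # Empty after normalization, or contains a parent-directory hop.
        return None
    return parts


def is_allowed_entry(requested, entry):
    """True if `entry` (one file-list path from the sender) is, or lies
    under, one of the `requested` names the client asked to transfer.
    Assumption of this sketch: a requested name covers its whole subtree."""
    entry_parts = _normalized_parts(entry)
    if entry_parts is None:
        return False
    for req in requested:
        req_parts = _normalized_parts(req.rstrip("/"))
        if req_parts is None:
            continue  # a malformed request can never authorize anything
        if entry_parts[: len(req_parts)] == req_parts:
            return True
    return False


def check_file_list(requested, file_list, trust_sender=False):
    """Partition a received file list into (accepted, rejected).
    trust_sender=True models a bypass flag like --trust-sender: every
    entry is accepted without validation (assumed semantics)."""
    accepted, rejected = [], []
    for entry in file_list:
        ok = trust_sender or is_allowed_entry(requested, entry)
        (accepted if ok else rejected).append(entry)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: client asked for "docs" and "notes.txt"; the
    # sender replies with two legitimate entries and two escape attempts.
    wanted = ["docs", "notes.txt"]
    received = ["docs/a.txt", "notes.txt", "../.ssh/authorized_keys", "docs/../../x"]
    print(check_file_list(wanted, received))
```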
New version committed in main and the quarterly branch.
I'm unable to build the new version, I think the distinfo has some duplicated lines in it? Running "make makesum" fixes this.

=======================<phase: fetch >============================
===> License GPLv3+ accepted by the user
=> rsync-3.2.5.tar.gz doesn't seem to exist in /portdistfiles/.
=> Attempting to fetch ftp://freebsd.mirrors.es.net/pub/FreeBSD/ports/distfiles/rsync-3.2.5.tar.gz
fetch: ftp://freebsd.mirrors.es.net/pub/FreeBSD/ports/distfiles/rsync-3.2.5.tar.gz: Connection refused
=> Attempting to fetch https://www.mirrorservice.org/sites/rsync.samba.org/src/rsync-3.2.5.tar.gz
rsync-3.2.5.tar.gz                                     1103 kB  419 kBps    03s
=> rsync-patches-3.2.5.tar.gz doesn't seem to exist in /portdistfiles/.
=> Attempting to fetch ftp://freebsd.mirrors.es.net/pub/FreeBSD/ports/distfiles/rsync-patches-3.2.5.tar.gz
fetch: 141521: No such file or directory
fetch: 141521: No such file or directory
[...]
I can confirm this. Unfortunately, even after running "make makesum" Poudriere still can't fetch the source.
(In reply to K J Petrie from comment #11)

The duplicated lines were removed this morning. Did you update your ports tree?

main 1c2e6a5f3eeeae1b80acd25e32ada9685804ec8b
2022Q3 7dc1a00adc354287544d6c98eef74a71a2bb8a7
At 8:41 BST (07:41 UTC). Evidently that was too early. Now built. Thanks.