FreeBSD Bugzilla – Attachment 188988 Details for
Bug 224477
net/rsync: add patches to fix security vulnerabilities
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
patch file
net_rsync.patch (text/plain), 5.69 KB, created by
Yasuhiro Kimura
on 2017-12-20 09:58:22 UTC
(
hide
)
Description:
patch file
Filename:
MIME Type:
Creator:
Yasuhiro Kimura
Created:
2017-12-20 09:58:22 UTC
Size:
5.69 KB
patch
obsolete
>Index: Makefile >=================================================================== >--- Makefile (revision 456770) >+++ Makefile (working copy) >@@ -3,8 +3,8 @@ > > PORTNAME= rsync > PORTVERSION= 3.1.2 >+PORTREVISION= 8 > CATEGORIES= net ipv6 >-PORTREVISION= 7 > MASTER_SITES= http://rsync.samba.org/ftp/rsync/ \ > https://rsync.samba.org/ftp/rsync/ \ > ftp://ftp.fu-berlin.de/pub/unix/network/rsync/ \ >Index: files/patch-CVE-2017-16548 >=================================================================== >--- files/patch-CVE-2017-16548 (nonexistent) >+++ files/patch-CVE-2017-16548 (working copy) >@@ -0,0 +1,31 @@ >+From: Wayne Davison <wayned@samba.org> >+Date: Sun, 5 Nov 2017 11:33:15 -0800 >+Subject: Enforce trailing \0 when receiving xattr name values. Fixes bug >+ 13112. >+Origin: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 >+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13112 >+Bug-Debian: https://bugs.debian.org/880954 >+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16548 >+ >+--- >+ xattrs.c | 4 ++++ >+ 1 file changed, 4 insertions(+) >+ >+diff --git a/xattrs.c b/xattrs.c >+index 68305d75..4867e6f5 100644 >+--- a/xattrs.c >++++ b/xattrs.c >+@@ -824,6 +824,10 @@ void receive_xattr(int f, struct file_struct *file) >+ out_of_memory("receive_xattr"); >+ name = ptr + dget_len + extra_len; >+ read_buf(f, name, name_len); >++ if (name_len < 1 || name[name_len-1] != '\0') { >++ rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n"); >++ exit_cleanup(RERR_FILEIO); >++ } >+ if (dget_len == datum_len) >+ read_buf(f, ptr, dget_len); >+ else { >+-- >+2.15.1 >+ >Index: files/patch-CVE-2017-17433 >=================================================================== >--- files/patch-CVE-2017-17433 (nonexistent) >+++ files/patch-CVE-2017-17433 (working copy) >@@ -0,0 +1,44 @@ >+From: Jeriko One <jeriko.one@gmx.us> >+Date: Thu, 2 Nov 2017 23:44:19 -0700 >+Subject: Check fname in recv_files sooner. >+Origin: https://git.samba.org/?p=rsync.git;a=commit;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51 >+Bug-Debian: https://bugs.debian.org/883667 >+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17433 >+ >+--- >+ receiver.c | 12 ++++++------ >+ 1 file changed, 6 insertions(+), 6 deletions(-) >+ >+diff --git a/receiver.c b/receiver.c >+index baae3a91..9fdafa15 100644 >+--- a/receiver.c >++++ b/receiver.c >+@@ -574,6 +574,12 @@ int recv_files(int f_in, int f_out, char *local_name) >+ file = dir_flist->files[cur_flist->parent_ndx]; >+ fname = local_name ? local_name : f_name(file, fbuf); >+ >++ if (daemon_filter_list.head >++ && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) { >++ rprintf(FERROR, "attempt to hack rsync failed.\n"); >++ exit_cleanup(RERR_PROTOCOL); >++ } >++ >+ if (DEBUG_GTE(RECV, 1)) >+ rprintf(FINFO, "recv_files(%s)\n", fname); >+ >+@@ -645,12 +651,6 @@ int recv_files(int f_in, int f_out, char *local_name) >+ >+ cleanup_got_literal = 0; >+ >+- if (daemon_filter_list.head >+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) { >+- rprintf(FERROR, "attempt to hack rsync failed.\n"); >+- exit_cleanup(RERR_PROTOCOL); >+- } >+- >+ if (read_batch) { >+ int wanted = redoing >+ ? we_want_redo(ndx) >+-- >+2.15.1 >+ >Index: files/patch-CVE-2017-17434-1 >=================================================================== >--- files/patch-CVE-2017-17434-1 (nonexistent) >+++ files/patch-CVE-2017-17434-1 (working copy) >@@ -0,0 +1,38 @@ >+From: Jeriko One <jeriko.one@gmx.us> >+Date: Thu, 16 Nov 2017 17:05:42 -0800 >+Subject: [1/2] Sanitize xname in read_ndx_and_attrs. >+Origin: https://git.samba.org/?p=rsync.git;a=commit;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9 >+Bug-Debian: https://bugs.debian.org/883665 >+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17434 >+ >+--- >+ rsync.c | 6 ++++++ >+ 1 file changed, 6 insertions(+) >+ >+diff --git a/rsync.c b/rsync.c >+index b82e5988..a0945ba4 100644 >+--- a/rsync.c >++++ b/rsync.c >+@@ -49,6 +49,7 @@ extern int flist_eof; >+ extern int file_old_total; >+ extern int keep_dirlinks; >+ extern int make_backups; >++extern int sanitize_paths; >+ extern struct file_list *cur_flist, *first_flist, *dir_flist; >+ extern struct chmod_mode_struct *daemon_chmod_modes; >+ #ifdef ICONV_OPTION >+@@ -396,6 +397,11 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr, >+ if (iflags & ITEM_XNAME_FOLLOWS) { >+ if ((len = read_vstring(f_in, buf, MAXPATHLEN)) < 0) >+ exit_cleanup(RERR_PROTOCOL); >++ >++ if (sanitize_paths) { >++ sanitize_path(buf, buf, "", 0, SP_DEFAULT); >++ len = strlen(buf); >++ } >+ } else { >+ *buf = '\0'; >+ len = -1; >+-- >+2.15.1 >+ >Index: files/patch-CVE-2017-17434-2 >=================================================================== >--- files/patch-CVE-2017-17434-2 (nonexistent) >+++ files/patch-CVE-2017-17434-2 (working copy) >@@ -0,0 +1,27 @@ >+From: Jeriko One <jeriko.one@gmx.us> >+Date: Thu, 16 Nov 2017 17:26:03 -0800 >+Subject: [2/2] Check daemon filter against fnamecmp in recv_files(). >+Origin: https://git.samba.org/?p=rsync.git;a=commit;h=5509597decdbd7b91994210f700329d8a35e70a1 >+Bug-Debian: https://bugs.debian.org/883665 >+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17434 >+ >+--- >+ receiver.c | 2 +- >+ 1 file changed, 1 insertion(+), 1 deletion(-) >+ >+diff --git a/receiver.c b/receiver.c >+index 9fdafa15..9c46242e 100644 >+--- a/receiver.c >++++ b/receiver.c >+@@ -722,7 +722,7 @@ int recv_files(int f_in, int f_out, char *local_name) >+ break; >+ } >+ if (!fnamecmp || (daemon_filter_list.head >+- && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0)) { >++ && check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0)) { >+ fnamecmp = fname; >+ fnamecmp_type = FNAMECMP_FNAME; >+ } >+-- >+2.15.1 >+
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=188988">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 224477
: 188988