Bug 247795

Summary: net/rsync: Update to 3.2.3
Product: Ports & Packages
Reporter: Kubilay Kocak <koobs>
Component: Individual Port(s)
Assignee: Rodrigo Osorio <rodrigo>
Status: Closed FIXED
Severity: Affects Many People
CC: colin, fred, joneum, leres, pi, ports-secteam, trix
Priority: Normal
Keywords: security
Version: Latest
Flags: bugzilla: maintainer-feedback? (rodrigo)
       rodrigo: merge-quarterly+
Hardware: Any
OS: Any
URL: https://download.samba.org/pub/rsync/NEWS#3.2.3

Description Kubilay Kocak freebsd_committer freebsd_triage 2020-07-06 07:30:02 UTC
Note:

3.2.0 includes security updates, relevant if rsync uses the bundled zlib library (and not the system/ports version):

  Various zlib fixes, including security fixes for CVE-2016-9843, CVE-2016-9842, 
  CVE-2016-9841, and CVE-2016-9840.

3.1.3 contains security fixes too:

  Fixed a buffer overrun in the protocol's handling of xattr names and ensure
  that the received name is null terminated.

  Fix an issue with --protect-args where the user could specify the arg in the
  protected-arg list and short-circuit some of the arg-sanitizing code.
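The 3.1.3 xattr item above describes a classic defect: a length-prefixed name received from the peer is copied into a fixed buffer without a bounds check and without a terminating NUL. The block below is an added illustration of the defensive parse for that class of input, written for this page; it is not rsync's code, and the wire layout it assumes (a 4-byte little-endian length followed by the name bytes) and the `XATTR_NAME_MAX` buffer size are constructed for the example.

```c
/* Added illustration (not rsync's code): read a length-prefixed xattr name
 * from an untrusted peer into a fixed buffer, rejecting oversized or
 * truncated input and always NUL-terminating the result.
 * Assumed wire layout (constructed for this example): 4-byte little-endian
 * length, then exactly that many name bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XATTR_NAME_MAX 64   /* receive buffer size chosen for the example */

/* Parse one name from wire[0 .. wire_len). On success copy it into out
 * (capacity out_len, terminator included), NUL-terminate it and return the
 * number of wire bytes consumed. Return -1 for any malformed input. */
long read_xattr_name(const uint8_t *wire, size_t wire_len,
                     char *out, size_t out_len)
{
    if (wire == NULL || out == NULL || out_len == 0)
        return -1;
    if (wire_len < 4)                       /* truncated length prefix */
        return -1;

    uint32_t len = (uint32_t)wire[0]        | ((uint32_t)wire[1] << 8) |
                   ((uint32_t)wire[2] << 16) | ((uint32_t)wire[3] << 24);

    if (len == 0)                           /* an empty name is meaningless */
        return -1;
    if (len >= out_len)                     /* no room left for the NUL */
        return -1;
    if (len > wire_len - 4)                 /* peer claims more bytes than it sent */
        return -1;
    if (memchr(wire + 4, '\0', len) != NULL) /* embedded NUL would truncate the name */
        return -1;

    memcpy(out, wire + 4, len);
    out[len] = '\0';                        /* the termination the fix guarantees */
    return (long)(4 + len);
}

/* Constructed sample messages. */
static const uint8_t sample_ok[]        = { 9, 0, 0, 0, 'u','s','e','r','.','t','e','s','t' };
static const uint8_t sample_truncated[] = { 9, 0, 0, 0, 'u','s','e','r' };
static const uint8_t sample_oversized[] = { 0xff, 0xff, 0xff, 0x7f, 'a' };

/* Well-formed name: parsed, consumed in full and NUL-terminated. */
int check_valid_name(void)
{
    char out[XATTR_NAME_MAX];
    long n = read_xattr_name(sample_ok, sizeof sample_ok, out, sizeof out);
    return n == 13 && strcmp(out, "user.test") == 0;
}

/* Length prefix promises more bytes than the message carries. */
int check_truncated(void)
{
    char out[XATTR_NAME_MAX];
    return read_xattr_name(sample_truncated, sizeof sample_truncated,
                           out, sizeof out) == -1;
}

/* Absurd length that would have overrun the fixed buffer. */
int check_oversized(void)
{
    char out[XATTR_NAME_MAX];
    return read_xattr_name(sample_oversized, sizeof sample_oversized,
                           out, sizeof out) == -1;
}

/* Name of exactly XATTR_NAME_MAX bytes: fits the bytes but not the NUL. */
int check_no_room_for_nul(void)
{
    uint8_t msg[4 + XATTR_NAME_MAX];
    uint32_t n = XATTR_NAME_MAX;
    msg[0] = n & 0xff; msg[1] = (n >> 8) & 0xff;
    msg[2] = (n >> 16) & 0xff; msg[3] = (n >> 24) & 0xff;
    memset(msg + 4, 'a', XATTR_NAME_MAX);
    char out[XATTR_NAME_MAX];
    return read_xattr_name(msg, sizeof msg, out, sizeof out) == -1;
}

int main(void)
{
    printf("valid name      : %s\n", check_valid_name()      ? "accepted" : "FAIL");
    printf("truncated       : %s\n", check_truncated()       ? "rejected" : "FAIL");
    printf("oversized       : %s\n", check_oversized()       ? "rejected" : "FAIL");
    printf("no room for NUL : %s\n", check_no_room_for_nul() ? "rejected" : "FAIL");
    return 0;
}
```

The two checks that matter for the overrun are `len >= out_len` (which reserves the terminator byte) and `len > wire_len - 4` (which stops the copy from reading past the received data); the embedded-NUL check is a further hardening so that the name later passed to the filesystem is the whole name the peer sent rather than a prefix of it.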
Comment 1 Kurt Jaeger freebsd_committer freebsd_triage 2020-07-06 07:35:47 UTC
*** Bug 247796 has been marked as a duplicate of this bug. ***
Comment 2 Rodrigo Osorio freebsd_committer freebsd_triage 2020-07-06 21:33:32 UTC
Hi,

The patch has been in place since the 3.2.0 RC and will be pushed in the next few days.
I just want to wait a couple of days, since the rsync developers are still fixing their 3.2.X releases (3.2.0, 3.2.1, 3.2.2) and a 3.2.3 seems to be on the way.

Regarding the security fixes, they are all from 2016/2017. So there is no reason to rush the update and break rsync.
Comment 3 Rodrigo Osorio freebsd_committer freebsd_triage 2020-07-28 07:03:18 UTC
Done, thanks for the heads up
Comment 4 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-28 08:19:23 UTC
@Rodrigo Can you reference the "ports rXXXXXXX" for the VuXML entry, head commit and MFH (merge), please?
Comment 5 Craig Leres freebsd_committer freebsd_triage 2020-07-28 17:30:06 UTC
With 3.2.2 I find that the build fails if I turn off ICONV:

    checking for library containing MD5_Init... -lcrypto
    checking whether to enable xxhash checksum support... no
    configure.sh: error: Failed to find xxhash.h for xxhash checksum support.
    Use --disable-xxhash to continue without it.

If I add --disable-xxhash it still fails:

    checking whether to enable zstd compression... no
    configure.sh: error: Failed to find zstd.h for zstd compression support.
    Use --disable-zstd to continue without it.

Adding that:

    checking whether to enable LZ4 compression... no
    configure.sh: error: Failed to find lz4.h for lz4 compression support.
    Use --disable-lz4 to continue without it.

And I guess I don't want to disable zstd or lz4 compression so I stopped pulling the thread and enabled ICONV.
Comment 6 Trix Farrar 2020-08-13 14:24:48 UTC
Rsync version has moved on to 3.2.3.  Current fetch URL is https://rsync.samba.org/ftp/rsync/rsync-patches-3.2.3.tar.gz
Comment 7 commit-hook freebsd_committer freebsd_triage 2020-08-16 17:08:48 UTC
A commit references this bug:

Author: rodrigo
Date: Sun Aug 16 17:08:02 UTC 2020
New revision: 545124
URL: https://svnweb.freebsd.org/changeset/ports/545124

Log:
  net/rsync upgrade to 3.2.3

  major changes:
   - Fix multiple bugs in xattr code.
   - Restored the ability to use --bwlimit=0 to specify no bandwidth limit.
   - Fix a bug when combining --delete-missing-args with --no-implied-dirs & -R where rsync might create the destination path of a missing arg.
   - Fixed an issue where hard-linked devices could cause the rdev_major value to get out of sync between the sender and the receiver.
   - Rsync now complains about a missing --temp-dir before starting any file transfers.
   - A completely empty source arg is now a fatal error.

  See full changelog: https://download.samba.org/pub/rsync/NEWS#3.2.3

  Also, fix build issue with ACL option (patch is not required anymore)

  PR:		248318 247795

Changes:
  head/net/rsync/Makefile
  head/net/rsync/distinfo
  head/net/rsync/files/extrapatch-acl
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2020-08-17 04:03:57 UTC
^Triage: Pending VuXML entry and MFH
Comment 9 Rodrigo Osorio freebsd_committer freebsd_triage 2020-08-17 07:48:25 UTC
@koobs: VuXML done in r545126. MFH is ready to land.

Can I do the MFH based on r545124, which fixes the issues introduced by rsync 3.2.2?
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2020-08-17 08:02:18 UTC
(In reply to Rodrigo Osorio from comment #9)

3.2.2 (ports r543580) fixed a CVE & bugs and was tagged to be MFH'd, but it looks like 3.1.3 is still in quarterly (2020Q3).

Since we want to merge 3.2.3, you'll need to merge all the intervening commit revisions too.
Comment 11 Rodrigo Osorio freebsd_committer freebsd_triage 2020-08-17 09:22:47 UTC
(In reply to Kubilay Kocak from comment #10)

@koobs, Yes, that's it. Should I merge each change one by one, or just take r545124, which pulls in the intermediate changes?
Comment 12 Jochen Neumeister freebsd_committer freebsd_triage 2020-08-17 09:52:23 UTC
Approved for 2020Q3

Please use the MFH option in the commit line for the quarterly branch.
Comment 13 Rodrigo Osorio freebsd_committer freebsd_triage 2020-08-17 10:00:47 UTC
(In reply to Jochen Neumeister from comment #12)
@joneum: Thanks, but to be completely sure:
         is '${PORTSDIR}/Tools/scripts/mfh 2020Q3 545124' OK for you?
Comment 14 Jochen Neumeister freebsd_committer freebsd_triage 2020-08-17 10:13:55 UTC
(In reply to Rodrigo Osorio from comment #13)

yes, this is the correct syntax :-)
Comment 15 Kubilay Kocak freebsd_committer freebsd_triage 2020-08-17 10:37:07 UTC
^Triage: Leave merge-quarterly flag open (?) until merged
Comment 16 commit-hook freebsd_committer freebsd_triage 2020-08-20 07:18:32 UTC
A commit references this bug:

Author: rodrigo
Date: Thu Aug 20 07:17:52 UTC 2020
New revision: 545504
URL: https://svnweb.freebsd.org/changeset/ports/545504

Log:
  MFH: r543580 r543582 r543637 r544331 r545124

  net/rsync upgrade to 3.2.2

  Major changes and bugfixes:
   3.1.3 -> 3.2.0
   * Avoid potential out-of-bounds read in daemon mode
   * Fix default list of skip-compress files for non-daemon transfers
   * Fix xattr filter rules losing an 'x' attribute in a non-local transfer
   * zlib fixes for CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, and CVE-2016-9840
   * Fixed a crash in the --iconv code
   * Checksum enhancements, including the addition of xxhash
   * The checksum preference order of the negotiation can be customized or forced
   * Compression enhancements, including the addition of zstd and lz4 compression algorithms
   * Added openssl & preliminary gnutls support to the rsync-ssl script
   * Added the proxy protocol daemon parameter that allows your rsyncd to know the real remote
     IP when it is set up behind a proxy

   3.2.0 -> 3.2.1
   * Fix potential issue with MD5 assembly-language code
   * option --backup-dir=STR now implies --backup

   3.2.1 -> 3.2.2
   * Avoid a crash when a daemon module enables transfer logging without setting a log format value

  Full release message: https://download.samba.org/pub/rsync/NEWS#3.2.2

  Security: CVE-2016-9843 CVE-2016-9842 CVE-2016-9841 CVE-2016-9840
  MFH after: 2 weeks

  rsync: Unbreak fetch

  rsync: Unbreak and fix depends

  rsync now depends on stuff in LOCALBASE. Previously, clang only needed to know
  about LOCALBASE if POPT or ICONV was enabled. When those options are off, xxhash
  and zstd were not found by configure.

  Also, a depend on libssl was missing, and there were some noop reinplaces.

  With hat: portmgr

  - Fix fetch
  - Fix license and add LICENSE_FILE
  - Add missing dependency on liblz4
  - Whitespace fixes
  - Switch to options helpers

  Approved by:	portmgr blanket

  net/rsync upgrade to 3.2.3

  major changes:
   - Fix multiple bugs in xattr code.
   - Restored the ability to use --bwlimit=0 to specify no bandwidth limit.
   - Fix a bug when combining --delete-missing-args with --no-implied-dirs & -R where rsync might create the destination path of a missing arg.
   - Fixed an issue where hard-linked devices could cause the rdev_major value to get out of sync between the sender and the receiver.
   - Rsync now complains about a missing --temp-dir before starting any file transfers.
   - A completely empty source arg is now a fatal error.

  See full changelog: https://download.samba.org/pub/rsync/NEWS#3.2.3

  Also, fix build issue with ACL option (patch is not required anymore)

  PR:		248318 247795

  Approved by:	ports-secteam (joneum)

Changes:
_U  branches/2020Q3/
  branches/2020Q3/net/rsync/Makefile
  branches/2020Q3/net/rsync/distinfo
  branches/2020Q3/net/rsync/files/extrapatch-acl
  branches/2020Q3/net/rsync/files/patch-siginfo
  branches/2020Q3/net/rsync/pkg-plist
Comment 17 Rodrigo Osorio freebsd_committer freebsd_triage 2020-08-20 07:19:49 UTC
MFC committed; we can now close this PR.