public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] rsync: Update to version 3.4.0
Date: Fri, 17 Jan 2025 09:34:00 +0000
Message-ID: <9C99BC9D-4F03-4692-96DA-1BADBD930F60@ipfire.org>
In-Reply-To: <H000007e0085ebb8.1737036355.mail.at4b.com@MHS>

Hello Fred,

Thank you for the heads up. Adolf has provided a patch and it was merged into Core Update 191 which is currently available for testing:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=a32de1bbaec84e18a3284015fda0b0467ca60831

-Michael

> On 16 Jan 2025, at 14:05, Kienker, Fred <fred.kienker(a)at4b.com> wrote:
> 
> There are several very significant regressions in rsync 3.4.0 which are 
> fixed in 3.4.1. Highly recommend pushing the newer version.
> 
> Fred Kienker
> fred.kienker(a)at4b.com
> 770.518.6166
> 
> 
> -----Original Message-----
> From: Michael Tremer <michael.tremer(a)ipfire.org> 
> Sent: Thursday, 16 January, 2025 5:21 AM
> To: Adolf Belka <adolf.belka(a)ipfire.org>
> Cc: development(a)lists.ipfire.org
> Subject: Re: [PATCH] rsync: Update to version 3.4.0
> 
> Thank you for this patch. I have merged this straight away back into 
> c190 and pushed the new package out last night.
> 
>> On 15 Jan 2025, at 13:25, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
>> 
>> - Update from version 3.3.0 to 3.4.0
>> - Update of rootfile not required
>> - Changelog
>>   3.4.0
>> Release 3.4.0 is a security release that fixes a number of important 
>> vulnerabilities. For more details on the vulnerabilities please see 
>> the CERT report https://kb.cert.org/vuls/id/952657
>>    PROTOCOL NUMBER:
>> - The protocol number was changed to 32 to make it easier for  
>> administrators to check their servers have been updated
>>    SECURITY FIXES:
>> Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at 
>> Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for 
>> discovering these vulnerabilities and working with the rsync project 
>> to develop and test fixes.
>> - CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
>> - CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.
>> - CVE-2024-12086 - Server leaks arbitrary client files.
>> - CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
>> - CVE-2024-12088 - --safe-links Bypass.
>> - CVE-2024-12747 - symlink race condition.
>>    BUG FIXES:
>> - Fixed the included popt to avoid a memory error on modern gcc versions.
>> - Fixed an incorrect extern variable's type that caused an ACL issue on macOS.
>> - Fixed IPv6 configure check
>>    INTERNAL:
>> - Updated included popt to version 1.19.
>>    DEVELOPER RELATED:
>> - Various improvements to the release scripts and git setup.
>> - Improved packaging/var-checker to identify variable type issues.
>> - added FreeBSD and Solaris CI builds
>> 
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>> lfs/rsync | 20 ++++++++------------
>> 1 file changed, 8 insertions(+), 12 deletions(-)
>> 
>> diff --git a/lfs/rsync b/lfs/rsync
>> index fcbcd0ab9..a680a9cca 100644
>> --- a/lfs/rsync
>> +++ b/lfs/rsync
>> @@ -1,7 +1,7 @@
>> 
> ########################################################################
> #######
>> #                                                                      
>       #
>> # IPFire.org - A linux based firewall                                  
>       #
>> -# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>             
>        #
>> +# Copyright (C) 2007-2025  IPFire Team  <info(a)ipfire.org>             
>        #
>> #                                                                      
>       #
>> # This program is free software: you can redistribute it and/or modify
>       #
>> # it under the terms of the GNU General Public License as published by
>       #
>> @@ -26,7 +26,7 @@ include Config
>> 
>> SUMMARY    = Versatile tool for fast incremental file transfer
>> 
>> -VER        = 3.3.0
>> +VER        = 3.4.0
>> 
>> THISAPP    = rsync-$(VER)
>> DL_FILE    = $(THISAPP).tar.gz
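
Review bot: `VER = 3.4.0` pins a release that, per Fred Kienker's message in this thread, has several regressions which are fixed in 3.4.1. Since this package was already pushed out with c190, the follow-up should bump `VER` to 3.4.1 together with a new `PAK_VER` and `$(DL_FILE)_BLAKE2` value, so that installed systems pick up the fixed build.
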
>> @@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
>> DIR_APP    = $(DIR_SRC)/$(THISAPP)
>> TARGET     = $(DIR_INFO)/$(THISAPP)
>> PROG       = rsync
>> -PAK_VER    = 19
>> +PAK_VER    = 20
>> 
>> DEPS       =
>> 
>> @@ -48,7 +48,7 @@ objects = $(DL_FILE)
>> 
>> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>> 
>> -$(DL_FILE)_BLAKE2 = 
>> 75a3cc50452086aebd16f42d7a309c173cbc1ea156227afb10d2106d0b9043e9736769
>> 95b8199d22840775ae3df8db97d1c0de5f3aa58afa130c5b1348c3f825
>> +$(DL_FILE)_BLAKE2 = 
>> +ce88fdbc44cbb4522d48b5f8a11ce70b2d4c794612915390a865b478efd05aa1f17a0
>> +a4e1d4e698a968994b5e47ef4df16315c93e87398b848fdcef9e8dc71a1
>> 
>> install : $(TARGET)
>> 
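
Review bot: The new `$(DL_FILE)_BLAKE2` value has no stated provenance. The tarball is fetched from `$(URL_IPFIRE)` (`$(DL_FILE) = $(DL_FROM)/$(DL_FILE)`), so this hash is the only integrity check visible here, and the commit message does not say how the 3.4.0 tarball was checked before the hash was computed. For a security release, add a line to the commit message stating that the tarball was verified against the upstream release signature or an upstream-published checksum.
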
>> @@ -81,18 +81,14 @@ $(subst %,%_BLAKE2,$(objects)) :
>> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> @$(PREBUILD)
>> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
>> -
>> # Replace shebang in rsync-ssl
>> cd $(DIR_APP) && sed -i -e "s@^#!.*@#!/bin/bash@" rsync-ssl
>> -
>> cd $(DIR_APP) && ./configure \
>> - --prefix=/usr \
>> - --without-included-popt \
>> - --without-included-zlib \
>> - --disable-xxhash
>> -
>> + --prefix=/usr \
>> + --without-included-popt \
>> + --without-included-zlib \
>> + --disable-xxhash
>> cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP) && 
>> make install
>> -
>> @rm -rf $(DIR_APP)
>> @$(POSTBUILD)
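
Review bot: The removed and added `./configure` option lines and the dropped blank lines in the `$(TARGET)` recipe are whitespace-only changes (the `-` and `+` option lines read identically here), and the commit message does not mention them. For a security update that is merged straight into a core update, keep the diff to the version, `PAK_VER` and checksum lines and send the reformatting separately, or at least list it in the commit message so a reviewer can confirm the configure options are unchanged.
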
>> --
>> 2.47.1
>> 
> 
> 
> 

