PKG_NAME:=rsync
PKG_VERSION:=3.2.7
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://download.samba.org/pub/$(PKG_NAME)/src
--- /dev/null
+From 0902b52f6687b1f7952422080d50b93108742e53 Mon Sep 17 00:00:00 2001
+Date: Tue, 29 Oct 2024 22:55:29 -0700
+Subject: [PATCH] Some checksum buffer fixes.
+
+- Put sum2_array into sum_struct to hold an array of sum2 checksums
+ that are each xfer_sum_len bytes.
+- Remove sum2 buf from sum_buf.
+- Add macro sum2_at() to access each sum2 array element.
+- Throw an error if a sums header has an s2length larger than
+ xfer_sum_len.
+---
+ io.c | 3 ++-
+ match.c | 8 ++++----
+ rsync.c | 5 ++++-
+ rsync.h | 4 +++-
+ sender.c | 4 +++-
+ 5 files changed, 16 insertions(+), 8 deletions(-)
+
+--- a/io.c
++++ b/io.c
+@@ -55,6 +55,7 @@ extern int read_batch;
+ extern int compat_flags;
+ extern int protect_args;
+ extern int checksum_seed;
++extern int xfer_sum_len;
+ extern int daemon_connection;
+ extern int protocol_version;
+ extern int remove_source_files;
+@@ -1977,7 +1978,7 @@ void read_sum_head(int f, struct sum_str
+ exit_cleanup(RERR_PROTOCOL);
+ }
+ sum->s2length = protocol_version < 27 ? csum_length : (int)read_int(f);
+- if (sum->s2length < 0 || sum->s2length > MAX_DIGEST_LEN) {
++ if (sum->s2length < 0 || sum->s2length > xfer_sum_len) {
+ rprintf(FERROR, "Invalid checksum length %d [%s]\n",
+ sum->s2length, who_am_i());
+ exit_cleanup(RERR_PROTOCOL);
+--- a/match.c
++++ b/match.c
+@@ -232,7 +232,7 @@ static void hash_search(int f,struct sum
+ done_csum2 = 1;
+ }
+
+- if (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) {
++ if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) {
+ false_alarms++;
+ continue;
+ }
+@@ -252,7 +252,7 @@ static void hash_search(int f,struct sum
+ if (i != aligned_i) {
+ if (sum != s->sums[aligned_i].sum1
+ || l != s->sums[aligned_i].len
+- || memcmp(sum2, s->sums[aligned_i].sum2, s->s2length) != 0)
++ || memcmp(sum2, sum2_at(s, aligned_i), s->s2length) != 0)
+ goto check_want_i;
+ i = aligned_i;
+ }
+@@ -271,7 +271,7 @@ static void hash_search(int f,struct sum
+ if (sum != s->sums[i].sum1)
+ goto check_want_i;
+ get_checksum2((char *)map, l, sum2);
+- if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0)
++ if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0)
+ goto check_want_i;
+ /* OK, we have a re-alignment match. Bump the offset
+ * forward to the new match point. */
+@@ -290,7 +290,7 @@ static void hash_search(int f,struct sum
+ && (!updating_basis_file || s->sums[want_i].offset >= offset
+ || s->sums[want_i].flags & SUMFLG_SAME_OFFSET)
+ && sum == s->sums[want_i].sum1
+- && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) {
++ && memcmp(sum2, sum2_at(s, want_i), s->s2length) == 0) {
+ /* we've found an adjacent match - the RLL coder
+ * will be happy */
+ i = want_i;
+--- a/rsync.c
++++ b/rsync.c
+@@ -437,7 +437,10 @@ int read_ndx_and_attrs(int f_in, int f_o
+ */
+ void free_sums(struct sum_struct *s)
+ {
+- if (s->sums) free(s->sums);
++ if (s->sums) {
++ free(s->sums);
++ free(s->sum2_array);
++ }
+ free(s);
+ }
+
+--- a/rsync.h
++++ b/rsync.h
+@@ -958,12 +958,12 @@ struct sum_buf {
+ uint32 sum1; /**< simple checksum */
+ int32 chain; /**< next hash-table collision */
+ short flags; /**< flag bits */
+- char sum2[SUM_LENGTH]; /**< checksum */
+ };
+
+ struct sum_struct {
+ OFF_T flength; /**< total file length */
+ struct sum_buf *sums; /**< points to info for each chunk */
++ char *sum2_array; /**< checksums of length xfer_sum_len */
+ int32 count; /**< how many chunks */
+ int32 blength; /**< block_length */
+ int32 remainder; /**< flength % block_length */
+@@ -982,6 +982,8 @@ struct map_struct {
+ int status; /* first errno from read errors */
+ };
+
++#define sum2_at(s, i) ((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len))
++
+ #define NAME_IS_FILE (0) /* filter name as a file */
+ #define NAME_IS_DIR (1<<0) /* filter name as a dir */
+ #define NAME_IS_XATTR (1<<2) /* filter name as an xattr */
+--- a/sender.c
++++ b/sender.c
+@@ -31,6 +31,7 @@ extern int log_before_transfer;
+ extern int stdout_format_has_i;
+ extern int logfile_format_has_i;
+ extern int want_xattr_optim;
++extern int xfer_sum_len;
+ extern int csum_length;
+ extern int append_mode;
+ extern int copy_links;
+@@ -94,10 +95,11 @@ static struct sum_struct *receive_sums(i
+ return(s);
+
+ s->sums = new_array(struct sum_buf, s->count);
++ s->sum2_array = new_array(char, s->count * xfer_sum_len);
+
+ for (i = 0; i < s->count; i++) {
+ s->sums[i].sum1 = read_int(f);
+- read_buf(f, s->sums[i].sum2, s->s2length);
++ read_buf(f, sum2_at(s, i), s->s2length);
+
+ s->sums[i].offset = offset;
+ s->sums[i].flags = 0;
--- /dev/null
+From 42e2b56c4ede3ab164f9a5c6dae02aa84606a6c1 Mon Sep 17 00:00:00 2001
+Date: Tue, 5 Nov 2024 11:01:03 -0800
+Subject: [PATCH] Another cast when multiplying integers.
+
+---
+ rsync.h | 2 +-
+ sender.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/rsync.h
++++ b/rsync.h
+@@ -982,7 +982,7 @@ struct map_struct {
+ int status; /* first errno from read errors */
+ };
+
+-#define sum2_at(s, i) ((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len))
++#define sum2_at(s, i) ((s)->sum2_array + ((size_t)(i) * xfer_sum_len))
+
+ #define NAME_IS_FILE (0) /* filter name as a file */
+ #define NAME_IS_DIR (1<<0) /* filter name as a dir */
+--- a/sender.c
++++ b/sender.c
+@@ -95,7 +95,7 @@ static struct sum_struct *receive_sums(i
+ return(s);
+
+ s->sums = new_array(struct sum_buf, s->count);
+- s->sum2_array = new_array(char, s->count * xfer_sum_len);
++ s->sum2_array = new_array(char, (size_t)s->count * xfer_sum_len);
+
+ for (i = 0; i < s->count; i++) {
+ s->sums[i].sum1 = read_int(f);
--- /dev/null
+From 589b0691e59f761ccb05ddb8e1124991440db2c7 Mon Sep 17 00:00:00 2001
+Date: Thu, 14 Nov 2024 09:57:08 +1100
+Subject: [PATCH] prevent information leak off the stack
+
+prevent leak of uninitialised stack data in hash_search
+---
+ match.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/match.c
++++ b/match.c
+@@ -147,6 +147,9 @@ static void hash_search(int f,struct sum
+ int more;
+ schar *map;
+
++ // prevent possible memory leaks
++ memset(sum2, 0, sizeof sum2);
++
+ /* want_i is used to encourage adjacent matches, allowing the RLL
+ * coding of the output to work more efficiently. */
+ want_i = 0;
--- /dev/null
+From 8ad4b5d912fad1df29717dddaa775724da77d299 Mon Sep 17 00:00:00 2001
+Date: Sat, 23 Nov 2024 11:08:03 +1100
+Subject: [PATCH] refuse fuzzy options when fuzzy not selected
+
+this prevents a malicious server providing a file to compare to when
+the user has not given the fuzzy option
+---
+ receiver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/receiver.c
++++ b/receiver.c
+@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_L
+ extern struct file_list *cur_flist, *first_flist, *dir_flist;
+ extern filter_rule_list daemon_filter_list;
+ extern OFF_T preallocated_len;
++extern int fuzzy_basis;
+
+ extern struct name_num_item *xfer_sum_nni;
+ extern int xfer_sum_len;
+@@ -716,6 +717,10 @@ int recv_files(int f_in, int f_out, char
+ fnamecmp = get_backup_name(fname);
+ break;
+ case FNAMECMP_FUZZY:
++ if (fuzzy_basis == 0) {
++ rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname);
++ exit_cleanup(RERR_PROTOCOL);
++ }
+ if (file->dirname) {
+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
+ fnamecmp = fnamecmpbuf;
--- /dev/null
+From b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff Mon Sep 17 00:00:00 2001
+Date: Sat, 23 Nov 2024 12:26:10 +1100
+Subject: [PATCH] added secure_relative_open()
+
+this is an open that enforces no symlink following for all path
+components in a relative path
+---
+ syscall.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 74 insertions(+)
+
+--- a/syscall.c
++++ b/syscall.c
+@@ -33,6 +33,8 @@
+ #include <sys/syscall.h>
+ #endif
+
++#include "ifuncs.h"
++
+ extern int dry_run;
+ extern int am_root;
+ extern int am_sender;
+@@ -712,3 +714,75 @@ int do_open_nofollow(const char *pathnam
+
+ return fd;
+ }
++
++/*
++ open a file relative to a base directory. The basedir can be NULL,
++ in which case the current working directory is used. The relpath
++ must be a relative path, and the relpath must not contain any
++ elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
++ applies to all path components, not just the last component)
++*/
++int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
++{
++ if (!relpath || relpath[0] == '/') {
++ // must be a relative path
++ errno = EINVAL;
++ return -1;
++ }
++
++#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
++ // really old system, all we can do is live with the risks
++ if (!basedir) {
++ return open(relpath, flags, mode);
++ }
++ char fullpath[MAXPATHLEN];
++ pathjoin(fullpath, sizeof fullpath, basedir, relpath);
++ return open(fullpath, flags, mode);
++#else
++ int dirfd = AT_FDCWD;
++ if (basedir != NULL) {
++ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY);
++ if (dirfd == -1) {
++ return -1;
++ }
++ }
++ int retfd = -1;
++
++ char *path_copy = my_strdup(relpath, __FILE__, __LINE__);
++ if (!path_copy) {
++ return -1;
++ }
++
++ for (const char *part = strtok(path_copy, "/");
++ part != NULL;
++ part = strtok(NULL, "/"))
++ {
++ int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
++ if (next_fd == -1 && errno == ENOTDIR) {
++ if (strtok(NULL, "/") != NULL) {
++ // this is not the last component of the path
++ errno = ELOOP;
++ goto cleanup;
++ }
++ // this could be the last component of the path, try as a file
++ retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode);
++ goto cleanup;
++ }
++ if (next_fd == -1) {
++ goto cleanup;
++ }
++ if (dirfd != AT_FDCWD) close(dirfd);
++ dirfd = next_fd;
++ }
++
++ // the path must be a directory
++ errno = EINVAL;
++
++cleanup:
++ free(path_copy);
++ if (dirfd != AT_FDCWD) {
++ close(dirfd);
++ }
++ return retfd;
++#endif // O_NOFOLLOW, O_DIRECTORY
++}
--- /dev/null
+From c35e28331f10ba6eba370611abd78bde32d54da7 Mon Sep 17 00:00:00 2001
+Date: Sat, 23 Nov 2024 12:28:13 +1100
+Subject: [PATCH] receiver: use secure_relative_open() for basis file
+
+this prevents attacks where the basis file is manipulated by a
+malicious sender to gain information about files outside the
+destination tree
+---
+ receiver.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+
+--- a/receiver.c
++++ b/receiver.c
+@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char
+ progress_init();
+
+ while (1) {
++ const char *basedir = NULL;
++
+ cleanup_disable();
+
+ /* This call also sets cur_flist. */
+@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char
+ exit_cleanup(RERR_PROTOCOL);
+ }
+ if (file->dirname) {
+- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
+- fnamecmp = fnamecmpbuf;
+- } else
+- fnamecmp = xname;
++ basedir = file->dirname;
++ }
++ fnamecmp = xname;
+ break;
+ default:
+ if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
+ fnamecmp_type -= FNAMECMP_FUZZY + 1;
+ if (file->dirname) {
+- stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
+- basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
+- } else
+- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
++ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
++ basedir = fnamecmpbuf;
++ } else {
++ basedir = basis_dir[fnamecmp_type];
++ }
++ fnamecmp = xname;
+ } else if (fnamecmp_type >= basis_dir_cnt) {
+ rprintf(FERROR,
+ "invalid basis_dir index: %d.\n",
+ fnamecmp_type);
+ exit_cleanup(RERR_PROTOCOL);
+- } else
+- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
+- fnamecmp = fnamecmpbuf;
++ } else {
++ basedir = basis_dir[fnamecmp_type];
++ fnamecmp = fname;
++ }
+ break;
+ }
+ if (!fnamecmp || (daemon_filter_list.head
+@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char
+ }
+
+ /* open the file */
+- fd1 = do_open(fnamecmp, O_RDONLY, 0);
++ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
+
+ if (fd1 == -1 && protocol_version < 29) {
+ if (fnamecmp != fname) {
+@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char
+
+ if (fd1 == -1 && basis_dir[0]) {
+ /* pre-29 allowed only one alternate basis */
+- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
+- basis_dir[0], fname);
+- fnamecmp = fnamecmpbuf;
++ basedir = basis_dir[0];
++ fnamecmp = fname;
+ fnamecmp_type = FNAMECMP_BASIS_DIR_LOW;
+- fd1 = do_open(fnamecmp, O_RDONLY, 0);
++ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
+ }
+ }
+
++ if (basedir) {
++ // for the following code we need the full
++ // path name as a single string
++ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
++ fnamecmp = fnamecmpbuf;
++ }
++
+ one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR;
+ updating_basis_or_equiv = one_inplace
+ || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP));
--- /dev/null
+From 9f86ddc9652247233f32b241a79d5aa4fb9d4afa Mon Sep 17 00:00:00 2001
+Date: Tue, 26 Nov 2024 09:16:31 +1100
+Subject: [PATCH] disallow ../ elements in relpath for secure_relative_open
+
+---
+ syscall.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/syscall.c
++++ b/syscall.c
+@@ -721,6 +721,8 @@ int do_open_nofollow(const char *pathnam
+ must be a relative path, and the relpath must not contain any
+ elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
+ applies to all path components, not just the last component)
++
++ The relpath must also not contain any ../ elements in the path
+ */
+ int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
+ {
+@@ -729,6 +731,11 @@ int secure_relative_open(const char *bas
+ errno = EINVAL;
+ return -1;
+ }
++ if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) {
++ // no ../ elements allowed in the relpath
++ errno = EINVAL;
++ return -1;
++ }
+
+ #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
+ // really old system, all we can do is live with the risks
--- /dev/null
+From 688f5c379a433038bde36897a156d589be373a98 Mon Sep 17 00:00:00 2001
+Date: Thu, 14 Nov 2024 15:46:50 -0800
+Subject: [PATCH] Refuse a duplicate dirlist.
+
+---
+ flist.c | 9 +++++++++
+ rsync.h | 1 +
+ 2 files changed, 10 insertions(+)
+
+--- a/flist.c
++++ b/flist.c
+@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f,
+ init_hard_links();
+ #endif
+
++ if (inc_recurse && dir_ndx >= 0) {
++ struct file_struct *file = dir_flist->files[dir_ndx];
++ if (file->flags & FLAG_GOT_DIR_FLIST) {
++ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
++ exit_cleanup(RERR_PROTOCOL);
++ }
++ file->flags |= FLAG_GOT_DIR_FLIST;
++ }
++
+ flist = flist_new(0, "recv_file_list");
+ flist_expand(flist, FLIST_START_LARGE);
+
+--- a/rsync.h
++++ b/rsync.h
+@@ -84,6 +84,7 @@
+ #define FLAG_DUPLICATE (1<<4) /* sender */
+ #define FLAG_MISSING_DIR (1<<4) /* generator */
+ #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */
++#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
+ #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */
+ #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */
+ #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
--- /dev/null
+From 996af4a79f9afe4d7158ecdd87c78cee382c6b39 Mon Sep 17 00:00:00 2001
+Date: Wed, 15 Jan 2025 15:10:24 +0100
+Subject: [PATCH] Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
+
+fixes commit 688f5c379a43 (Refuse a duplicate dirlist.)
+
+Fixes: https://github.com/RsyncProject/rsync/issues/702
+Fixes: https://github.com/RsyncProject/rsync/issues/697
+---
+ rsync.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/rsync.h
++++ b/rsync.h
+@@ -84,7 +84,6 @@
+ #define FLAG_DUPLICATE (1<<4) /* sender */
+ #define FLAG_MISSING_DIR (1<<4) /* generator */
+ #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */
+-#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
+ #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */
+ #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */
+ #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
+@@ -93,6 +92,7 @@
+ #define FLAG_SKIP_GROUP (1<<10) /* receiver/generator */
+ #define FLAG_TIME_FAILED (1<<11)/* generator */
+ #define FLAG_MOD_NSEC (1<<12) /* sender/receiver/generator */
++#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */
+
+ /* These flags are passed to functions but not stored. */
+
--- /dev/null
+From 344327385fa47fa5bb67a32c237735e6240cfb93 Mon Sep 17 00:00:00 2001
+Date: Tue, 26 Nov 2024 16:12:45 +1100
+Subject: [PATCH] range check dir_ndx before use
+
+---
+ flist.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/flist.c
++++ b/flist.c
+@@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f,
+ #endif
+
+ if (inc_recurse && dir_ndx >= 0) {
++ if (dir_ndx >= dir_flist->used) {
++ rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used);
++ exit_cleanup(RERR_PROTOCOL);
++ }
+ struct file_struct *file = dir_flist->files[dir_ndx];
+ if (file->flags & FLAG_GOT_DIR_FLIST) {
+ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
--- /dev/null
+From 407c71c7ce562137230e8ba19149c81ccc47c387 Mon Sep 17 00:00:00 2001
+Date: Sat, 23 Nov 2024 15:15:53 +1100
+Subject: [PATCH] make --safe-links stricter
+
+when --safe-links is used also reject links where a '../' component is
+included in the destination as other than the leading part of the
+filename
+---
+ testsuite/safe-links.test | 55 ++++++++++++++++++++++++++++++++++++
+ testsuite/unsafe-byname.test | 2 +-
+ util1.c | 26 ++++++++++++++++-
+ 3 files changed, 81 insertions(+), 2 deletions(-)
+ create mode 100644 testsuite/safe-links.test
+
+--- /dev/null
++++ b/testsuite/safe-links.test
+@@ -0,0 +1,55 @@
++#!/bin/sh
++
++. "$suitedir/rsync.fns"
++
++test_symlink() {
++ is_a_link "$1" || test_fail "File $1 is not a symlink"
++}
++
++test_regular() {
++ if [ ! -f "$1" ]; then
++ test_fail "File $1 is not regular file or not exists"
++ fi
++}
++
++test_notexist() {
++ if [ -e "$1" ]; then
++ test_fail "File $1 exists"
++ fi
++ if [ -h "$1" ]; then
++ test_fail "File $1 exists as a symlink"
++ fi
++}
++
++cd "$tmpdir"
++
++mkdir from
++
++mkdir "from/safe"
++mkdir "from/unsafe"
++
++mkdir "from/safe/files"
++mkdir "from/safe/links"
++
++touch "from/safe/files/file1"
++touch "from/safe/files/file2"
++touch "from/unsafe/unsafefile"
++
++ln -s ../files/file1 "from/safe/links/"
++ln -s ../files/file2 "from/safe/links/"
++ln -s ../../unsafe/unsafefile "from/safe/links/"
++ln -s a/a/a/../../../unsafe2 "from/safe/links/"
++
++#echo "LISTING FROM"
++#ls -lR from
++
++echo "rsync with relative path and just -a"
++$RSYNC -avv --safe-links from/safe/ to
++
++#echo "LISTING TO"
++#ls -lR to
++
++test_symlink to/links/file1
++test_symlink to/links/file2
++test_notexist to/links/unsafefile
++test_notexist to/links/unsafe2
+--- a/testsuite/unsafe-byname.test
++++ b/testsuite/unsafe-byname.test
+@@ -40,7 +40,7 @@ test_unsafe ..//../dest from/dir uns
+ test_unsafe .. from/file safe
+ test_unsafe ../.. from/file unsafe
+ test_unsafe ..//.. from//file unsafe
+-test_unsafe dir/.. from safe
++test_unsafe dir/.. from unsafe
+ test_unsafe dir/../.. from unsafe
+ test_unsafe dir/..//.. from unsafe
+
+--- a/util1.c
++++ b/util1.c
+@@ -1318,7 +1318,14 @@ int handle_partial_dir(const char *fname
+ *
+ * "src" is the top source directory currently applicable at the level
+ * of the referenced symlink. This is usually the symlink's full path
+- * (including its name), as referenced from the root of the transfer. */
++ * (including its name), as referenced from the root of the transfer.
++ *
++ * NOTE: this also rejects dest names with a .. component in other
++ * than the first component of the name ie. it rejects names such as
++ * a/b/../x/y. This needs to be done as the leading subpaths 'a' or
++ * 'b' could later be replaced with symlinks such as a link to '.'
++ * resulting in the link being transferred now becoming unsafe
++ */
+ int unsafe_symlink(const char *dest, const char *src)
+ {
+ const char *name, *slash;
+@@ -1328,6 +1335,23 @@ int unsafe_symlink(const char *dest, con
+ if (!dest || !*dest || *dest == '/')
+ return 1;
+
++ // reject destinations with /../ in the name other than at the start of the name
++ const char *dest2 = dest;
++ while (strncmp(dest2, "../", 3) == 0) {
++ dest2 += 3;
++ while (*dest2 == '/') {
++ // allow for ..//..///../foo
++ dest2++;
++ }
++ }
++ if (strstr(dest2, "/../"))
++ return 1;
++
++ // reject if the destination ends in /..
++ const size_t dlen = strlen(dest);
++ if (dlen > 3 && strcmp(&dest[dlen-3], "/..") == 0)
++ return 1;
++
+ /* find out what our safety margin is */
+ for (name = src; (slash = strchr(name, '/')) != 0; name = slash+1) {
+ /* ".." segment starts the count over. "." segment is ignored. */
--- /dev/null
+From 0590b09d9a34ae72741b91ec0708a820650198b0 Mon Sep 17 00:00:00 2001
+Date: Wed, 18 Dec 2024 08:59:42 +1100
+Subject: [PATCH] fixed symlink race condition in sender
+
+when we open a file that we don't expect to be a symlink use
+O_NOFOLLOW to prevent a race condition where an attacker could change
+a file between being a normal file and a symlink
+---
+ checksum.c | 2 +-
+ flist.c | 2 +-
+ generator.c | 4 ++--
+ receiver.c | 2 +-
+ sender.c | 2 +-
+ syscall.c | 20 ++++++++++++++++++++
+ t_unsafe.c | 3 +++
+ tls.c | 3 +++
+ trimslash.c | 2 ++
+ util1.c | 2 +-
+ 10 files changed, 35 insertions(+), 7 deletions(-)
+
+--- a/checksum.c
++++ b/checksum.c
+@@ -405,7 +405,7 @@ void file_checksum(const char *fname, co
+ int32 remainder;
+ int fd;
+
+- fd = do_open(fname, O_RDONLY, 0);
++ fd = do_open_checklinks(fname);
+ if (fd == -1) {
+ memset(sum, 0, file_sum_len);
+ return;
+--- a/flist.c
++++ b/flist.c
+@@ -1390,7 +1390,7 @@ struct file_struct *make_file(const char
+
+ if (copy_devices && am_sender && IS_DEVICE(st.st_mode)) {
+ if (st.st_size == 0) {
+- int fd = do_open(fname, O_RDONLY, 0);
++ int fd = do_open_checklinks(fname);
+ if (fd >= 0) {
+ st.st_size = get_device_size(fd, fname);
+ close(fd);
+--- a/generator.c
++++ b/generator.c
+@@ -1798,7 +1798,7 @@ static void recv_generator(char *fname,
+
+ if (write_devices && IS_DEVICE(sx.st.st_mode) && sx.st.st_size == 0) {
+ /* This early open into fd skips the regular open below. */
+- if ((fd = do_open(fnamecmp, O_RDONLY, 0)) >= 0)
++ if ((fd = do_open_nofollow(fnamecmp, O_RDONLY)) >= 0)
+ real_sx.st.st_size = sx.st.st_size = get_device_size(fd, fnamecmp);
+ }
+
+@@ -1867,7 +1867,7 @@ static void recv_generator(char *fname,
+ }
+
+ /* open the file */
+- if (fd < 0 && (fd = do_open(fnamecmp, O_RDONLY, 0)) < 0) {
++ if (fd < 0 && (fd = do_open_checklinks(fnamecmp)) < 0) {
+ rsyserr(FERROR, errno, "failed to open %s, continuing",
+ full_fname(fnamecmp));
+ pretend_missing:
+--- a/receiver.c
++++ b/receiver.c
+@@ -775,7 +775,7 @@ int recv_files(int f_in, int f_out, char
+ if (fnamecmp != fname) {
+ fnamecmp = fname;
+ fnamecmp_type = FNAMECMP_FNAME;
+- fd1 = do_open(fnamecmp, O_RDONLY, 0);
++ fd1 = do_open_nofollow(fnamecmp, O_RDONLY);
+ }
+
+ if (fd1 == -1 && basis_dir[0]) {
+--- a/sender.c
++++ b/sender.c
+@@ -350,7 +350,7 @@ void send_files(int f_in, int f_out)
+ exit_cleanup(RERR_PROTOCOL);
+ }
+
+- fd = do_open(fname, O_RDONLY, 0);
++ fd = do_open_checklinks(fname);
+ if (fd == -1) {
+ if (errno == ENOENT) {
+ enum logcode c = am_daemon && protocol_version < 28 ? FERROR : FWARNING;
+--- a/syscall.c
++++ b/syscall.c
+@@ -45,6 +45,8 @@ extern int preallocate_files;
+ extern int preserve_perms;
+ extern int preserve_executability;
+ extern int open_noatime;
++extern int copy_links;
++extern int copy_unsafe_links;
+
+ #ifndef S_BLKSIZE
+ # if defined hpux || defined __hpux__ || defined __hpux
+@@ -793,3 +795,21 @@ cleanup:
+ return retfd;
+ #endif // O_NOFOLLOW, O_DIRECTORY
+ }
++
++/*
++ varient of do_open/do_open_nofollow which does do_open() if the
++ copy_links or copy_unsafe_links options are set and does
++ do_open_nofollow() otherwise
++
++ This is used to prevent a race condition where an attacker could be
++ switching a file between being a symlink and being a normal file
++
++ The open is always done with O_RDONLY flags
++ */
++int do_open_checklinks(const char *pathname)
++{
++ if (copy_links || copy_unsafe_links) {
++ return do_open(pathname, O_RDONLY, 0);
++ }
++ return do_open_nofollow(pathname, O_RDONLY);
++}
+--- a/t_unsafe.c
++++ b/t_unsafe.c
+@@ -28,6 +28,9 @@ int am_root = 0;
+ int am_sender = 1;
+ int read_only = 0;
+ int list_only = 0;
++int copy_links = 0;
++int copy_unsafe_links = 0;
++
+ short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG];
+
+ int
+--- a/tls.c
++++ b/tls.c
+@@ -49,6 +49,9 @@ int list_only = 0;
+ int link_times = 0;
+ int link_owner = 0;
+ int nsec_times = 0;
++int safe_symlinks = 0;
++int copy_links = 0;
++int copy_unsafe_links = 0;
+
+ #ifdef SUPPORT_XATTRS
+
+--- a/trimslash.c
++++ b/trimslash.c
+@@ -26,6 +26,8 @@ int am_root = 0;
+ int am_sender = 1;
+ int read_only = 1;
+ int list_only = 0;
++int copy_links = 0;
++int copy_unsafe_links = 0;
+
+ int
+ main(int argc, char **argv)
+--- a/util1.c
++++ b/util1.c
+@@ -365,7 +365,7 @@ int copy_file(const char *source, const
+ int len; /* Number of bytes read into `buf'. */
+ OFF_T prealloc_len = 0, offset = 0;
+
+- if ((ifd = do_open(source, O_RDONLY, 0)) < 0) {
++ if ((ifd = do_open_nofollow(source, O_RDONLY)) < 0) {
+ int save_errno = errno;
+ rsyserr(FERROR_XFER, errno, "open %s", full_fname(source));
+ errno = save_errno;
--- /dev/null
+From 536ae3f4efbcd95bee1f9794bbeceb50ba5f0dba Mon Sep 17 00:00:00 2001
+Date: Tue, 10 Dec 2024 13:34:01 +1100
+Subject: [PATCH] raise protocol version to 32
+
+make it easier to spot unpatched servers
+---
+ rsync.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/rsync.h
++++ b/rsync.h
+@@ -111,7 +111,7 @@
+
+ /* Update this if you make incompatible changes and ALSO update the
+ * SUBPROTOCOL_VERSION if it is not a final (official) release. */
+-#define PROTOCOL_VERSION 31
++#define PROTOCOL_VERSION 32
+
+ /* This is used when working on a new protocol version or for any unofficial
+ * protocol tweaks. It should be a non-zero value for each pre-release repo
--- /dev/null
+From 81ead9e70c7b9ee1bf3d1df09ace7df95934c5b8 Mon Sep 17 00:00:00 2001
+Date: Wed, 15 Jan 2025 15:48:04 +0100
+Subject: [PATCH] Fix use-after-free in generator
+
+full_fname() will free the return value in the next call so we need to
+duplicate it before passing it to rsyserr.
+
+Fixes: https://github.com/RsyncProject/rsync/issues/704
+---
+ generator.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/generator.c
++++ b/generator.c
+@@ -2041,8 +2041,12 @@ int atomic_create(struct file_struct *fi
+
+ if (!skip_atomic) {
+ if (do_rename(tmpname, fname) < 0) {
++ char *full_tmpname = strdup(full_fname(tmpname));
++ if (full_tmpname == NULL)
++ out_of_memory("atomic_create");
+ rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\" failed",
+- full_fname(tmpname), full_fname(fname));
++ full_tmpname, full_fname(fname));
++ free(full_tmpname);
+ do_unlink(tmpname);
+ return 0;
+ }
projects / feed / packages.git / commitdiff