rpms/rsync
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 3.4.1 [release 3.4.1-1mamba;Wed Jan 22 2025]

Browse Source
This commit is contained in:
Silvan Calarco 2025-01-22 22:30:48 +01:00
parent 4ecdc65e51
commit 72e0b03dbe
3 changed files with 8 additions and 415 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
rsync-2.6.9-cve_2007_4091.patch
View File

@ -1,60 +0,0 @@
--- rsync-2.6.9.orig/sender.c 2006-09-20 03:53:32.000000000 +0200
+++ rsync-2.6.9/sender.c 2007-07-25 15:33:05.000000000 +0200
@@ -123,6 +123,7 @@
char fname[MAXPATHLEN];
struct file_struct *file;
unsigned int offset;
+ size_t l = 0;
if (ndx < 0 || ndx >= the_file_list->count)
return;
@@ -133,6 +134,20 @@
file->dir.root, "/", NULL);
} else
offset = 0;
+
+ l = offset + 1;
+ if (file) {
+ if (file->dirname)
+ l += strlen(file->dirname);
+ if (file->basename)
+ l += strlen(file->basename);
+ }
+
+ if (l >= sizeof(fname)) {
+ rprintf(FERROR, "Overlong pathname\n");
+ exit_cleanup(RERR_FILESELECT);
+ }
+
f_name(file, fname + offset);
if (remove_source_files) {
if (do_unlink(fname) == 0) {
@@ -224,6 +239,7 @@
enum logcode log_code = log_before_transfer ? FLOG : FINFO;
int f_xfer = write_batch < 0 ? batch_fd : f_out;
int i, j;
+ size_t l = 0;
if (verbose > 2)
rprintf(FINFO, "send_files starting\n");
@@ -259,6 +275,20 @@
fname[offset++] = '/';
} else
offset = 0;
+
+ l = offset + 1;
+ if (file) {
+ if (file->dirname)
+ l += strlen(file->dirname);
+ if (file->basename)
+ l += strlen(file->basename);
+ }
+
+ if (l >= sizeof(fname)) {
+ rprintf(FERROR, "Overlong pathname\n");
+ exit_cleanup(RERR_FILESELECT);
+ }
+
fname2 = f_name(file, fname + offset);
if (verbose > 2)

340
rsync-2.6.9-munge-symlinks.patch
View File

@ -1,340 +0,0 @@
--- rsync-2.6.9/clientserver.c 2006-10-23 17:36:42.000000000 -0700
+++ ./clientserver.c 2007-11-26 21:32:53.000000000 -0800
@@ -55,6 +55,7 @@ extern struct filter_list_struct server_
char *auth_user;
int read_only = 0;
int module_id = -1;
+int munge_symlinks = 0;
struct chmod_mode_struct *daemon_chmod_modes;
/* Length of lp_path() string when in daemon mode & not chrooted, else 0. */
@@ -524,6 +525,18 @@ static int rsync_module(int f_in, int f_
sanitize_paths = 1;
}
+ if ((munge_symlinks = lp_munge_symlinks(i)) < 0)
+ munge_symlinks = !use_chroot;
+ if (munge_symlinks) {
+ STRUCT_STAT st;
+ if (stat(SYMLINK_PREFIX, &st) == 0 && S_ISDIR(st.st_mode)) {
+ rprintf(FLOG, "Symlink munging is unsupported when a %s directory exists.\n",
+ SYMLINK_PREFIX);
+ io_printf(f_out, "@ERROR: daemon security issue -- contact admin\n", name);
+ exit_cleanup(RERR_UNSUPPORTED);
+ }
+ }
+
if (am_root) {
/* XXXX: You could argue that if the daemon is started
* by a non-root user and they explicitly specify a
--- rsync-2.6.9/flist.c 2006-10-13 18:17:36.000000000 -0700
+++ ./flist.c 2007-11-27 12:56:25.000000000 -0800
@@ -53,6 +53,7 @@ extern int copy_links;
extern int copy_unsafe_links;
extern int protocol_version;
extern int sanitize_paths;
+extern int munge_symlinks;
extern struct stats stats;
extern struct file_list *the_file_list;
@@ -174,6 +175,11 @@ static int readlink_stat(const char *pat
}
return do_stat(path, stp);
}
+ if (munge_symlinks && am_sender && llen > SYMLINK_PREFIX_LEN
+ && strncmp(linkbuf, SYMLINK_PREFIX, SYMLINK_PREFIX_LEN) == 0) {
+ memmove(linkbuf, linkbuf + SYMLINK_PREFIX_LEN,
+ llen - SYMLINK_PREFIX_LEN + 1);
+ }
}
return 0;
#else
@@ -591,6 +597,8 @@ static struct file_struct *receive_file_
linkname_len - 1);
overflow_exit("receive_file_entry");
}
+ if (munge_symlinks)
+ linkname_len += SYMLINK_PREFIX_LEN;
}
else
#endif
@@ -658,10 +666,17 @@ static struct file_struct *receive_file_
#ifdef SUPPORT_LINKS
if (linkname_len) {
file->u.link = bp;
+ if (munge_symlinks) {
+ strlcpy(bp, SYMLINK_PREFIX, linkname_len);
+ bp += SYMLINK_PREFIX_LEN;
+ linkname_len -= SYMLINK_PREFIX_LEN;
+ }
read_sbuf(f, bp, linkname_len - 1);
- if (sanitize_paths)
+ if (sanitize_paths && !munge_symlinks) {
sanitize_path(bp, bp, "", lastdir_depth, NULL);
- bp += linkname_len;
+ bp += strlen(bp) + 1;
+ } else
+ bp += linkname_len;
}
#endif
--- rsync-2.6.9/loadparm.c 2006-10-12 23:49:44.000000000 -0700
+++ ./loadparm.c 2007-11-26 11:46:46.000000000 -0800
@@ -153,6 +153,7 @@ typedef struct
BOOL ignore_errors;
BOOL ignore_nonreadable;
BOOL list;
+ BOOL munge_symlinks;
BOOL read_only;
BOOL strict_modes;
BOOL transfer_logging;
@@ -200,6 +201,7 @@ static service sDefault =
/* ignore_errors; */ False,
/* ignore_nonreadable; */ False,
/* list; */ True,
+ /* munge_symlinks; */ (BOOL)-1,
/* read_only; */ True,
/* strict_modes; */ True,
/* transfer_logging; */ False,
@@ -313,6 +315,7 @@ static struct parm_struct parm_table[] =
{"log format", P_STRING, P_LOCAL, &sDefault.log_format, NULL,0},
{"max connections", P_INTEGER,P_LOCAL, &sDefault.max_connections, NULL,0},
{"max verbosity", P_INTEGER,P_LOCAL, &sDefault.max_verbosity, NULL,0},
+ {"munge symlinks", P_BOOL, P_LOCAL, &sDefault.munge_symlinks, NULL,0},
{"name", P_STRING, P_LOCAL, &sDefault.name, NULL,0},
{"outgoing chmod", P_STRING, P_LOCAL, &sDefault.outgoing_chmod, NULL,0},
{"path", P_PATH, P_LOCAL, &sDefault.path, NULL,0},
@@ -415,6 +418,7 @@ FN_LOCAL_INTEGER(lp_timeout, timeout)
FN_LOCAL_BOOL(lp_ignore_errors, ignore_errors)
FN_LOCAL_BOOL(lp_ignore_nonreadable, ignore_nonreadable)
FN_LOCAL_BOOL(lp_list, list)
+FN_LOCAL_BOOL(lp_munge_symlinks, munge_symlinks)
FN_LOCAL_BOOL(lp_read_only, read_only)
FN_LOCAL_BOOL(lp_strict_modes, strict_modes)
FN_LOCAL_BOOL(lp_transfer_logging, transfer_logging)
--- rsync-2.6.9/proto.h 2006-11-06 20:39:47.000000000 -0800
+++ ./proto.h 2007-11-27 13:15:23.000000000 -0800
@@ -176,6 +176,7 @@ int lp_timeout(int );
BOOL lp_ignore_errors(int );
BOOL lp_ignore_nonreadable(int );
BOOL lp_list(int );
+BOOL lp_munge_symlinks(int );
BOOL lp_read_only(int );
BOOL lp_strict_modes(int );
BOOL lp_transfer_logging(int );
--- rsync-2.6.9/rsync.h 2006-10-23 20:31:30.000000000 -0700
+++ ./rsync.h 2007-11-26 21:34:11.000000000 -0800
@@ -33,6 +33,9 @@
#define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock"
#define URL_PREFIX "rsync://"
+#define SYMLINK_PREFIX "/rsyncd-munged/"
+#define SYMLINK_PREFIX_LEN ((int)sizeof SYMLINK_PREFIX - 1)
+
#define BACKUP_SUFFIX "~"
/* a non-zero CHAR_OFFSET makes the rolling sum stronger, but is
--- rsync-2.6.9/rsyncd.conf.5 2006-11-06 20:39:52.000000000 -0800
+++ ./rsyncd.conf.5 2007-11-27 13:15:23.000000000 -0800
@@ -145,12 +145,15 @@ the advantage of extra protection agains
holes, but it has the disadvantages of requiring super-user privileges,
of not being able to follow symbolic links that are either absolute or outside
of the new root path, and of complicating the preservation of usernames and groups
-(see below)\&. When "use chroot" is false, for security reasons,
-symlinks may only be relative paths pointing to other files within the root
-path, and leading slashes are removed from most absolute paths (options
-such as \fB\-\-backup\-dir\fP, \fB\-\-compare\-dest\fP, etc\&. interpret an absolute path as
-rooted in the module\&'s "path" dir, just as if chroot was specified)\&.
-The default for "use chroot" is true\&.
+(see below)\&. When "use chroot" is false, rsync will: (1) munge symlinks by
+default for security reasons (see "munge symlinks" for a way to turn this
+off, but only if you trust your users), (2) substitute leading slashes in
+absolute paths with the module\&'s path (so that options such as
+\fB\-\-backup\-dir\fP, \fB\-\-compare\-dest\fP, etc\&. interpret an absolute path as
+rooted in the module\&'s "path" dir), and (3) trim "\&.\&." path elements from
+args if rsync believes they would escape the chroot\&.
+The default for "use chroot" is true, and is the safer choice (especially
+if the module is not read-only)\&.
.IP
In order to preserve usernames and groupnames, rsync needs to be able to
use the standard library functions for looking up names and IDs (i\&.e\&.
@@ -181,6 +184,41 @@ access to some of the excluded files ins
do this automatically, but you might as well specify both to be extra
sure)\&.
.IP
+.IP "\fBmunge symlinks\fP"
+The "munge symlinks" option tells rsync to modify
+all incoming symlinks in a way that makes them unusable but recoverable
+(see below)\&. This should help protect your files from user trickery when
+your daemon module is writable\&. The default is disabled when "use chroot"
+is on and enabled when "use chroot" is off\&.
+.IP
+If you disable this option on a daemon that is not read-only, there
+are tricks that a user can play with uploaded symlinks to access
+daemon-excluded items (if your module has any), and, if "use chroot"
+is off, rsync can even be tricked into showing or changing data that
+is outside the module\&'s path (as access-permissions allow)\&.
+.IP
+The way rsync disables the use of symlinks is to prefix each one with
+the string "/rsyncd-munged/"\&. This prevents the links from being used
+as long as that directory does not exist\&. When this option is enabled,
+rsync will refuse to run if that path is a directory or a symlink to
+a directory\&. When using the "munge symlinks" option in a chroot area,
+you should add this path to the exclude setting for the module so that
+the user can\&'t try to create it\&.
+.IP
+Note: rsync makes no attempt to verify that any pre-existing symlinks in
+the hierarchy are as safe as you want them to be\&. If you setup an rsync
+daemon on a new area or locally add symlinks, you can manually protect your
+symlinks from being abused by prefixing "/rsyncd-munged/" to the start of
+every symlink\&'s value\&. There is a perl script in the support directory
+of the source code named "munge-symlinks" that can be used to add or remove
+this prefix from your symlinks\&.
+.IP
+When this option is disabled on a writable module and "use chroot" is off,
+incoming symlinks will be modified to drop a leading slash and to remove "\&.\&."
+path elements that rsync believes will allow a symlink to escape the module\&'s
+hierarchy\&. There are tricky ways to work around this, though, so you had
+better trust your users if you choose this combination of options\&.
+.IP
.IP "\fBmax connections\fP"
The "max connections" option allows you to
specify the maximum number of simultaneous connections you will allow\&.
--- rsync-2.6.9/rsyncd.conf.yo 2006-11-06 20:39:47.000000000 -0800
+++ ./rsyncd.conf.yo 2007-11-27 13:14:07.000000000 -0800
@@ -129,12 +129,15 @@ the advantage of extra protection agains
holes, but it has the disadvantages of requiring super-user privileges,
of not being able to follow symbolic links that are either absolute or outside
of the new root path, and of complicating the preservation of usernames and groups
-(see below). When "use chroot" is false, for security reasons,
-symlinks may only be relative paths pointing to other files within the root
-path, and leading slashes are removed from most absolute paths (options
-such as bf(--backup-dir), bf(--compare-dest), etc. interpret an absolute path as
-rooted in the module's "path" dir, just as if chroot was specified).
-The default for "use chroot" is true.
+(see below). When "use chroot" is false, rsync will: (1) munge symlinks by
+default for security reasons (see "munge symlinks" for a way to turn this
+off, but only if you trust your users), (2) substitute leading slashes in
+absolute paths with the module's path (so that options such as
+bf(--backup-dir), bf(--compare-dest), etc. interpret an absolute path as
+rooted in the module's "path" dir), and (3) trim ".." path elements from
+args if rsync believes they would escape the chroot.
+The default for "use chroot" is true, and is the safer choice (especially
+if the module is not read-only).
In order to preserve usernames and groupnames, rsync needs to be able to
use the standard library functions for looking up names and IDs (i.e.
@@ -158,6 +161,40 @@ access to some of the excluded files ins
do this automatically, but you might as well specify both to be extra
sure).
+dit(bf(munge symlinks)) The "munge symlinks" option tells rsync to modify
+all incoming symlinks in a way that makes them unusable but recoverable
+(see below). This should help protect your files from user trickery when
+your daemon module is writable. The default is disabled when "use chroot"
+is on and enabled when "use chroot" is off.
+
+If you disable this option on a daemon that is not read-only, there
+are tricks that a user can play with uploaded symlinks to access
+daemon-excluded items (if your module has any), and, if "use chroot"
+is off, rsync can even be tricked into showing or changing data that
+is outside the module's path (as access-permissions allow).
+
+The way rsync disables the use of symlinks is to prefix each one with
+the string "/rsyncd-munged/". This prevents the links from being used
+as long as that directory does not exist. When this option is enabled,
+rsync will refuse to run if that path is a directory or a symlink to
+a directory. When using the "munge symlinks" option in a chroot area,
+you should add this path to the exclude setting for the module so that
+the user can't try to create it.
+
+Note: rsync makes no attempt to verify that any pre-existing symlinks in
+the hierarchy are as safe as you want them to be. If you setup an rsync
+daemon on a new area or locally add symlinks, you can manually protect your
+symlinks from being abused by prefixing "/rsyncd-munged/" to the start of
+every symlink's value. There is a perl script in the support directory
+of the source code named "munge-symlinks" that can be used to add or remove
+this prefix from your symlinks.
+
+When this option is disabled on a writable module and "use chroot" is off,
+incoming symlinks will be modified to drop a leading slash and to remove ".."
+path elements that rsync believes will allow a symlink to escape the module's
+hierarchy. There are tricky ways to work around this, though, so you had
+better trust your users if you choose this combination of options.
+
dit(bf(max connections)) The "max connections" option allows you to
specify the maximum number of simultaneous connections you will allow.
Any clients connecting when the maximum has been reached will receive a
--- rsync-2.6.9/support/munge-symlinks 1969-12-31 16:00:00.000000000 -0800
+++ ./support/munge-symlinks 2007-11-26 22:04:26.000000000 -0800
@@ -0,0 +1,60 @@
+#!/usr/bin/perl
+# This script will either prefix all symlink values with the string
+# "/rsyncd-munged/" or remove that prefix.
+
+use strict;
+use Getopt::Long;
+
+my $SYMLINK_PREFIX = '/rsyncd-munged/';
+
+my $munge_opt;
+
+&GetOptions(
+ 'munge' => sub { $munge_opt = 1 },
+ 'unmunge' => sub { $munge_opt = 0 },
+ 'all' => \( my $all_opt ),
+ 'help|h' => \( my $help_opt ),
+) or &usage;
+
+&usage if $help_opt || !defined $munge_opt;
+
+my $munged_re = $all_opt ? qr/^($SYMLINK_PREFIX)+(?=.)/ : qr/^$SYMLINK_PREFIX(?=.)/;
+
+push(@ARGV, '.') unless @ARGV;
+
+open(PIPE, '-|', 'find', @ARGV, '-type', 'l') or die $!;
+
+while (<PIPE>) {
+ chomp;
+ my $lnk = readlink($_) or next;
+ if ($munge_opt) {
+ next if !$all_opt && $lnk =~ /$munged_re/;
+ $lnk =~ s/^/$SYMLINK_PREFIX/;
+ } else {
+ next unless $lnk =~ s/$munged_re//;
+ }
+ if (!unlink($_)) {
+ warn "Unable to unlink symlink: $_ ($!)\n";
+ } elsif (!symlink($lnk, $_)) {
+ warn "Unable to recreate symlink: $_ -> $lnk ($!)\n";
+ } else {
+ print "$_ -> $lnk\n";
+ }
+}
+
+close PIPE;
+exit;
+
+sub usage
+{
+ die <<EOT;
+Usage: munge-symlinks --munge|--unmunge [--all] [DIR|SYMLINK...]
+
+--munge Add the $SYMLINK_PREFIX prefix to symlinks if not already
+ present, or always when combined with --all.
+--unmunge Remove one $SYMLINK_PREFIX prefix from symlinks or all
+ such prefixes with --all.
+
+See the "munge symlinks" option in the rsyncd.conf manpage for more details.
+EOT
+}
--- rsync-2.6.9/testsuite/rsync.fns 2006-05-30 11:26:17.000000000 -0700
+++ ./testsuite/rsync.fns 2007-11-26 11:49:35.000000000 -0800
@@ -231,6 +231,7 @@ build_rsyncd_conf() {
pid file = $pidfile
use chroot = no
+munge symlinks = no
hosts allow = localhost 127.0.0.1 $hostname
log file = $logfile
log format = %i %h [%a] %m (%u) %l %f%L

23
rsync.spec
View File

@ -1,5 +1,5 @@
Name: rsync
Version: 3.3.0
Version: 3.4.1
Release: 1mamba
Summary: An utility that provides fast incremental file transfer
Group: Network/File Transfer
@ -14,8 +14,6 @@ Source3: rsync-rsyncd_conf
Source4: rsyncd-logrotate
Source5: rsyncd.socket
Source6: rsyncd@.service
Patch: %{name}-2.6.9-cve_2007_4091.patch
Patch1: %{name}-2.6.9-munge-symlinks.patch
License: GPL
## AUTOBUILDREQ-BEGIN
BuildRequires: glibc-devel
@ -27,7 +25,6 @@ BuildRequires: libpopt-devel
BuildRequires: libxxhash-devel
BuildRequires: libzstd-devel
## AUTOBUILDREQ-END
BuildRequires: libxxhash-devel
%description
rsync is a file transfer program for Unix systems.
@ -42,18 +39,11 @@ Some features of rsync include:
- can use rsh, ssh or direct sockets as the transport
- supports anonymous rsync which is ideal for mirroring
%debug_package
%prep
%setup -q
#%patch -p1
#%patch1 -p1
%build
%configure
# FIXME: this is because lutimes is a kernel >= 2.6.22 call, this workaround
# should be removed in rsync 3.0
sed -i 's/#define HAVE_LUTIMES 1/#undef HAVE_LUTIMES/g' config.h
%make
@ -65,8 +55,8 @@ sed -i 's/#define HAVE_LUTIMES 1/#undef HAVE_LUTIMES/g' config.h
install -D -m 644 %{S:2} %{buildroot}%{_sysconfdir}/rsync.conf
install -D -m 644 %{S:3} %{buildroot}%{_sysconfdir}/rsyncd.conf
install -D -m 644 %{S:4} %{buildroot}%{_sysconfdir}/logrotate.d/rsyncd
install -D -m0644 %{S:5} %{buildroot}/lib/systemd/system/rsyncd.socket
install -D -m0644 %{S:6} %{buildroot}/lib/systemd/system/rsyncd@.service
install -D -m0644 %{S:5} %{buildroot}%{_unitdir}/rsyncd.socket
install -D -m0644 %{S:6} %{buildroot}%{_unitdir}/rsyncd@.service
%clean
[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
@ -82,15 +72,18 @@ systemctl -q daemon-reload
%config(noreplace) %{_sysconfdir}/logrotate.d/rsyncd
%{_bindir}/rsync
%{_bindir}/rsync-ssl
%{_unitdir}/rsyncd.socket
%{_unitdir}/rsyncd@.service
%{_mandir}/man1/rsync.1*
%{_mandir}/man1/rsync-ssl.1*
%{_mandir}/man5/rsyncd.conf.5*
/lib/systemd/system/rsyncd.socket
/lib/systemd/system/rsyncd@.service
%doc COPYING
#NEWS README TODO
%changelog
* Wed Jan 22 2025 Silvan Calarco <silvan.calarco@mambasoft.it> 3.4.1-1mamba
- update to 3.4.1
* Mon Apr 08 2024 Automatic Build System <autodist@openmamba.org> 3.3.0-1mamba
- automatic version update by autodist