Version in base suite: 3.2.7-1 Version in overlay suite: 3.2.7-1+deb12u1 Base version: rsync_3.2.7-1+deb12u1 Target version: rsync_3.2.7-1+deb12u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rsync/rsync_3.2.7-1+deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rsync/rsync_3.2.7-1+deb12u2.dsc changelog | 11 ++ patches/Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch | 40 ++++++++++ patches/Fix_use-after-free_in_generator.patch | 31 +++++++ patches/series | 3 4 files changed, 85 insertions(+) Unrecognised file line in .dsc: -----BEGIN PGP SIGNATURE-----
diff -Nru rsync-3.2.7/debian/changelog rsync-3.2.7/debian/changelog
--- rsync-3.2.7/debian/changelog 2024-12-18 16:11:25.000000000 +0000
+++ rsync-3.2.7/debian/changelog 2025-01-15 18:47:12.000000000 +0000
@@ -1,3 +1,14 @@
+rsync (3.2.7-1+deb12u2) bookworm-security; urgency=high
+
+ [ Salvatore Bonaccorso ]
+ * Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
+ (Closes: #1093089, #1093052)
+
+ [ Samuel Henrique ]
+ * d/p/Fix_use-after-free_in_generator: New patch to fix UAF
+
+ -- Samuel Henrique Wed, 15 Jan 2025 18:47:12 +0000
+
 rsync (3.2.7-1+deb12u1) bookworm-security; urgency=high

 * Non-maintainer upload by the Security Team.
diff -Nru rsync-3.2.7/debian/patches/Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch rsync-3.2.7/debian/patches/Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch
--- rsync-3.2.7/debian/patches/Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch 1970-01-01 00:00:00.000000000 +0000
+++ rsync-3.2.7/debian/patches/Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch 2025-01-15 18:47:12.000000000 +0000
@@ -0,0 +1,40 @@
+From: Natanael Copa
+Date: Wed, 15 Jan 2025 15:10:24 +0100
+Subject: Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
+Origin: https://github.com/ncopa/rsync/commit/efb85fd8db9e8f74eb3ab91ebf44f6ed35e3da5b
+Bug: https://github.com/RsyncProject/rsync/issues/697
+Bug-Debian: https://bugs.debian.org/1093089
+Bug-Debian: https://bugs.debian.org/1093052
+Bug: https://github.com/RsyncProject/rsync/issues/702
+
+fixes commit 688f5c379a43 (Refuse a duplicate dirlist.)
+
+Fixes: https://github.com/RsyncProject/rsync/issues/702
+Fixes: https://github.com/RsyncProject/rsync/issues/697
+---
+ rsync.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync.h b/rsync.h
+index 9be1297bdd29..479ac4848991 100644
+--- a/rsync.h
++++ b/rsync.h
+@@ -84,7 +84,6 @@
+ #define FLAG_DUPLICATE (1<<4) /* sender */
+ #define FLAG_MISSING_DIR (1<<4) /* generator */
+ #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */
+-#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
+ #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */
+ #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */
+ #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
+@@ -93,6 +92,7 @@
+ #define FLAG_SKIP_GROUP (1<<10) /* receiver/generator */
+ #define FLAG_TIME_FAILED (1<<11)/* generator */
+ #define FLAG_MOD_NSEC (1<<12) /* sender/receiver/generator */
++#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */
+
+ /* These flags are passed to functions but not stored. */
+
+--
+2.47.1
+
diff -Nru rsync-3.2.7/debian/patches/Fix_use-after-free_in_generator.patch rsync-3.2.7/debian/patches/Fix_use-after-free_in_generator.patch
--- rsync-3.2.7/debian/patches/Fix_use-after-free_in_generator.patch 1970-01-01 00:00:00.000000000 +0000
+++ rsync-3.2.7/debian/patches/Fix_use-after-free_in_generator.patch 2025-01-15 18:47:12.000000000 +0000
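Review bot: In the rsync.h patch, the relocated `FLAG_GOT_DIR_FLIST (1<<13)` define carries no comment explaining why it needs a bit of its own, while neighbouring flags still share values on purpose (`FLAG_DUPLICATE`/`FLAG_MISSING_DIR` at `(1<<4)`, `FLAG_HLINK_FIRST`/`FLAG_IMPLIED_DIR` at `(1<<6)`). `FLAG_HLINKED` is annotated "checked on all types", so its bit cannot safely be aliased by any other flag, and the series file ties this collision to a regression from the CVE-2024-12087 fix. I would record that next to the define, e.g. `/* own bit: FLAG_HLINKED (1<<5) is tested on every file type, never alias it */`. The width of the field that stores these flags is not visible in the hunk, so confirm it can hold bit 13.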
@@ -0,0 +1,31 @@
+From f923b19fd85039a2b0e908391074872334646d51 Mon Sep 17 00:00:00 2001
+From: Natanael Copa
+Date: Wed, 15 Jan 2025 15:48:04 +0100
+Subject: [PATCH] Fix use-after-free in generator
+
+full_fname() will free the return value in the next call so we need to
+duplicate it before passing it to rsyserr.
+
+Fixes: https://github.com/RsyncProject/rsync/issues/704
+---
+ generator.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/generator.c b/generator.c
+index 3f13bb95..b56fa569 100644
+--- a/generator.c
++++ b/generator.c
+@@ -2041,8 +2041,12 @@ int atomic_create(struct file_struct *file, char *fname, const char *slnk, const
+
+ if (!skip_atomic) {
+ if (do_rename(tmpname, fname) < 0) {
++ char *full_tmpname = strdup(full_fname(tmpname));
++ if (full_tmpname == NULL)
++ out_of_memory("atomic_create");
+ rsyserr(FERROR_XFER, errno, "rename %s -> \"%s\" failed",
+- full_fname(tmpname), full_fname(fname));
++ full_tmpname, full_fname(fname));
++ free(full_tmpname);
+ do_unlink(tmpname);
+ return 0;
+ }
diff -Nru rsync-3.2.7/debian/patches/series rsync-3.2.7/debian/patches/series
--- rsync-3.2.7/debian/patches/series 2024-12-18 16:11:25.000000000 +0000
+++ rsync-3.2.7/debian/patches/series 2025-01-15 18:47:12.000000000 +0000
@@ -16,3 +16,6 @@
 CVE-2024-12088/0001-make-safe-links-stricter.patch
 CVE-2024-12747/0001-fixed-symlink-race-condition-in-sender.patch
 raise-protocol-version-to-32.patch
+# Regression from CVE-2024-12087 (#1093052)
+Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch
+Fix_use-after-free_in_generator.patch
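Review bot: In the generator.c patch, `errno` is read as an argument of `rsyserr()` only after the added `strdup(full_fname(tmpname))` has run, and neither call is guaranteed to leave `errno` untouched, so the logged reason for the failed rename can be wrong. Capture it directly after `do_rename()` fails with `int rename_errno = errno;` and pass `rename_errno` to `rsyserr()`. The patch description says full_fname() frees its previous return value on the next call, so any other call site that passes two full_fname() results in one argument list would presumably have the same use-after-free; only this one is visible here. atomic_create() starts and ends outside the hunk.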