Version in base suite: 3.4.1+ds1-5

Base version: rsync_3.4.1+ds1-5
Target version: rsync_3.4.1+ds1-5+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/r/rsync/rsync_3.4.1+ds1-5.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/r/rsync/rsync_3.4.1+ds1-5+deb13u1.dsc

 changelog                    |   11 +++++++++++
 patches/CVE-2025-10158.patch |   26 ++++++++++++++++++++++++++
 patches/series               |    1 +
 3 files changed, 38 insertions(+)

diff -Nru rsync-3.4.1+ds1/debian/changelog rsync-3.4.1+ds1/debian/changelog
--- rsync-3.4.1+ds1/debian/changelog	2025-07-26 09:26:07.000000000 +0000
+++ rsync-3.4.1+ds1/debian/changelog	2025-11-28 00:29:04.000000000 +0000
@@ -1,3 +1,14 @@
+rsync (3.4.1+ds1-5+deb13u1) trixie; urgency=medium
+
+  * Team upload.
+  * d/p/CVE-2025-10158.patch: Import upstream patch to fix CVE-2025-10158
+
+    A malicious client acting as the receiver of an rsync file transfer
+    can trigger an out of bounds read of a heap based buffer,
+    via a negative array index.
+
+ -- Matheus Polkorny <mpolkorny@gmail.com>  Thu, 27 Nov 2025 21:29:04 -0300
+
 rsync (3.4.1+ds1-5) unstable; urgency=medium
 
   * Team upload.
diff -Nru rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch
--- rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch	1970-01-01 00:00:00.000000000 +0000
+++ rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch	2025-11-28 00:29:04.000000000 +0000
@@ -0,0 +1,26 @@
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: fixed an invalid access to files array
+
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+
+Many thanks to Calum and Rapid7 for finding and reporting this
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sender.c b/sender.c
+index a4d46c3..b1588b7 100644
+--- a/sender.c
++++ b/sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+ 
+ 		if (ndx - cur_flist->ndx_start >= 0)
+ 			file = cur_flist->files[ndx - cur_flist->ndx_start];
++		else if (cur_flist->parent_ndx < 0)
++			exit_cleanup(RERR_PROTOCOL);
+ 		else
+ 			file = dir_flist->files[cur_flist->parent_ndx];
+ 		if (F_PATHNAME(file)) {
diff -Nru rsync-3.4.1+ds1/debian/patches/series rsync-3.4.1+ds1/debian/patches/series
--- rsync-3.4.1+ds1/debian/patches/series	2025-07-26 09:26:07.000000000 +0000
+++ rsync-3.4.1+ds1/debian/patches/series	2025-11-28 00:29:04.000000000 +0000
@@ -3,3 +3,4 @@
 env_shebang.patch
 fix_rrsync_man_generation.patch
 fix-flaky-hardlinks-test.patch
+CVE-2025-10158.patch