diff options
author | Khem Raj <raj.khem@gmail.com> | 2022-08-14 15:20:32 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-08-16 14:57:58 +0100 |
commit | 61929f05d78553b9759d15f88ba8fda5accafd1b (patch) | |
tree | a52c04bdc247a3392d66dc2a74e9be133036e0e5 /meta/recipes-devtools/rsync | |
parent | 6baf9b07a8571c7b0a0b3f5635873059b92059ed (diff) | |
download | poky-61929f05d78553b9759d15f88ba8fda5accafd1b.tar.gz |
rsync: Upgrade to 3.2.5
Changlog is here [1]
[1] https://download.samba.org/pub/rsync/NEWS#3.2.5
(From OE-Core rev: 937a28a2a83abc3923cf2793eb79b0a1f770cd54)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/rsync')
-rw-r--r-- | meta/recipes-devtools/rsync/files/CVE-2022-29154.patch | 372 | ||||
-rw-r--r-- | meta/recipes-devtools/rsync/rsync_3.2.5.bb (renamed from meta/recipes-devtools/rsync/rsync_3.2.4.bb) | 4 |
2 files changed, 1 insertions, 375 deletions
diff --git a/meta/recipes-devtools/rsync/files/CVE-2022-29154.patch b/meta/recipes-devtools/rsync/files/CVE-2022-29154.patch deleted file mode 100644 index e43b092ea8..0000000000 --- a/meta/recipes-devtools/rsync/files/CVE-2022-29154.patch +++ /dev/null | |||
@@ -1,372 +0,0 @@ | |||
1 | From b7231c7d02cfb65d291af74ff66e7d8c507ee871 Mon Sep 17 00:00:00 2001 | ||
2 | From: Wayne Davison <wayne@opencoder.net> | ||
3 | Date: Sun, 31 Jul 2022 16:55:34 -0700 | ||
4 | Subject: [PATCH] Some extra file-list safety checks. | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/WayneD/rsync/commit/b7231c7d02cfb65d291af74ff66e7d8c507ee871] | ||
7 | CVE: CVE-2022-29154 | ||
8 | Signed-off-by: Khem Raj <raj.khem@gmail.com> | ||
9 | --- | ||
10 | exclude.c | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++- | ||
11 | flist.c | 17 ++++++- | ||
12 | io.c | 4 ++ | ||
13 | main.c | 7 ++- | ||
14 | receiver.c | 11 +++-- | ||
15 | rsync.1.md | 44 ++++++++++++++++-- | ||
16 | 6 files changed, 202 insertions(+), 11 deletions(-) | ||
17 | |||
18 | --- a/exclude.c | ||
19 | +++ b/exclude.c | ||
20 | @@ -27,16 +27,22 @@ extern int am_server; | ||
21 | extern int am_sender; | ||
22 | extern int eol_nulls; | ||
23 | extern int io_error; | ||
24 | +extern int xfer_dirs; | ||
25 | +extern int recurse; | ||
26 | extern int local_server; | ||
27 | extern int prune_empty_dirs; | ||
28 | extern int ignore_perishable; | ||
29 | +extern int old_style_args; | ||
30 | +extern int relative_paths; | ||
31 | extern int delete_mode; | ||
32 | extern int delete_excluded; | ||
33 | extern int cvs_exclude; | ||
34 | extern int sanitize_paths; | ||
35 | extern int protocol_version; | ||
36 | +extern int list_only; | ||
37 | extern int module_id; | ||
38 | |||
39 | +extern char *filesfrom_host; | ||
40 | extern char curr_dir[MAXPATHLEN]; | ||
41 | extern unsigned int curr_dir_len; | ||
42 | extern unsigned int module_dirlen; | ||
43 | @@ -44,8 +50,10 @@ extern unsigned int module_dirlen; | ||
44 | filter_rule_list filter_list = { .debug_type = "" }; | ||
45 | filter_rule_list cvs_filter_list = { .debug_type = " [global CVS]" }; | ||
46 | filter_rule_list daemon_filter_list = { .debug_type = " [daemon]" }; | ||
47 | +filter_rule_list implied_filter_list = { .debug_type = " [implied]" }; | ||
48 | |||
49 | int saw_xattr_filter = 0; | ||
50 | +int trust_sender_filter = 0; | ||
51 | |||
52 | /* Need room enough for ":MODS " prefix plus some room to grow. */ | ||
53 | #define MAX_RULE_PREFIX (16) | ||
54 | @@ -292,6 +300,125 @@ static void add_rule(filter_rule_list *l | ||
55 | } | ||
56 | } | ||
57 | |||
58 | +/* Each arg the client sends to the remote sender turns into an implied include | ||
59 | + * that the receiver uses to validate the file list from the sender. */ | ||
60 | +void add_implied_include(const char *arg) | ||
61 | +{ | ||
62 | + filter_rule *rule; | ||
63 | + int arg_len, saw_wild = 0, backslash_cnt = 0; | ||
64 | + int slash_cnt = 1; /* We know we're adding a leading slash. */ | ||
65 | + const char *cp; | ||
66 | + char *p; | ||
67 | + if (old_style_args || list_only || filesfrom_host != NULL) | ||
68 | + return; | ||
69 | + if (relative_paths) { | ||
70 | + cp = strstr(arg, "/./"); | ||
71 | + if (cp) | ||
72 | + arg = cp+3; | ||
73 | + } else { | ||
74 | + if ((cp = strrchr(arg, '/')) != NULL) | ||
75 | + arg = cp + 1; | ||
76 | + } | ||
77 | + arg_len = strlen(arg); | ||
78 | + if (arg_len) { | ||
79 | + if (strpbrk(arg, "*[?")) { | ||
80 | + /* We need to add room to escape backslashes if wildcard chars are present. */ | ||
81 | + cp = arg; | ||
82 | + while ((cp = strchr(cp, '\\')) != NULL) { | ||
83 | + arg_len++; | ||
84 | + cp++; | ||
85 | + } | ||
86 | + saw_wild = 1; | ||
87 | + } | ||
88 | + arg_len++; /* Leave room for the prefixed slash */ | ||
89 | + rule = new0(filter_rule); | ||
90 | + if (!implied_filter_list.head) | ||
91 | + implied_filter_list.head = implied_filter_list.tail = rule; | ||
92 | + else { | ||
93 | + rule->next = implied_filter_list.head; | ||
94 | + implied_filter_list.head = rule; | ||
95 | + } | ||
96 | + rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0); | ||
97 | + p = rule->pattern = new_array(char, arg_len + 1); | ||
98 | + *p++ = '/'; | ||
99 | + cp = arg; | ||
100 | + while (*cp) { | ||
101 | + switch (*cp) { | ||
102 | + case '\\': | ||
103 | + backslash_cnt++; | ||
104 | + if (saw_wild) | ||
105 | + *p++ = '\\'; | ||
106 | + *p++ = *cp++; | ||
107 | + break; | ||
108 | + case '/': | ||
109 | + if (p[-1] == '/') /* This is safe because of the initial slash. */ | ||
110 | + break; | ||
111 | + if (relative_paths) { | ||
112 | + filter_rule const *ent; | ||
113 | + int found = 0; | ||
114 | + *p = '\0'; | ||
115 | + for (ent = implied_filter_list.head; ent; ent = ent->next) { | ||
116 | + if (ent != rule && strcmp(ent->pattern, rule->pattern) == 0) | ||
117 | + found = 1; | ||
118 | + } | ||
119 | + if (!found) { | ||
120 | + filter_rule *R_rule = new0(filter_rule); | ||
121 | + R_rule->rflags = FILTRULE_INCLUDE + (saw_wild ? FILTRULE_WILD : 0); | ||
122 | + R_rule->pattern = strdup(rule->pattern); | ||
123 | + R_rule->u.slash_cnt = slash_cnt; | ||
124 | + R_rule->next = implied_filter_list.head; | ||
125 | + implied_filter_list.head = R_rule; | ||
126 | + } | ||
127 | + } | ||
128 | + slash_cnt++; | ||
129 | + *p++ = *cp++; | ||
130 | + break; | ||
131 | + default: | ||
132 | + *p++ = *cp++; | ||
133 | + break; | ||
134 | + } | ||
135 | + } | ||
136 | + *p = '\0'; | ||
137 | + rule->u.slash_cnt = slash_cnt; | ||
138 | + arg = (const char *)rule->pattern; | ||
139 | + } | ||
140 | + | ||
141 | + if (recurse || xfer_dirs) { | ||
142 | + /* Now create a rule with an added "/" & "**" or "*" at the end */ | ||
143 | + rule = new0(filter_rule); | ||
144 | + if (recurse) | ||
145 | + rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD | FILTRULE_WILD2; | ||
146 | + else | ||
147 | + rule->rflags = FILTRULE_INCLUDE | FILTRULE_WILD; | ||
148 | + /* A +4 in the len leaves enough room for / * * \0 or / * \0 \0 */ | ||
149 | + if (!saw_wild && backslash_cnt) { | ||
150 | + /* We are appending a wildcard, so now the backslashes need to be escaped. */ | ||
151 | + p = rule->pattern = new_array(char, arg_len + backslash_cnt + 3 + 1); | ||
152 | + cp = arg; | ||
153 | + while (*cp) { | ||
154 | + if (*cp == '\\') | ||
155 | + *p++ = '\\'; | ||
156 | + *p++ = *cp++; | ||
157 | + } | ||
158 | + } else { | ||
159 | + p = rule->pattern = new_array(char, arg_len + 3 + 1); | ||
160 | + if (arg_len) { | ||
161 | + memcpy(p, arg, arg_len); | ||
162 | + p += arg_len; | ||
163 | + } | ||
164 | + } | ||
165 | + if (p[-1] != '/') | ||
166 | + *p++ = '/'; | ||
167 | + *p++ = '*'; | ||
168 | + if (recurse) | ||
169 | + *p++ = '*'; | ||
170 | + *p = '\0'; | ||
171 | + rule->u.slash_cnt = slash_cnt + 1; | ||
172 | + rule->next = implied_filter_list.head; | ||
173 | + implied_filter_list.head = rule; | ||
174 | + } | ||
175 | +} | ||
176 | + | ||
177 | /* This frees any non-inherited items, leaving just inherited items on the list. */ | ||
178 | static void pop_filter_list(filter_rule_list *listp) | ||
179 | { | ||
180 | @@ -718,7 +845,7 @@ static void report_filter_result(enum lo | ||
181 | : name_flags & NAME_IS_DIR ? "directory" | ||
182 | : "file"; | ||
183 | rprintf(code, "[%s] %sing %s %s because of pattern %s%s%s\n", | ||
184 | - w, actions[*w!='s'][!(ent->rflags & FILTRULE_INCLUDE)], | ||
185 | + w, actions[*w=='g'][!(ent->rflags & FILTRULE_INCLUDE)], | ||
186 | t, name, ent->pattern, | ||
187 | ent->rflags & FILTRULE_DIRECTORY ? "/" : "", type); | ||
188 | } | ||
189 | @@ -890,6 +1017,7 @@ static filter_rule *parse_rule_tok(const | ||
190 | } | ||
191 | switch (ch) { | ||
192 | case ':': | ||
193 | + trust_sender_filter = 1; | ||
194 | rule->rflags |= FILTRULE_PERDIR_MERGE | ||
195 | | FILTRULE_FINISH_SETUP; | ||
196 | /* FALL THROUGH */ | ||
197 | --- a/flist.c | ||
198 | +++ b/flist.c | ||
199 | @@ -73,6 +73,7 @@ extern int need_unsorted_flist; | ||
200 | extern int sender_symlink_iconv; | ||
201 | extern int output_needs_newline; | ||
202 | extern int sender_keeps_checksum; | ||
203 | +extern int trust_sender_filter; | ||
204 | extern int unsort_ndx; | ||
205 | extern uid_t our_uid; | ||
206 | extern struct stats stats; | ||
207 | @@ -83,8 +84,7 @@ extern char curr_dir[MAXPATHLEN]; | ||
208 | |||
209 | extern struct chmod_mode_struct *chmod_modes; | ||
210 | |||
211 | -extern filter_rule_list filter_list; | ||
212 | -extern filter_rule_list daemon_filter_list; | ||
213 | +extern filter_rule_list filter_list, implied_filter_list, daemon_filter_list; | ||
214 | |||
215 | #ifdef ICONV_OPTION | ||
216 | extern int filesfrom_convert; | ||
217 | @@ -986,6 +986,19 @@ static struct file_struct *recv_file_ent | ||
218 | exit_cleanup(RERR_UNSUPPORTED); | ||
219 | } | ||
220 | |||
221 | + if (*thisname != '.' || thisname[1] != '\0') { | ||
222 | + int filt_flags = S_ISDIR(mode) ? NAME_IS_DIR : NAME_IS_FILE; | ||
223 | + if (!trust_sender_filter /* a per-dir filter rule means we must trust the sender's filtering */ | ||
224 | + && filter_list.head && check_filter(&filter_list, FINFO, thisname, filt_flags) < 0) { | ||
225 | + rprintf(FERROR, "ERROR: rejecting excluded file-list name: %s\n", thisname); | ||
226 | + exit_cleanup(RERR_PROTOCOL); | ||
227 | + } | ||
228 | + if (implied_filter_list.head && check_filter(&implied_filter_list, FINFO, thisname, filt_flags) <= 0) { | ||
229 | + rprintf(FERROR, "ERROR: rejecting unrequested file-list name: %s\n", thisname); | ||
230 | + exit_cleanup(RERR_PROTOCOL); | ||
231 | + } | ||
232 | + } | ||
233 | + | ||
234 | if (inc_recurse && S_ISDIR(mode)) { | ||
235 | if (one_file_system) { | ||
236 | /* Room to save the dir's device for -x */ | ||
237 | --- a/io.c | ||
238 | +++ b/io.c | ||
239 | @@ -419,6 +419,7 @@ static void forward_filesfrom_data(void) | ||
240 | while (s != eob) { | ||
241 | if (*s++ == '\0') { | ||
242 | ff_xb.len = s - sob - 1; | ||
243 | + add_implied_include(sob); | ||
244 | if (iconvbufs(ic_send, &ff_xb, &iobuf.out, flags) < 0) | ||
245 | exit_cleanup(RERR_PROTOCOL); /* impossible? */ | ||
246 | write_buf(iobuf.out_fd, s-1, 1); /* Send the '\0'. */ | ||
247 | @@ -450,9 +451,12 @@ static void forward_filesfrom_data(void) | ||
248 | char *f = ff_xb.buf + ff_xb.pos; | ||
249 | char *t = ff_xb.buf; | ||
250 | char *eob = f + len; | ||
251 | + char *cur = t; | ||
252 | /* Eliminate any multi-'\0' runs. */ | ||
253 | while (f != eob) { | ||
254 | if (!(*t++ = *f++)) { | ||
255 | + add_implied_include(cur); | ||
256 | + cur = t; | ||
257 | while (f != eob && *f == '\0') | ||
258 | f++; | ||
259 | } | ||
260 | --- a/main.c | ||
261 | +++ b/main.c | ||
262 | @@ -89,6 +89,7 @@ extern int backup_dir_len; | ||
263 | extern int basis_dir_cnt; | ||
264 | extern int default_af_hint; | ||
265 | extern int stdout_format_has_i; | ||
266 | +extern int trust_sender_filter; | ||
267 | extern struct stats stats; | ||
268 | extern char *stdout_format; | ||
269 | extern char *logfile_format; | ||
270 | @@ -104,7 +105,7 @@ extern char curr_dir[MAXPATHLEN]; | ||
271 | extern char backup_dir_buf[MAXPATHLEN]; | ||
272 | extern char *basis_dir[MAX_BASIS_DIRS+1]; | ||
273 | extern struct file_list *first_flist; | ||
274 | -extern filter_rule_list daemon_filter_list; | ||
275 | +extern filter_rule_list daemon_filter_list, implied_filter_list; | ||
276 | |||
277 | uid_t our_uid; | ||
278 | gid_t our_gid; | ||
279 | @@ -635,6 +636,7 @@ static pid_t do_cmd(char *cmd, char *mac | ||
280 | #ifdef ICONV_CONST | ||
281 | setup_iconv(); | ||
282 | #endif | ||
283 | + trust_sender_filter = 1; | ||
284 | } else if (local_server) { | ||
285 | /* If the user didn't request --[no-]whole-file, force | ||
286 | * it on, but only if we're not batch processing. */ | ||
287 | @@ -1500,6 +1502,8 @@ static int start_client(int argc, char * | ||
288 | char *dummy_host; | ||
289 | int dummy_port = rsync_port; | ||
290 | int i; | ||
291 | + if (filesfrom_fd < 0) | ||
292 | + add_implied_include(remote_argv[0]); | ||
293 | /* For remote source, any extra source args must have either | ||
294 | * the same hostname or an empty hostname. */ | ||
295 | for (i = 1; i < remote_argc; i++) { | ||
296 | @@ -1523,6 +1527,7 @@ static int start_client(int argc, char * | ||
297 | if (!rsync_port && !*arg) /* Turn an empty arg into a dot dir. */ | ||
298 | arg = "."; | ||
299 | remote_argv[i] = arg; | ||
300 | + add_implied_include(arg); | ||
301 | } | ||
302 | } | ||
303 | |||
304 | --- a/receiver.c | ||
305 | +++ b/receiver.c | ||
306 | @@ -593,10 +593,13 @@ int recv_files(int f_in, int f_out, char | ||
307 | if (DEBUG_GTE(RECV, 1)) | ||
308 | rprintf(FINFO, "recv_files(%s)\n", fname); | ||
309 | |||
310 | - if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0') | ||
311 | - && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) { | ||
312 | - rprintf(FERROR, "attempt to hack rsync failed.\n"); | ||
313 | - exit_cleanup(RERR_PROTOCOL); | ||
314 | + if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')) { | ||
315 | + int filt_flags = S_ISDIR(file->mode) ? NAME_IS_DIR : NAME_IS_FILE; | ||
316 | + if (check_filter(&daemon_filter_list, FLOG, fname, filt_flags) < 0) { | ||
317 | + rprintf(FERROR, "ERROR: rejecting file transfer request for daemon excluded file: %s\n", | ||
318 | + fname); | ||
319 | + exit_cleanup(RERR_PROTOCOL); | ||
320 | + } | ||
321 | } | ||
322 | |||
323 | #ifdef SUPPORT_XATTRS | ||
324 | --- a/rsync.1.md | ||
325 | +++ b/rsync.1.md | ||
326 | @@ -154,6 +154,33 @@ rsync daemon by leaving off the module n | ||
327 | |||
328 | See the following section for more details. | ||
329 | |||
330 | +## MULTI-HOST SECURITY | ||
331 | + | ||
332 | +Rsync takes steps to ensure that the file requests that are shared in a | ||
333 | +transfer are protected against various security issues. Most of the potential | ||
334 | +problems arise on the receiving side where rsync takes steps to ensure that the | ||
335 | +list of files being transferred remains within the bounds of what was | ||
336 | +requested. | ||
337 | + | ||
338 | +Toward this end, rsync 3.1.2 and later have aborted when a file list contains | ||
339 | +an absolute or relative path that tries to escape out of the top of the | ||
340 | +transfer. Also, beginning with version 3.2.5, rsync does two more safety | ||
341 | +checks of the file list to (1) ensure that no extra source arguments were added | ||
342 | +into the transfer other than those that the client requested and (2) ensure | ||
343 | +that the file list obeys the exclude rules that we sent to the sender. | ||
344 | + | ||
345 | +For those that don't yet have a 3.2.5 client rsync, it is safest to do a copy | ||
346 | +into a dedicated destination directory for the remote files rather than | ||
347 | +requesting the remote content get mixed in with other local content. For | ||
348 | +example, doing an rsync copy into your home directory is potentially unsafe on | ||
349 | +an older rsync if the remote rsync is being controlled by a bad actor: | ||
350 | + | ||
351 | +> rsync -aiv host1:dir1 ~ | ||
352 | + | ||
353 | +A safer command would be: | ||
354 | + | ||
355 | +> rsync -aiv host1:dir1 ~/host1-files | ||
356 | + | ||
357 | ## ADVANCED USAGE | ||
358 | |||
359 | The syntax for requesting multiple files from a remote host is done by | ||
360 | @@ -2323,6 +2350,12 @@ your home directory (remove the '=' for | ||
361 | behavior. The environment is always overridden by manually specified | ||
362 | positive or negative options (the negative is `--no-old-args`). | ||
363 | |||
364 | + Note that this option also disables the extra safety check added in 3.2.5 | ||
365 | + that ensures that a remote sender isn't including extra top-level items in | ||
366 | + the file-list that you didn't request. This side-effect is necessary | ||
367 | + because we can't know for sure what names to expect when the remote shell | ||
368 | + is interpreting the args. | ||
369 | + | ||
370 | This option conflicts with the [`--protect-args`](#opt) option. | ||
371 | |||
372 | 0. `--protect-args`, `-s` | ||
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.4.bb b/meta/recipes-devtools/rsync/rsync_3.2.5.bb index 711e97002d..a1ba5ea44d 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.4.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.5.bb | |||
@@ -14,10 +14,8 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ | |||
14 | file://rsyncd.conf \ | 14 | file://rsyncd.conf \ |
15 | file://makefile-no-rebuild.patch \ | 15 | file://makefile-no-rebuild.patch \ |
16 | file://determism.patch \ | 16 | file://determism.patch \ |
17 | file://CVE-2022-29154.patch \ | ||
18 | " | 17 | " |
19 | 18 | SRC_URI[sha256sum] = "2ac4d21635cdf791867bc377c35ca6dda7f50d919a58be45057fd51600c69aba" | |
20 | SRC_URI[sha256sum] = "6f761838d08052b0b6579cf7f6737d93e47f01f4da04c5d24d3447b7f2a5fad1" | ||
21 | 19 | ||
22 | # -16548 required for v3.1.3pre1. Already in v3.1.3. | 20 | # -16548 required for v3.1.3pre1. Already in v3.1.3. |
23 | CVE_CHECK_IGNORE += " CVE-2017-16548 " | 21 | CVE_CHECK_IGNORE += " CVE-2017-16548 " |