rsync: fix CVE-2025-10158

Fix an out-of-bounds read triggered by a malicious rsync client acting as a receiver. The issue can be exploited with read access to an rsync module. CVE: CVE-2025-10158 (From OE-Core rev: 110933506d7a1177d1a074866d08fe0b0da612d7) Signed-off-by: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech> 2025-12-16 17:11:39 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-12-31 07:49:31 -0800
commit: 997f8de24cef166a3d0877d97fecccef7acc68ec (patch)
tree: 38746c6c08b1d6045fa2f9cea34c266c16a52b41
parent: 85e5f0fa1e4a1fa1549d9544f69ae3afbc747266 (diff)
download: poky-997f8de24cef166a3d0877d97fecccef7acc68ec.tar.gz
2 files changed, 37 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch b/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
new file mode 100644
index 0000000000..a19cc15107
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
@@ -0,0 +1,36 @@
+From 797e17fc4a6f15e3b1756538a9f812b63942686f Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: [PATCH] fixed an invalid access to files array
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+Many thanks to Calum and Rapid7 for finding and reporting this
+CVE: CVE-2025-10158
+Upstream-Status: Backport
+[https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f]
+Signed-off-by: Adarsh Jagadish Kamini<adarsh.jagadish.kamini@est.tech>
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/sender.c b/sender.c
+index 2bbff2fa..5528071e 100644
+--- a/sender.c
+++ b/sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+ 
+                if (ndx - cur_flist->ndx_start >= 0)
+                        file = cur_flist->files[ndx - cur_flist->ndx_start];
+               else if (cur_flist->parent_ndx < 0)
+                       exit_cleanup(RERR_PROTOCOL);
+                else
+                        file = dir_flist->files[cur_flist->parent_ndx];
+                if (F_PATHNAME(file)) {
+-- 
+2.44.1
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index d0796d3c12..14beafb681 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -27,6 +27,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
           file://CVE-2024-12087-0003.patch \
           file://CVE-2024-12088.patch \
           file://CVE-2024-12747.patch \
+           file://CVE-2025-10158.patch \
           "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
author	Adarsh Jagadish Kamini <adarsh.jagadish.kamini@est.tech>	2025-12-16 17:11:39 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-12-31 07:49:31 -0800
commit	997f8de24cef166a3d0877d97fecccef7acc68ec (patch)
tree	38746c6c08b1d6045fa2f9cea34c266c16a52b41
parent	85e5f0fa1e4a1fa1549d9544f69ae3afbc747266 (diff)
download	poky-997f8de24cef166a3d0877d97fecccef7acc68ec.tar.gz

diff --git a/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch b/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch new file mode 100644 index 0000000000..a19cc15107 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
@@ -0,0 +1,36 @@
		1	From 797e17fc4a6f15e3b1756538a9f812b63942686f Mon Sep 17 00:00:00 2001
		2	From: Andrew Tridgell <andrew@tridgell.net>
		3	Date: Sat, 23 Aug 2025 17:26:53 +1000
		4	Subject: [PATCH] fixed an invalid access to files array
		5
		6
		7	this was found by Calum Hutton from Rapid7. It is a real bug, but
		8	analysis shows it can't be leverged into an exploit. Worth fixing
		9	though.
		10
		11	Many thanks to Calum and Rapid7 for finding and reporting this
		12
		13	CVE: CVE-2025-10158
		14	Upstream-Status: Backport
		15	[https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f]
		16	Signed-off-by: Adarsh Jagadish Kamini<adarsh.jagadish.kamini@est.tech>
		17	---
		18	sender.c \| 2 ++
		19	1 file changed, 2 insertions(+)
		20
		21	diff --git a/sender.c b/sender.c
		22	index 2bbff2fa..5528071e 100644
		23	--- a/sender.c
		24	+++ b/sender.c
		25	@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
		26
		27	if (ndx - cur_flist->ndx_start >= 0)
		28	file = cur_flist->files[ndx - cur_flist->ndx_start];
		29	+ else if (cur_flist->parent_ndx < 0)
		30	+ exit_cleanup(RERR_PROTOCOL);
		31	else
		32	file = dir_flist->files[cur_flist->parent_ndx];
		33	if (F_PATHNAME(file)) {
		34	--
		35	2.44.1
		36


diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index d0796d3c12..14beafb681 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -27,6 +27,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
27	file://CVE-2024-12087-0003.patch \	27	file://CVE-2024-12087-0003.patch \
28	file://CVE-2024-12088.patch \	28	file://CVE-2024-12088.patch \
29	file://CVE-2024-12747.patch \	29	file://CVE-2024-12747.patch \
		30	file://CVE-2025-10158.patch \
30	"	31	"
31	SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"	32	SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
32		33