diff options
| author | Archana Polampalli <archana.polampalli@windriver.com> | 2025-01-16 15:15:07 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2025-01-25 06:20:37 -0800 |
| commit | 61587111989252119cce4c1c26503e986f9efd7a (patch) | |
| tree | 9f9012054a1dc4351e25d03922b9f2b179248109 /meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch | |
| parent | dfbd3aac89fe9344d752ff8e77f0afe25bcd6866 (diff) | |
| download | poky-61587111989252119cce4c1c26503e986f9efd7a.tar.gz | |
rsync: fix CVE-2024-12087
A path traversal vulnerability exists in rsync. It stems from behavior enabled
by the `--inc-recursive` option, a default-enabled option for many client options
and can be enabled by the server even if not explicitly enabled by the client.
When using the `--inc-recursive` option, a lack of proper symlink verification
coupled with deduplication checks occurring on a per-file-list basis could allow
a server to write files outside of the client's intended destination directory.
A malicious server could write malicious files to arbitrary locations named after
valid directories/paths on the client.
(From OE-Core rev: c34cbef572e18c60bb7600fda370d6c46688c7b3)
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch')
| -rw-r--r-- | meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch new file mode 100644 index 0000000000..8a22e0c371 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch | |||
| @@ -0,0 +1,31 @@ | |||
| 1 | From 344327385fa47fa5bb67a32c237735e6240cfb93 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Andrew Tridgell <andrew@tridgell.net> | ||
| 3 | Date: Tue, 26 Nov 2024 16:12:45 +1100 | ||
| 4 | Subject: [PATCH] range check dir_ndx before use | ||
| 5 | |||
| 6 | CVE: CVE-2024-12087 | ||
| 7 | |||
| 8 | Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=344327385fa47fa5bb67a32c237735e6240cfb93] | ||
| 9 | |||
| 10 | Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> | ||
| 11 | --- | ||
| 12 | flist.c | 4 ++++ | ||
| 13 | 1 file changed, 4 insertions(+) | ||
| 14 | |||
| 15 | diff --git a/flist.c b/flist.c | ||
| 16 | index 847b1054..087f9da6 100644 | ||
| 17 | --- a/flist.c | ||
| 18 | +++ b/flist.c | ||
| 19 | @@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f, int dir_ndx) | ||
| 20 | #endif | ||
| 21 | |||
| 22 | if (inc_recurse && dir_ndx >= 0) { | ||
| 23 | + if (dir_ndx >= dir_flist->used) { | ||
| 24 | + rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used); | ||
| 25 | + exit_cleanup(RERR_PROTOCOL); | ||
| 26 | + } | ||
| 27 | struct file_struct *file = dir_flist->files[dir_ndx]; | ||
| 28 | if (file->flags & FLAG_GOT_DIR_FLIST) { | ||
| 29 | rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx); | ||
| 30 | -- | ||
| 31 | 2.40.0 | ||