rsync: fix CVE-2024-12087

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client. (From OE-Core rev: c34cbef572e18c60bb7600fda370d6c46688c7b3) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2025-01-16 15:15:07 +0000
committer: Steve Sakoman <steve@sakoman.com> 2025-01-25 06:20:37 -0800
commit: 61587111989252119cce4c1c26503e986f9efd7a (patch)
tree: 9f9012054a1dc4351e25d03922b9f2b179248109 /meta/recipes-devtools
parent: dfbd3aac89fe9344d752ff8e77f0afe25bcd6866 (diff)
download: poky-61587111989252119cce4c1c26503e986f9efd7a.tar.gz
4 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch
new file mode 100644
index 0000000000..67abc64a62
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch
@@ -0,0 +1,49 @@
+From 688f5c379a433038bde36897a156d589be373a98 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Thu, 14 Nov 2024 15:46:50 -0800
+Subject: [PATCH] Refuse a duplicate dirlist.
+CVE: CVE-2024-12087
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=688f5c379a433038bde36897a156d589be373a98]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ flist.c | 9 +++++++++
+ rsync.h | 1 +
+ 2 files changed, 10 insertions(+)
+diff --git a/flist.c b/flist.c
+index 464d556e..847b1054 100644
+--- a/flist.c
+++ b/flist.c
+@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f, int dir_ndx)
+                init_hard_links();
+ #endif
+       if (inc_recurse && dir_ndx >= 0) {
+               struct file_struct *file = dir_flist->files[dir_ndx];
+               if (file->flags & FLAG_GOT_DIR_FLIST) {
+                       rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
+                       exit_cleanup(RERR_PROTOCOL);
+               }
+               file->flags |= FLAG_GOT_DIR_FLIST;
+       }
+
+        flist = flist_new(0, "recv_file_list");
+        flist_expand(flist, FLIST_START_LARGE);
+diff --git a/rsync.h b/rsync.h
+index 0f9e277f..b9a7101a 100644
+--- a/rsync.h
+++ b/rsync.h
+@@ -84,6 +84,7 @@
+ #define FLAG_DUPLICATE (1<<4)  /* sender */
+ #define FLAG_MISSING_DIR (1<<4)        /* generator */
+ #define FLAG_HLINKED (1<<5)    /* receiver/generator (checked on all types) */
+#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
+ #define FLAG_HLINK_FIRST (1<<6)        /* receiver/generator (w/FLAG_HLINKED) */
+ #define FLAG_IMPLIED_DIR (1<<6)        /* sender/receiver/generator (dirs only) */
+ #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
+--
+2.40.0
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch
new file mode 100644
index 0000000000..8a22e0c371
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch
@@ -0,0 +1,31 @@
+From 344327385fa47fa5bb67a32c237735e6240cfb93 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Tue, 26 Nov 2024 16:12:45 +1100
+Subject: [PATCH] range check dir_ndx before use
+CVE: CVE-2024-12087
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=344327385fa47fa5bb67a32c237735e6240cfb93]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ flist.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/flist.c b/flist.c
+index 847b1054..087f9da6 100644
+--- a/flist.c
+++ b/flist.c
+@@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f, int dir_ndx)
+ #endif
+        if (inc_recurse && dir_ndx >= 0) {
+               if (dir_ndx >= dir_flist->used) {
+                       rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used);
+                       exit_cleanup(RERR_PROTOCOL);
+               }
+                struct file_struct *file = dir_flist->files[dir_ndx];
+                if (file->flags & FLAG_GOT_DIR_FLIST) {
+                        rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
+--
+2.40.0
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch
new file mode 100644
index 0000000000..0ece69c4e7
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch
@@ -0,0 +1,40 @@
+From 996af4a79f9afe4d7158ecdd87c78cee382c6b39 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Wed, 15 Jan 2025 15:10:24 +0100
+Subject: [PATCH] Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
+fixes commit 688f5c379a43 (Refuse a duplicate dirlist.)
+Fixes: https://github.com/RsyncProject/rsync/issues/702
+Fixes: https://github.com/RsyncProject/rsync/issues/697
+CVE: CVE-2024-12087
+Upstream-Status: Backport [https://github.com/RsyncProject/rsync/commit/996af4a79f9afe4d7158ecdd87c78cee382c6b39]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ rsync.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/rsync.h b/rsync.h
+index 9be1297b..479ac484 100644
+--- a/rsync.h
+++ b/rsync.h
+@@ -84,7 +84,6 @@
+ #define FLAG_DUPLICATE (1<<4)  /* sender */
+ #define FLAG_MISSING_DIR (1<<4)        /* generator */
+ #define FLAG_HLINKED (1<<5)    /* receiver/generator (checked on all types) */
+-#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
+ #define FLAG_HLINK_FIRST (1<<6)        /* receiver/generator (w/FLAG_HLINKED) */
+ #define FLAG_IMPLIED_DIR (1<<6)        /* sender/receiver/generator (dirs only) */
+ #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
+@@ -93,6 +92,7 @@
+ #define FLAG_SKIP_GROUP (1<<10)        /* receiver/generator */
+ #define FLAG_TIME_FAILED (1<<11)/* generator */
+ #define FLAG_MOD_NSEC (1<<12)  /* sender/receiver/generator */
+#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */
+ /* These flags are passed to functions but not stored. */
+--
+2.40.0
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 0bde73aad2..d6942dc595 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -22,6 +22,9 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
           file://CVE-2024-12086-0002.patch \
           file://CVE-2024-12086-0003.patch \
           file://CVE-2024-12086-0004.patch \
+           file://CVE-2024-12087-0001.patch \
+           file://CVE-2024-12087-0002.patch \
+           file://CVE-2024-12087-0003.patch \
           "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
author	Archana Polampalli <archana.polampalli@windriver.com>	2025-01-16 15:15:07 +0000
committer	Steve Sakoman <steve@sakoman.com>	2025-01-25 06:20:37 -0800
commit	61587111989252119cce4c1c26503e986f9efd7a (patch)
tree	9f9012054a1dc4351e25d03922b9f2b179248109 /meta/recipes-devtools
parent	dfbd3aac89fe9344d752ff8e77f0afe25bcd6866 (diff)
download	poky-61587111989252119cce4c1c26503e986f9efd7a.tar.gz

diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch new file mode 100644 index 0000000000..67abc64a62 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch
@@ -0,0 +1,49 @@
		1	From 688f5c379a433038bde36897a156d589be373a98 Mon Sep 17 00:00:00 2001
		2	From: Wayne Davison <wayne@opencoder.net>
		3	Date: Thu, 14 Nov 2024 15:46:50 -0800
		4	Subject: [PATCH] Refuse a duplicate dirlist.
		5
		6	CVE: CVE-2024-12087
		7
		8	Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=688f5c379a433038bde36897a156d589be373a98]
		9
		10	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		11	---
		12	flist.c \| 9 +++++++++
		13	rsync.h \| 1 +
		14	2 files changed, 10 insertions(+)
		15
		16	diff --git a/flist.c b/flist.c
		17	index 464d556e..847b1054 100644
		18	--- a/flist.c
		19	+++ b/flist.c
		20	@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f, int dir_ndx)
		21	init_hard_links();
		22	#endif
		23
		24	+ if (inc_recurse && dir_ndx >= 0) {
		25	+ struct file_struct *file = dir_flist->files[dir_ndx];
		26	+ if (file->flags & FLAG_GOT_DIR_FLIST) {
		27	+ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
		28	+ exit_cleanup(RERR_PROTOCOL);
		29	+ }
		30	+ file->flags \|= FLAG_GOT_DIR_FLIST;
		31	+ }
		32	+
		33	flist = flist_new(0, "recv_file_list");
		34	flist_expand(flist, FLIST_START_LARGE);
		35
		36	diff --git a/rsync.h b/rsync.h
		37	index 0f9e277f..b9a7101a 100644
		38	--- a/rsync.h
		39	+++ b/rsync.h
		40	@@ -84,6 +84,7 @@
		41	#define FLAG_DUPLICATE (1<<4) /* sender */
		42	#define FLAG_MISSING_DIR (1<<4) /* generator */
		43	#define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */
		44	+#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
		45	#define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */
		46	#define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */
		47	#define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
		48	--
		49	2.40.0


diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch new file mode 100644 index 0000000000..8a22e0c371 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch
@@ -0,0 +1,31 @@
		1	From 344327385fa47fa5bb67a32c237735e6240cfb93 Mon Sep 17 00:00:00 2001
		2	From: Andrew Tridgell <andrew@tridgell.net>
		3	Date: Tue, 26 Nov 2024 16:12:45 +1100
		4	Subject: [PATCH] range check dir_ndx before use
		5
		6	CVE: CVE-2024-12087
		7
		8	Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=344327385fa47fa5bb67a32c237735e6240cfb93]
		9
		10	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		11	---
		12	flist.c \| 4 ++++
		13	1 file changed, 4 insertions(+)
		14
		15	diff --git a/flist.c b/flist.c
		16	index 847b1054..087f9da6 100644
		17	--- a/flist.c
		18	+++ b/flist.c
		19	@@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f, int dir_ndx)
		20	#endif
		21
		22	if (inc_recurse && dir_ndx >= 0) {
		23	+ if (dir_ndx >= dir_flist->used) {
		24	+ rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used);
		25	+ exit_cleanup(RERR_PROTOCOL);
		26	+ }
		27	struct file_struct *file = dir_flist->files[dir_ndx];
		28	if (file->flags & FLAG_GOT_DIR_FLIST) {
		29	rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
		30	--
		31	2.40.0


diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch new file mode 100644 index 0000000000..0ece69c4e7 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch
@@ -0,0 +1,40 @@
		1	From 996af4a79f9afe4d7158ecdd87c78cee382c6b39 Mon Sep 17 00:00:00 2001
		2	From: Natanael Copa <ncopa@alpinelinux.org>
		3	Date: Wed, 15 Jan 2025 15:10:24 +0100
		4	Subject: [PATCH] Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
		5
		6	fixes commit 688f5c379a43 (Refuse a duplicate dirlist.)
		7
		8	Fixes: https://github.com/RsyncProject/rsync/issues/702
		9	Fixes: https://github.com/RsyncProject/rsync/issues/697
		10	CVE: CVE-2024-12087
		11
		12	Upstream-Status: Backport [https://github.com/RsyncProject/rsync/commit/996af4a79f9afe4d7158ecdd87c78cee382c6b39]
		13
		14	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		15	---
		16	rsync.h \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/rsync.h b/rsync.h
		20	index 9be1297b..479ac484 100644
		21	--- a/rsync.h
		22	+++ b/rsync.h
		23	@@ -84,7 +84,6 @@
		24	#define FLAG_DUPLICATE (1<<4) /* sender */
		25	#define FLAG_MISSING_DIR (1<<4) /* generator */
		26	#define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */
		27	-#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
		28	#define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */
		29	#define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */
		30	#define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
		31	@@ -93,6 +92,7 @@
		32	#define FLAG_SKIP_GROUP (1<<10) /* receiver/generator */
		33	#define FLAG_TIME_FAILED (1<<11)/* generator */
		34	#define FLAG_MOD_NSEC (1<<12) /* sender/receiver/generator */
		35	+#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */
		36
		37	/* These flags are passed to functions but not stored. */
		38
		39	--
		40	2.40.0


diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 0bde73aad2..d6942dc595 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -22,6 +22,9 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
22	file://CVE-2024-12086-0002.patch \	22	file://CVE-2024-12086-0002.patch \
23	file://CVE-2024-12086-0003.patch \	23	file://CVE-2024-12086-0003.patch \
24	file://CVE-2024-12086-0004.patch \	24	file://CVE-2024-12086-0004.patch \
		25	file://CVE-2024-12087-0001.patch \
		26	file://CVE-2024-12087-0002.patch \
		27	file://CVE-2024-12087-0003.patch \
25	"	28	"
26	SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"	29	SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
27		30