rsync: fix CVE-2024-12088

A flaw was found in rsync. When using the `--safe-links` option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory. (From OE-Core rev: dad4a83c011310872cce07fc4141e66a98439cb1) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2025-01-16 15:15:08 +0000
committer: Steve Sakoman <steve@sakoman.com> 2025-01-25 06:20:37 -0800
commit: 78e33c0f8b9e1160d23d95fe0fa006ca59d72217 (patch)
tree: 89fb6595338504f17c6e282a72f89e713f9fdbd9 /meta/recipes-devtools
parent: 61587111989252119cce4c1c26503e986f9efd7a (diff)
download: poky-78e33c0f8b9e1160d23d95fe0fa006ca59d72217.tar.gz
2 files changed, 142 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12088.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12088.patch
new file mode 100644
index 0000000000..b2a3a86e1a
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2024-12088.patch
@@ -0,0 +1,141 @@
+From 407c71c7ce562137230e8ba19149c81ccc47c387 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Nov 2024 15:15:53 +1100
+Subject: [PATCH] make --safe-links stricter
+when --safe-links is used also reject links where a '../' component is
+included in the destination as other than the leading part of the
+filename
+CVE: CVE-2024-12088
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=407c71c7ce562137230e8ba19149c81ccc47c387]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ testsuite/safe-links.test    | 55 ++++++++++++++++++++++++++++++++++++
+ testsuite/unsafe-byname.test |  2 +-
+ util1.c                      | 26 ++++++++++++++++-
+ 3 files changed, 81 insertions(+), 2 deletions(-)
+ create mode 100644 testsuite/safe-links.test
+diff --git a/testsuite/safe-links.test b/testsuite/safe-links.test
+new file mode 100644
+index 00000000..6e95a4b9
+--- /dev/null
+++ b/testsuite/safe-links.test
+@@ -0,0 +1,55 @@
+#!/bin/sh
+
+. "$suitedir/rsync.fns"
+
+test_symlink() {
+       is_a_link "$1" || test_fail "File $1 is not a symlink"
+}
+
+test_regular() {
+       if [ ! -f "$1" ]; then
+               test_fail "File $1 is not regular file or not exists"
+       fi
+}
+
+test_notexist() {
+        if [ -e "$1" ]; then
+                test_fail "File $1 exists"
+       fi
+        if [ -h "$1" ]; then
+                test_fail "File $1 exists as a symlink"
+       fi
+}
+
+cd "$tmpdir"
+
+mkdir from
+
+mkdir "from/safe"
+mkdir "from/unsafe"
+
+mkdir "from/safe/files"
+mkdir "from/safe/links"
+
+touch "from/safe/files/file1"
+touch "from/safe/files/file2"
+touch "from/unsafe/unsafefile"
+
+ln -s ../files/file1 "from/safe/links/"
+ln -s ../files/file2 "from/safe/links/"
+ln -s ../../unsafe/unsafefile "from/safe/links/"
+ln -s a/a/a/../../../unsafe2 "from/safe/links/"
+
+#echo "LISTING FROM"
+#ls -lR from
+
+echo "rsync with relative path and just -a"
+$RSYNC -avv --safe-links from/safe/ to
+
+#echo "LISTING TO"
+#ls -lR to
+
+test_symlink to/links/file1
+test_symlink to/links/file2
+test_notexist to/links/unsafefile
+test_notexist to/links/unsafe2
+diff --git a/testsuite/unsafe-byname.test b/testsuite/unsafe-byname.test
+index 75e72014..d2e318ef 100644
+--- a/testsuite/unsafe-byname.test
+++ b/testsuite/unsafe-byname.test
+@@ -40,7 +40,7 @@ test_unsafe ..//../dest               from/dir                        unsafe
+ test_unsafe ..                         from/file                       safe
+ test_unsafe ../..                      from/file                       unsafe
+ test_unsafe ..//..                     from//file                      unsafe
+-test_unsafe dir/..                     from                            safe
+test_unsafe dir/..                     from                            unsafe
+ test_unsafe dir/../..                  from                            unsafe
+ test_unsafe dir/..//..                 from                            unsafe
+diff --git a/util1.c b/util1.c
+index da50ff1e..f260d398 100644
+--- a/util1.c
+++ b/util1.c
+@@ -1318,7 +1318,14 @@ int handle_partial_dir(const char *fname, int create)
+  *
+  * "src" is the top source directory currently applicable at the level
+  * of the referenced symlink.  This is usually the symlink's full path
+- * (including its name), as referenced from the root of the transfer. */
+ * (including its name), as referenced from the root of the transfer.
+ *
+ * NOTE: this also rejects dest names with a .. component in other
+ * than the first component of the name ie. it rejects names such as
+ * a/b/../x/y. This needs to be done as the leading subpaths 'a' or
+ * 'b' could later be replaced with symlinks such as a link to '.'
+ * resulting in the link being transferred now becoming unsafe
+ */
+ int unsafe_symlink(const char *dest, const char *src)
+ {
+        const char *name, *slash;
+@@ -1328,6 +1335,23 @@ int unsafe_symlink(const char *dest, const char *src)
+        if (!dest || !*dest || *dest == '/')
+                return 1;
+       // reject destinations with /../ in the name other than at the start of the name
+       const char *dest2 = dest;
+       while (strncmp(dest2, "../", 3) == 0) {
+           dest2 += 3;
+           while (*dest2 == '/') {
+               // allow for ..//..///../foo
+               dest2++;
+           }
+       }
+       if (strstr(dest2, "/../"))
+           return 1;
+
+       // reject if the destination ends in /..
+       const size_t dlen = strlen(dest);
+       if (dlen > 3 && strcmp(&dest[dlen-3], "/..") == 0)
+           return 1;
+
+        /* find out what our safety margin is */
+        for (name = src; (slash = strchr(name, '/')) != 0; name = slash+1) {
+                /* ".." segment starts the count over.  "." segment is ignored. */
+--
+2.40.0
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index d6942dc595..169650fe91 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
           file://CVE-2024-12087-0001.patch \
           file://CVE-2024-12087-0002.patch \
           file://CVE-2024-12087-0003.patch \
+           file://CVE-2024-12088.patch \
           "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
author	Archana Polampalli <archana.polampalli@windriver.com>	2025-01-16 15:15:08 +0000
committer	Steve Sakoman <steve@sakoman.com>	2025-01-25 06:20:37 -0800
commit	78e33c0f8b9e1160d23d95fe0fa006ca59d72217 (patch)
tree	89fb6595338504f17c6e282a72f89e713f9fdbd9 /meta/recipes-devtools
parent	61587111989252119cce4c1c26503e986f9efd7a (diff)
download	poky-78e33c0f8b9e1160d23d95fe0fa006ca59d72217.tar.gz

diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12088.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12088.patch new file mode 100644 index 0000000000..b2a3a86e1a --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12088.patch
@@ -0,0 +1,141 @@
		1	From 407c71c7ce562137230e8ba19149c81ccc47c387 Mon Sep 17 00:00:00 2001
		2	From: Andrew Tridgell <andrew@tridgell.net>
		3	Date: Sat, 23 Nov 2024 15:15:53 +1100
		4	Subject: [PATCH] make --safe-links stricter
		5
		6	when --safe-links is used also reject links where a '../' component is
		7	included in the destination as other than the leading part of the
		8	filename
		9
		10	CVE: CVE-2024-12088
		11
		12	Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=407c71c7ce562137230e8ba19149c81ccc47c387]
		13
		14	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		15	---
		16	testsuite/safe-links.test \| 55 ++++++++++++++++++++++++++++++++++++
		17	testsuite/unsafe-byname.test \| 2 +-
		18	util1.c \| 26 ++++++++++++++++-
		19	3 files changed, 81 insertions(+), 2 deletions(-)
		20	create mode 100644 testsuite/safe-links.test
		21
		22	diff --git a/testsuite/safe-links.test b/testsuite/safe-links.test
		23	new file mode 100644
		24	index 00000000..6e95a4b9
		25	--- /dev/null
		26	+++ b/testsuite/safe-links.test
		27	@@ -0,0 +1,55 @@
		28	+#!/bin/sh
		29	+
		30	+. "$suitedir/rsync.fns"
		31	+
		32	+test_symlink() {
		33	+ is_a_link "$1" \|\| test_fail "File $1 is not a symlink"
		34	+}
		35	+
		36	+test_regular() {
		37	+ if [ ! -f "$1" ]; then
		38	+ test_fail "File $1 is not regular file or not exists"
		39	+ fi
		40	+}
		41	+
		42	+test_notexist() {
		43	+ if [ -e "$1" ]; then
		44	+ test_fail "File $1 exists"
		45	+ fi
		46	+ if [ -h "$1" ]; then
		47	+ test_fail "File $1 exists as a symlink"
		48	+ fi
		49	+}
		50	+
		51	+cd "$tmpdir"
		52	+
		53	+mkdir from
		54	+
		55	+mkdir "from/safe"
		56	+mkdir "from/unsafe"
		57	+
		58	+mkdir "from/safe/files"
		59	+mkdir "from/safe/links"
		60	+
		61	+touch "from/safe/files/file1"
		62	+touch "from/safe/files/file2"
		63	+touch "from/unsafe/unsafefile"
		64	+
		65	+ln -s ../files/file1 "from/safe/links/"
		66	+ln -s ../files/file2 "from/safe/links/"
		67	+ln -s ../../unsafe/unsafefile "from/safe/links/"
		68	+ln -s a/a/a/../../../unsafe2 "from/safe/links/"
		69	+
		70	+#echo "LISTING FROM"
		71	+#ls -lR from
		72	+
		73	+echo "rsync with relative path and just -a"
		74	+$RSYNC -avv --safe-links from/safe/ to
		75	+
		76	+#echo "LISTING TO"
		77	+#ls -lR to
		78	+
		79	+test_symlink to/links/file1
		80	+test_symlink to/links/file2
		81	+test_notexist to/links/unsafefile
		82	+test_notexist to/links/unsafe2
		83	diff --git a/testsuite/unsafe-byname.test b/testsuite/unsafe-byname.test
		84	index 75e72014..d2e318ef 100644
		85	--- a/testsuite/unsafe-byname.test
		86	+++ b/testsuite/unsafe-byname.test
		87	@@ -40,7 +40,7 @@ test_unsafe ..//../dest from/dir unsafe
		88	test_unsafe .. from/file safe
		89	test_unsafe ../.. from/file unsafe
		90	test_unsafe ..//.. from//file unsafe
		91	-test_unsafe dir/.. from safe
		92	+test_unsafe dir/.. from unsafe
		93	test_unsafe dir/../.. from unsafe
		94	test_unsafe dir/..//.. from unsafe
		95
		96	diff --git a/util1.c b/util1.c
		97	index da50ff1e..f260d398 100644
		98	--- a/util1.c
		99	+++ b/util1.c
		100	@@ -1318,7 +1318,14 @@ int handle_partial_dir(const char *fname, int create)
		101	*
		102	* "src" is the top source directory currently applicable at the level
		103	* of the referenced symlink. This is usually the symlink's full path
		104	- * (including its name), as referenced from the root of the transfer. */
		105	+ * (including its name), as referenced from the root of the transfer.
		106	+ *
		107	+ * NOTE: this also rejects dest names with a .. component in other
		108	+ * than the first component of the name ie. it rejects names such as
		109	+ * a/b/../x/y. This needs to be done as the leading subpaths 'a' or
		110	+ * 'b' could later be replaced with symlinks such as a link to '.'
		111	+ * resulting in the link being transferred now becoming unsafe
		112	+ */
		113	int unsafe_symlink(const char dest, const char src)
		114	{
		115	const char name, slash;
		116	@@ -1328,6 +1335,23 @@ int unsafe_symlink(const char dest, const char src)
		117	if (!dest \|\| !dest \|\| dest == '/')
		118	return 1;
		119
		120	+ // reject destinations with /../ in the name other than at the start of the name
		121	+ const char *dest2 = dest;
		122	+ while (strncmp(dest2, "../", 3) == 0) {
		123	+ dest2 += 3;
		124	+ while (*dest2 == '/') {
		125	+ // allow for ..//..///../foo
		126	+ dest2++;
		127	+ }
		128	+ }
		129	+ if (strstr(dest2, "/../"))
		130	+ return 1;
		131	+
		132	+ // reject if the destination ends in /..
		133	+ const size_t dlen = strlen(dest);
		134	+ if (dlen > 3 && strcmp(&dest[dlen-3], "/..") == 0)
		135	+ return 1;
		136	+
		137	/* find out what our safety margin is */
		138	for (name = src; (slash = strchr(name, '/')) != 0; name = slash+1) {
		139	/* ".." segment starts the count over. "." segment is ignored. */
		140	--
		141	2.40.0


diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index d6942dc595..169650fe91 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -25,6 +25,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
25	file://CVE-2024-12087-0001.patch \	25	file://CVE-2024-12087-0001.patch \
26	file://CVE-2024-12087-0002.patch \	26	file://CVE-2024-12087-0002.patch \
27	file://CVE-2024-12087-0003.patch \	27	file://CVE-2024-12087-0003.patch \
		28	file://CVE-2024-12088.patch \
28	"	29	"
29	SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"	30	SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
30		31