5 files changed, 303 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch
new file mode 100644
index 0000000000..958a25a37b
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch
@@ -0,0 +1,42 @@
+From 8ad4b5d912fad1df29717dddaa775724da77d299 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Nov 2024 11:08:03 +1100
+Subject: [PATCH] refuse fuzzy options when fuzzy not selected
+this prevents a malicious server providing a file to compare to when
+the user has not given the fuzzy option
+CVE: CVE-2024-12086
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=8ad4b5d912fad1df29717dddaa775724da77d299]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ receiver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/receiver.c b/receiver.c
+index 6b4b369e..2d7f6033 100644
+--- a/receiver.c
+++ b/receiver.c
+@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_LEN];
+ extern struct file_list *cur_flist, *first_flist, *dir_flist;
+ extern filter_rule_list daemon_filter_list;
+ extern OFF_T preallocated_len;
+extern int fuzzy_basis;
+ extern struct name_num_item *xfer_sum_nni;
+ extern int xfer_sum_len;
+@@ -716,6 +717,10 @@ int recv_files(int f_in, int f_out, char *local_name)
+                                fnamecmp = get_backup_name(fname);
+                                break;
+                        case FNAMECMP_FUZZY:
+                               if (fuzzy_basis == 0) {
+                                       rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname);
+                                       exit_cleanup(RERR_PROTOCOL);
+                               }
+                                if (file->dirname) {
+                                        pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
+                                        fnamecmp = fnamecmpbuf;
+--
+2.40.0
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch
new file mode 100644
index 0000000000..5d25f12dd8
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch
@@ -0,0 +1,108 @@
+From b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Nov 2024 12:26:10 +1100
+Subject: [PATCH] added secure_relative_open()
+this is an open that enforces no symlink following for all path
+components in a relative path
+CVE: CVE-2024-12086
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ syscall.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 74 insertions(+)
+diff --git a/syscall.c b/syscall.c
+index b4b0f1f1..cffc814b 100644
+--- a/syscall.c
+++ b/syscall.c
+@@ -33,6 +33,8 @@
+ #include <sys/syscall.h>
+ #endif
+#include "ifuncs.h"
+
+ extern int dry_run;
+ extern int am_root;
+ extern int am_sender;
+@@ -707,3 +709,75 @@ int do_open_nofollow(const char *pathname, int flags)
+        return fd;
+ }
+
+/*
+  open a file relative to a base directory. The basedir can be NULL,
+  in which case the current working directory is used. The relpath
+  must be a relative path, and the relpath must not contain any
+  elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
+  applies to all path components, not just the last component)
+*/
+int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
+{
+       if (!relpath || relpath[0] == '/') {
+               // must be a relative path
+               errno = EINVAL;
+               return -1;
+       }
+
+#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
+       // really old system, all we can do is live with the risks
+       if (!basedir) {
+               return open(relpath, flags, mode);
+       }
+       char fullpath[MAXPATHLEN];
+       pathjoin(fullpath, sizeof fullpath, basedir, relpath);
+       return open(fullpath, flags, mode);
+#else
+       int dirfd = AT_FDCWD;
+       if (basedir != NULL) {
+               dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY);
+               if (dirfd == -1) {
+                       return -1;
+               }
+       }
+       int retfd = -1;
+
+       char *path_copy = my_strdup(relpath, __FILE__, __LINE__);
+       if (!path_copy) {
+               return -1;
+       }
+
+       for (const char *part = strtok(path_copy, "/");
+            part != NULL;
+            part = strtok(NULL, "/"))
+       {
+               int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
+               if (next_fd == -1 && errno == ENOTDIR) {
+                       if (strtok(NULL, "/") != NULL) {
+                               // this is not the last component of the path
+                               errno = ELOOP;
+                               goto cleanup;
+                       }
+                       // this could be the last component of the path, try as a file
+                       retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode);
+                       goto cleanup;
+               }
+               if (next_fd == -1) {
+                       goto cleanup;
+               }
+               if (dirfd != AT_FDCWD) close(dirfd);
+               dirfd = next_fd;
+       }
+
+       // the path must be a directory
+       errno = EINVAL;
+
+cleanup:
+       free(path_copy);
+       if (dirfd != AT_FDCWD) {
+               close(dirfd);
+       }
+       return retfd;
+#endif // O_NOFOLLOW, O_DIRECTORY
+}
+--
+2.40.0
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch
new file mode 100644
index 0000000000..de1747adf2
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch
@@ -0,0 +1,108 @@
+From c35e28331f10ba6eba370611abd78bde32d54da7 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Nov 2024 12:28:13 +1100
+Subject: [PATCH] receiver: use secure_relative_open() for basis file
+this prevents attacks where the basis file is manipulated by a
+malicious sender to gain information about files outside the
+destination tree
+CVE: CVE-2024-12086
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c35e28331f10ba6eba370611abd78bde32d54da7]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ receiver.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+diff --git a/receiver.c b/receiver.c
+index 2d7f6033..8031b8f4 100644
+--- a/receiver.c
+++ b/receiver.c
+@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name)
+        progress_init();
+        while (1) {
+               const char *basedir = NULL;
+
+                cleanup_disable();
+                /* This call also sets cur_flist. */
+@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char *local_name)
+                                        exit_cleanup(RERR_PROTOCOL);
+                                }
+                                if (file->dirname) {
+-                                       pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
+-                                       fnamecmp = fnamecmpbuf;
+-                               } else
+-                                       fnamecmp = xname;
+                                       basedir = file->dirname;
+                               }
+                               fnamecmp = xname;
+                                break;
+                        default:
+                                if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
+                                        fnamecmp_type -= FNAMECMP_FUZZY + 1;
+                                        if (file->dirname) {
+-                                               stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
+-                                                          basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
+-                                       } else
+-                                               pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
+                                               pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
+                                               basedir = fnamecmpbuf;
+                                       } else {
+                                               basedir = basis_dir[fnamecmp_type];
+                                       }
+                                       fnamecmp = xname;
+                                } else if (fnamecmp_type >= basis_dir_cnt) {
+                                        rprintf(FERROR,
+                                                "invalid basis_dir index: %d.\n",
+                                                fnamecmp_type);
+                                        exit_cleanup(RERR_PROTOCOL);
+-                               } else
+-                                       pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
+-                               fnamecmp = fnamecmpbuf;
+                               } else {
+                                       basedir = basis_dir[fnamecmp_type];
+                                       fnamecmp = fname;
+                               }
+                                break;
+                        }
+                        if (!fnamecmp || (daemon_filter_list.head
+@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name)
+                }
+                /* open the file */
+-               fd1 = do_open(fnamecmp, O_RDONLY, 0);
+               fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
+                if (fd1 == -1 && protocol_version < 29) {
+                        if (fnamecmp != fname) {
+@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name)
+                        if (fd1 == -1 && basis_dir[0]) {
+                                /* pre-29 allowed only one alternate basis */
+-                               pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
+-                                        basis_dir[0], fname);
+-                               fnamecmp = fnamecmpbuf;
+                               basedir = basis_dir[0];
+                               fnamecmp = fname;
+                                fnamecmp_type = FNAMECMP_BASIS_DIR_LOW;
+-                               fd1 = do_open(fnamecmp, O_RDONLY, 0);
+                               fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
+                        }
+                }
+               if (basedir) {
+                       // for the following code we need the full
+                       // path name as a single string
+                       pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
+                       fnamecmp = fnamecmpbuf;
+               }
+
+                one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR;
+                updating_basis_or_equiv = one_inplace
+                    || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP));
+--
+2.40.0
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch
new file mode 100644
index 0000000000..b85e1dfae4
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch
@@ -0,0 +1,41 @@
+From 9f86ddc9652247233f32b241a79d5aa4fb9d4afa Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Tue, 26 Nov 2024 09:16:31 +1100
+Subject: [PATCH] disallow ../ elements in relpath for secure_relative_open
+CVE: CVE-2024-12086
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=9f86ddc9652247233f32b241a79d5aa4fb9d4afa]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ syscall.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/syscall.c b/syscall.c
+index cffc814b..081357bb 100644
+--- a/syscall.c
+++ b/syscall.c
+@@ -716,6 +716,8 @@ int do_open_nofollow(const char *pathname, int flags)
+   must be a relative path, and the relpath must not contain any
+   elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
+   applies to all path components, not just the last component)
+
+  The relpath must also not contain any ../ elements in the path
+ */
+ int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
+ {
+@@ -724,6 +726,11 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
+                errno = EINVAL;
+                return -1;
+        }
+       if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) {
+               // no ../ elements allowed in the relpath
+               errno = EINVAL;
+               return -1;
+       }
+ #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
+        // really old system, all we can do is live with the risks
+--
+2.40.0
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 0d9c68a915..0bde73aad2 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,6 +18,10 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
           file://CVE-2024-12084-0001.patch \
           file://CVE-2024-12084-0002.patch \
           file://CVE-2024-12085.patch \
+           file://CVE-2024-12086-0001.patch \
+           file://CVE-2024-12086-0002.patch \
+           file://CVE-2024-12086-0003.patch \
+           file://CVE-2024-12086-0004.patch \
           "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"

diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch new file mode 100644 index 0000000000..958a25a37b --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch
@@ -0,0 +1,42 @@
		1	From 8ad4b5d912fad1df29717dddaa775724da77d299 Mon Sep 17 00:00:00 2001
		2	From: Andrew Tridgell <andrew@tridgell.net>
		3	Date: Sat, 23 Nov 2024 11:08:03 +1100
		4	Subject: [PATCH] refuse fuzzy options when fuzzy not selected
		5
		6	this prevents a malicious server providing a file to compare to when
		7	the user has not given the fuzzy option
		8
		9	CVE: CVE-2024-12086
		10
		11	Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=8ad4b5d912fad1df29717dddaa775724da77d299]
		12
		13	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		14	---
		15	receiver.c \| 5 +++++
		16	1 file changed, 5 insertions(+)
		17
		18	diff --git a/receiver.c b/receiver.c
		19	index 6b4b369e..2d7f6033 100644
		20	--- a/receiver.c
		21	+++ b/receiver.c
		22	@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_LEN];
		23	extern struct file_list cur_flist, first_flist, *dir_flist;
		24	extern filter_rule_list daemon_filter_list;
		25	extern OFF_T preallocated_len;
		26	+extern int fuzzy_basis;
		27
		28	extern struct name_num_item *xfer_sum_nni;
		29	extern int xfer_sum_len;
		30	@@ -716,6 +717,10 @@ int recv_files(int f_in, int f_out, char *local_name)
		31	fnamecmp = get_backup_name(fname);
		32	break;
		33	case FNAMECMP_FUZZY:
		34	+ if (fuzzy_basis == 0) {
		35	+ rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname);
		36	+ exit_cleanup(RERR_PROTOCOL);
		37	+ }
		38	if (file->dirname) {
		39	pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
		40	fnamecmp = fnamecmpbuf;
		41	--
		42	2.40.0


diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch new file mode 100644 index 0000000000..5d25f12dd8 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch
@@ -0,0 +1,108 @@
		1	From b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff Mon Sep 17 00:00:00 2001
		2	From: Andrew Tridgell <andrew@tridgell.net>
		3	Date: Sat, 23 Nov 2024 12:26:10 +1100
		4	Subject: [PATCH] added secure_relative_open()
		5
		6	this is an open that enforces no symlink following for all path
		7	components in a relative path
		8
		9	CVE: CVE-2024-12086
		10
		11	Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff]
		12
		13	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		14	---
		15	syscall.c \| 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
		16	1 file changed, 74 insertions(+)
		17
		18	diff --git a/syscall.c b/syscall.c
		19	index b4b0f1f1..cffc814b 100644
		20	--- a/syscall.c
		21	+++ b/syscall.c
		22	@@ -33,6 +33,8 @@
		23	#include <sys/syscall.h>
		24	#endif
		25
		26	+#include "ifuncs.h"
		27	+
		28	extern int dry_run;
		29	extern int am_root;
		30	extern int am_sender;
		31	@@ -707,3 +709,75 @@ int do_open_nofollow(const char *pathname, int flags)
		32
		33	return fd;
		34	}
		35	+
		36	+/*
		37	+ open a file relative to a base directory. The basedir can be NULL,
		38	+ in which case the current working directory is used. The relpath
		39	+ must be a relative path, and the relpath must not contain any
		40	+ elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
		41	+ applies to all path components, not just the last component)
		42	+*/
		43	+int secure_relative_open(const char basedir, const char relpath, int flags, mode_t mode)
		44	+{
		45	+ if (!relpath \|\| relpath[0] == '/') {
		46	+ // must be a relative path
		47	+ errno = EINVAL;
		48	+ return -1;
		49	+ }
		50	+
		51	+#if !defined(O_NOFOLLOW) \|\| !defined(O_DIRECTORY)
		52	+ // really old system, all we can do is live with the risks
		53	+ if (!basedir) {
		54	+ return open(relpath, flags, mode);
		55	+ }
		56	+ char fullpath[MAXPATHLEN];
		57	+ pathjoin(fullpath, sizeof fullpath, basedir, relpath);
		58	+ return open(fullpath, flags, mode);
		59	+#else
		60	+ int dirfd = AT_FDCWD;
		61	+ if (basedir != NULL) {
		62	+ dirfd = openat(AT_FDCWD, basedir, O_RDONLY \| O_DIRECTORY);
		63	+ if (dirfd == -1) {
		64	+ return -1;
		65	+ }
		66	+ }
		67	+ int retfd = -1;
		68	+
		69	+ char *path_copy = my_strdup(relpath, __FILE__, __LINE__);
		70	+ if (!path_copy) {
		71	+ return -1;
		72	+ }
		73	+
		74	+ for (const char *part = strtok(path_copy, "/");
		75	+ part != NULL;
		76	+ part = strtok(NULL, "/"))
		77	+ {
		78	+ int next_fd = openat(dirfd, part, O_RDONLY \| O_DIRECTORY \| O_NOFOLLOW);
		79	+ if (next_fd == -1 && errno == ENOTDIR) {
		80	+ if (strtok(NULL, "/") != NULL) {
		81	+ // this is not the last component of the path
		82	+ errno = ELOOP;
		83	+ goto cleanup;
		84	+ }
		85	+ // this could be the last component of the path, try as a file
		86	+ retfd = openat(dirfd, part, flags \| O_NOFOLLOW, mode);
		87	+ goto cleanup;
		88	+ }
		89	+ if (next_fd == -1) {
		90	+ goto cleanup;
		91	+ }
		92	+ if (dirfd != AT_FDCWD) close(dirfd);
		93	+ dirfd = next_fd;
		94	+ }
		95	+
		96	+ // the path must be a directory
		97	+ errno = EINVAL;
		98	+
		99	+cleanup:
		100	+ free(path_copy);
		101	+ if (dirfd != AT_FDCWD) {
		102	+ close(dirfd);
		103	+ }
		104	+ return retfd;
		105	+#endif // O_NOFOLLOW, O_DIRECTORY
		106	+}
		107	--
		108	2.40.0


diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch new file mode 100644 index 0000000000..de1747adf2 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch
@@ -0,0 +1,108 @@
		1	From c35e28331f10ba6eba370611abd78bde32d54da7 Mon Sep 17 00:00:00 2001
		2	From: Andrew Tridgell <andrew@tridgell.net>
		3	Date: Sat, 23 Nov 2024 12:28:13 +1100
		4	Subject: [PATCH] receiver: use secure_relative_open() for basis file
		5
		6	this prevents attacks where the basis file is manipulated by a
		7	malicious sender to gain information about files outside the
		8	destination tree
		9
		10	CVE: CVE-2024-12086
		11
		12	Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c35e28331f10ba6eba370611abd78bde32d54da7]
		13
		14	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		15	---
		16	receiver.c \| 42 ++++++++++++++++++++++++++----------------
		17	1 file changed, 26 insertions(+), 16 deletions(-)
		18
		19	diff --git a/receiver.c b/receiver.c
		20	index 2d7f6033..8031b8f4 100644
		21	--- a/receiver.c
		22	+++ b/receiver.c
		23	@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name)
		24	progress_init();
		25
		26	while (1) {
		27	+ const char *basedir = NULL;
		28	+
		29	cleanup_disable();
		30
		31	/* This call also sets cur_flist. */
		32	@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char *local_name)
		33	exit_cleanup(RERR_PROTOCOL);
		34	}
		35	if (file->dirname) {
		36	- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
		37	- fnamecmp = fnamecmpbuf;
		38	- } else
		39	- fnamecmp = xname;
		40	+ basedir = file->dirname;
		41	+ }
		42	+ fnamecmp = xname;
		43	break;
		44	default:
		45	if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
		46	fnamecmp_type -= FNAMECMP_FUZZY + 1;
		47	if (file->dirname) {
		48	- stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
		49	- basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
		50	- } else
		51	- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
		52	+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
		53	+ basedir = fnamecmpbuf;
		54	+ } else {
		55	+ basedir = basis_dir[fnamecmp_type];
		56	+ }
		57	+ fnamecmp = xname;
		58	} else if (fnamecmp_type >= basis_dir_cnt) {
		59	rprintf(FERROR,
		60	"invalid basis_dir index: %d.\n",
		61	fnamecmp_type);
		62	exit_cleanup(RERR_PROTOCOL);
		63	- } else
		64	- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
		65	- fnamecmp = fnamecmpbuf;
		66	+ } else {
		67	+ basedir = basis_dir[fnamecmp_type];
		68	+ fnamecmp = fname;
		69	+ }
		70	break;
		71	}
		72	if (!fnamecmp \|\| (daemon_filter_list.head
		73	@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name)
		74	}
		75
		76	/* open the file */
		77	- fd1 = do_open(fnamecmp, O_RDONLY, 0);
		78	+ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
		79
		80	if (fd1 == -1 && protocol_version < 29) {
		81	if (fnamecmp != fname) {
		82	@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name)
		83
		84	if (fd1 == -1 && basis_dir[0]) {
		85	/* pre-29 allowed only one alternate basis */
		86	- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
		87	- basis_dir[0], fname);
		88	- fnamecmp = fnamecmpbuf;
		89	+ basedir = basis_dir[0];
		90	+ fnamecmp = fname;
		91	fnamecmp_type = FNAMECMP_BASIS_DIR_LOW;
		92	- fd1 = do_open(fnamecmp, O_RDONLY, 0);
		93	+ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
		94	}
		95	}
		96
		97	+ if (basedir) {
		98	+ // for the following code we need the full
		99	+ // path name as a single string
		100	+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
		101	+ fnamecmp = fnamecmpbuf;
		102	+ }
		103	+
		104	one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR;
		105	updating_basis_or_equiv = one_inplace
		106	\|\| (inplace && (fnamecmp == fname \|\| fnamecmp_type == FNAMECMP_BACKUP));
		107	--
		108	2.40.0


diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch new file mode 100644 index 0000000000..b85e1dfae4 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch
@@ -0,0 +1,41 @@
		1	From 9f86ddc9652247233f32b241a79d5aa4fb9d4afa Mon Sep 17 00:00:00 2001
		2	From: Andrew Tridgell <andrew@tridgell.net>
		3	Date: Tue, 26 Nov 2024 09:16:31 +1100
		4	Subject: [PATCH] disallow ../ elements in relpath for secure_relative_open
		5
		6	CVE: CVE-2024-12086
		7
		8	Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=9f86ddc9652247233f32b241a79d5aa4fb9d4afa]
		9
		10	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		11	---
		12	syscall.c \| 7 +++++++
		13	1 file changed, 7 insertions(+)
		14
		15	diff --git a/syscall.c b/syscall.c
		16	index cffc814b..081357bb 100644
		17	--- a/syscall.c
		18	+++ b/syscall.c
		19	@@ -716,6 +716,8 @@ int do_open_nofollow(const char *pathname, int flags)
		20	must be a relative path, and the relpath must not contain any
		21	elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
		22	applies to all path components, not just the last component)
		23	+
		24	+ The relpath must also not contain any ../ elements in the path
		25	*/
		26	int secure_relative_open(const char basedir, const char relpath, int flags, mode_t mode)
		27	{
		28	@@ -724,6 +726,11 @@ int secure_relative_open(const char basedir, const char relpath, int flags, mo
		29	errno = EINVAL;
		30	return -1;
		31	}
		32	+ if (strncmp(relpath, "../", 3) == 0 \|\| strstr(relpath, "/../")) {
		33	+ // no ../ elements allowed in the relpath
		34	+ errno = EINVAL;
		35	+ return -1;
		36	+ }
		37
		38	#if !defined(O_NOFOLLOW) \|\| !defined(O_DIRECTORY)
		39	// really old system, all we can do is live with the risks
		40	--
		41	2.40.0


diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 0d9c68a915..0bde73aad2 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,6 +18,10 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
18	file://CVE-2024-12084-0001.patch \	18	file://CVE-2024-12084-0001.patch \
19	file://CVE-2024-12084-0002.patch \	19	file://CVE-2024-12084-0002.patch \
20	file://CVE-2024-12085.patch \	20	file://CVE-2024-12085.patch \
		21	file://CVE-2024-12086-0001.patch \
		22	file://CVE-2024-12086-0002.patch \
		23	file://CVE-2024-12086-0003.patch \
		24	file://CVE-2024-12086-0004.patch \
21	"	25	"
22	SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"	26	SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
23		27