1 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch
new file mode 100644
index 0000000000..958a25a37b
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch
@@ -0,0 +1,42 @@
+From 8ad4b5d912fad1df29717dddaa775724da77d299 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Nov 2024 11:08:03 +1100
+Subject: [PATCH] refuse fuzzy options when fuzzy not selected
+this prevents a malicious server providing a file to compare to when
+the user has not given the fuzzy option
+CVE: CVE-2024-12086
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=8ad4b5d912fad1df29717dddaa775724da77d299]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ receiver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/receiver.c b/receiver.c
+index 6b4b369e..2d7f6033 100644
+--- a/receiver.c
+++ b/receiver.c
+@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_LEN];
+ extern struct file_list *cur_flist, *first_flist, *dir_flist;
+ extern filter_rule_list daemon_filter_list;
+ extern OFF_T preallocated_len;
+extern int fuzzy_basis;
+ extern struct name_num_item *xfer_sum_nni;
+ extern int xfer_sum_len;
+@@ -716,6 +717,10 @@ int recv_files(int f_in, int f_out, char *local_name)
+                                fnamecmp = get_backup_name(fname);
+                                break;
+                        case FNAMECMP_FUZZY:
+                               if (fuzzy_basis == 0) {
+                                       rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname);
+                                       exit_cleanup(RERR_PROTOCOL);
+                               }
+                                if (file->dirname) {
+                                        pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
+                                        fnamecmp = fnamecmpbuf;
+--
+2.40.0

diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch new file mode 100644 index 0000000000..958a25a37b --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch
@@ -0,0 +1,42 @@
	1	From 8ad4b5d912fad1df29717dddaa775724da77d299 Mon Sep 17 00:00:00 2001
	2	From: Andrew Tridgell <andrew@tridgell.net>
	3	Date: Sat, 23 Nov 2024 11:08:03 +1100
	4	Subject: [PATCH] refuse fuzzy options when fuzzy not selected
	5
	6	this prevents a malicious server providing a file to compare to when
	7	the user has not given the fuzzy option
	8
	9	CVE: CVE-2024-12086
	10
	11	Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=8ad4b5d912fad1df29717dddaa775724da77d299]
	12
	13	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
	14	---
	15	receiver.c \| 5 +++++
	16	1 file changed, 5 insertions(+)
	17
	18	diff --git a/receiver.c b/receiver.c
	19	index 6b4b369e..2d7f6033 100644
	20	--- a/receiver.c
	21	+++ b/receiver.c
	22	@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_LEN];
	23	extern struct file_list cur_flist, first_flist, *dir_flist;
	24	extern filter_rule_list daemon_filter_list;
	25	extern OFF_T preallocated_len;
	26	+extern int fuzzy_basis;
	27
	28	extern struct name_num_item *xfer_sum_nni;
	29	extern int xfer_sum_len;
	30	@@ -716,6 +717,10 @@ int recv_files(int f_in, int f_out, char *local_name)
	31	fnamecmp = get_backup_name(fname);
	32	break;
	33	case FNAMECMP_FUZZY:
	34	+ if (fuzzy_basis == 0) {
	35	+ rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname);
	36	+ exit_cleanup(RERR_PROTOCOL);
	37	+ }
	38	if (file->dirname) {
	39	pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
	40	fnamecmp = fnamecmpbuf;
	41	--
	42	2.40.0