1 files changed, 108 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch
new file mode 100644
index 0000000000..de1747adf2
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch
@@ -0,0 +1,108 @@
+From c35e28331f10ba6eba370611abd78bde32d54da7 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Nov 2024 12:28:13 +1100
+Subject: [PATCH] receiver: use secure_relative_open() for basis file
+this prevents attacks where the basis file is manipulated by a
+malicious sender to gain information about files outside the
+destination tree
+CVE: CVE-2024-12086
+Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c35e28331f10ba6eba370611abd78bde32d54da7]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ receiver.c | 42 ++++++++++++++++++++++++++----------------
+ 1 file changed, 26 insertions(+), 16 deletions(-)
+diff --git a/receiver.c b/receiver.c
+index 2d7f6033..8031b8f4 100644
+--- a/receiver.c
+++ b/receiver.c
+@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name)
+        progress_init();
+        while (1) {
+               const char *basedir = NULL;
+
+                cleanup_disable();
+                /* This call also sets cur_flist. */
+@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char *local_name)
+                                        exit_cleanup(RERR_PROTOCOL);
+                                }
+                                if (file->dirname) {
+-                                       pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
+-                                       fnamecmp = fnamecmpbuf;
+-                               } else
+-                                       fnamecmp = xname;
+                                       basedir = file->dirname;
+                               }
+                               fnamecmp = xname;
+                                break;
+                        default:
+                                if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
+                                        fnamecmp_type -= FNAMECMP_FUZZY + 1;
+                                        if (file->dirname) {
+-                                               stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
+-                                                          basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
+-                                       } else
+-                                               pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
+                                               pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
+                                               basedir = fnamecmpbuf;
+                                       } else {
+                                               basedir = basis_dir[fnamecmp_type];
+                                       }
+                                       fnamecmp = xname;
+                                } else if (fnamecmp_type >= basis_dir_cnt) {
+                                        rprintf(FERROR,
+                                                "invalid basis_dir index: %d.\n",
+                                                fnamecmp_type);
+                                        exit_cleanup(RERR_PROTOCOL);
+-                               } else
+-                                       pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
+-                               fnamecmp = fnamecmpbuf;
+                               } else {
+                                       basedir = basis_dir[fnamecmp_type];
+                                       fnamecmp = fname;
+                               }
+                                break;
+                        }
+                        if (!fnamecmp || (daemon_filter_list.head
+@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name)
+                }
+                /* open the file */
+-               fd1 = do_open(fnamecmp, O_RDONLY, 0);
+               fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
+                if (fd1 == -1 && protocol_version < 29) {
+                        if (fnamecmp != fname) {
+@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name)
+                        if (fd1 == -1 && basis_dir[0]) {
+                                /* pre-29 allowed only one alternate basis */
+-                               pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
+-                                        basis_dir[0], fname);
+-                               fnamecmp = fnamecmpbuf;
+                               basedir = basis_dir[0];
+                               fnamecmp = fname;
+                                fnamecmp_type = FNAMECMP_BASIS_DIR_LOW;
+-                               fd1 = do_open(fnamecmp, O_RDONLY, 0);
+                               fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
+                        }
+                }
+               if (basedir) {
+                       // for the following code we need the full
+                       // path name as a single string
+                       pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
+                       fnamecmp = fnamecmpbuf;
+               }
+
+                one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR;
+                updating_basis_or_equiv = one_inplace
+                    || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP));
+--
+2.40.0

diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch new file mode 100644 index 0000000000..de1747adf2 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch
@@ -0,0 +1,108 @@
	1	From c35e28331f10ba6eba370611abd78bde32d54da7 Mon Sep 17 00:00:00 2001
	2	From: Andrew Tridgell <andrew@tridgell.net>
	3	Date: Sat, 23 Nov 2024 12:28:13 +1100
	4	Subject: [PATCH] receiver: use secure_relative_open() for basis file
	5
	6	this prevents attacks where the basis file is manipulated by a
	7	malicious sender to gain information about files outside the
	8	destination tree
	9
	10	CVE: CVE-2024-12086
	11
	12	Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c35e28331f10ba6eba370611abd78bde32d54da7]
	13
	14	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
	15	---
	16	receiver.c \| 42 ++++++++++++++++++++++++++----------------
	17	1 file changed, 26 insertions(+), 16 deletions(-)
	18
	19	diff --git a/receiver.c b/receiver.c
	20	index 2d7f6033..8031b8f4 100644
	21	--- a/receiver.c
	22	+++ b/receiver.c
	23	@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name)
	24	progress_init();
	25
	26	while (1) {
	27	+ const char *basedir = NULL;
	28	+
	29	cleanup_disable();
	30
	31	/* This call also sets cur_flist. */
	32	@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char *local_name)
	33	exit_cleanup(RERR_PROTOCOL);
	34	}
	35	if (file->dirname) {
	36	- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
	37	- fnamecmp = fnamecmpbuf;
	38	- } else
	39	- fnamecmp = xname;
	40	+ basedir = file->dirname;
	41	+ }
	42	+ fnamecmp = xname;
	43	break;
	44	default:
	45	if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
	46	fnamecmp_type -= FNAMECMP_FUZZY + 1;
	47	if (file->dirname) {
	48	- stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
	49	- basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
	50	- } else
	51	- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
	52	+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
	53	+ basedir = fnamecmpbuf;
	54	+ } else {
	55	+ basedir = basis_dir[fnamecmp_type];
	56	+ }
	57	+ fnamecmp = xname;
	58	} else if (fnamecmp_type >= basis_dir_cnt) {
	59	rprintf(FERROR,
	60	"invalid basis_dir index: %d.\n",
	61	fnamecmp_type);
	62	exit_cleanup(RERR_PROTOCOL);
	63	- } else
	64	- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
	65	- fnamecmp = fnamecmpbuf;
	66	+ } else {
	67	+ basedir = basis_dir[fnamecmp_type];
	68	+ fnamecmp = fname;
	69	+ }
	70	break;
	71	}
	72	if (!fnamecmp \|\| (daemon_filter_list.head
	73	@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name)
	74	}
	75
	76	/* open the file */
	77	- fd1 = do_open(fnamecmp, O_RDONLY, 0);
	78	+ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
	79
	80	if (fd1 == -1 && protocol_version < 29) {
	81	if (fnamecmp != fname) {
	82	@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name)
	83
	84	if (fd1 == -1 && basis_dir[0]) {
	85	/* pre-29 allowed only one alternate basis */
	86	- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
	87	- basis_dir[0], fname);
	88	- fnamecmp = fnamecmpbuf;
	89	+ basedir = basis_dir[0];
	90	+ fnamecmp = fname;
	91	fnamecmp_type = FNAMECMP_BASIS_DIR_LOW;
	92	- fd1 = do_open(fnamecmp, O_RDONLY, 0);
	93	+ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
	94	}
	95	}
	96
	97	+ if (basedir) {
	98	+ // for the following code we need the full
	99	+ // path name as a single string
	100	+ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
	101	+ fnamecmp = fnamecmpbuf;
	102	+ }
	103	+
	104	one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR;
	105	updating_basis_or_equiv = one_inplace
	106	\|\| (inplace && (fnamecmp == fname \|\| fnamecmp_type == FNAMECMP_BACKUP));
	107	--
	108	2.40.0