openwrt-mirror/packages
1
0
Fork 0
mirror of https://github.com/openwrt/packages.git synced 2025-12-22 01:44:32 +04:00
Code Issues Packages Projects Releases Wiki Activity
Files
01338963f9b122bfcaeda24a07fdff525b033306
packages/net/rsync/patches/008-Refuse-a-duplicate-dirlist.patch
Tianling Shen 01338963f9 rsync: backport bug fixes 
Including CVE fixes for:
CVE-2024-12084
CVE-2024-12085
CVE-2024-12086
CVE-2024-12087
CVE-2024-12088
CVE-2024-12747

The patch list is based on rsync_3.2.7-1+deb12u2 from Debian.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2025-03-11 02:58:02 +08:00

39 lines
1.3 KiB
Diff
Raw Blame History

From 688f5c379a433038bde36897a156d589be373a98 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Thu, 14 Nov 2024 15:46:50 -0800
Subject: [PATCH] Refuse a duplicate dirlist.
---
flist.c | 9 +++++++++
rsync.h | 1 +
2 files changed, 10 insertions(+)
--- a/flist.c
+++ b/flist.c
@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f,
init_hard_links();
#endif
+ if (inc_recurse && dir_ndx >= 0) {
+ struct file_struct *file = dir_flist->files[dir_ndx];
+ if (file->flags & FLAG_GOT_DIR_FLIST) {
+ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
+ exit_cleanup(RERR_PROTOCOL);
+ }
+ file->flags |= FLAG_GOT_DIR_FLIST;
+ }
+
flist = flist_new(0, "recv_file_list");
flist_expand(flist, FLIST_START_LARGE);
--- a/rsync.h
+++ b/rsync.h
@@ -84,6 +84,7 @@
#define FLAG_DUPLICATE (1<<4) /* sender */
#define FLAG_MISSING_DIR (1<<4) /* generator */
#define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */
+#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
#define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */
#define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */
#define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
Reference in New Issue View Git Blame Copy Permalink