mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-17 18:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

rsync: fix CVE-2024-12087

Browse Source 
A path traversal vulnerability exists in rsync. It stems from behavior enabled
by the `--inc-recursive` option, a default-enabled option for many client options
and can be enabled by the server even if not explicitly enabled by the client.
When using the `--inc-recursive` option, a lack of proper symlink verification
coupled with deduplication checks occurring on a per-file-list basis could allow
a server to write files outside of the client's intended destination directory.
A malicious server could write malicious files to arbitrary locations named after
valid directories/paths on the client.

(From OE-Core rev: 12328df8dfcdc73ef70af299e9ebdc1d8ae73f37)

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Archana Polampalli
2025-01-16 15:51:17 +00:00
committed by Steve Sakoman
parent 1e04a4df0a
commit 2aebe10959
4 changed files with 123 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch Normal file
View File

@@ -0,0 +1,49 @@
From 688f5c379a433038bde36897a156d589be373a98 Mon Sep 17 00:00:00 2001
From: Wayne Davison <wayne@opencoder.net>
Date: Thu, 14 Nov 2024 15:46:50 -0800
Subject: [PATCH] Refuse a duplicate dirlist.
CVE: CVE-2024-12087
Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=688f5c379a433038bde36897a156d589be373a98]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
flist.c | 9 +++++++++
rsync.h | 1 +
2 files changed, 10 insertions(+)
diff --git a/flist.c b/flist.c
index 464d556e..847b1054 100644
--- a/flist.c
+++ b/flist.c
@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f, int dir_ndx)
init_hard_links();
#endif
+ if (inc_recurse && dir_ndx >= 0) {
+ struct file_struct *file = dir_flist->files[dir_ndx];
+ if (file->flags & FLAG_GOT_DIR_FLIST) {
+ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
+ exit_cleanup(RERR_PROTOCOL);
+ }
+ file->flags |= FLAG_GOT_DIR_FLIST;
+ }
+
flist = flist_new(0, "recv_file_list");
flist_expand(flist, FLIST_START_LARGE);
diff --git a/rsync.h b/rsync.h
index 0f9e277f..b9a7101a 100644
--- a/rsync.h
+++ b/rsync.h
@@ -84,6 +84,7 @@
#define FLAG_DUPLICATE (1<<4) /* sender */
#define FLAG_MISSING_DIR (1<<4) /* generator */
#define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */
+#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
#define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */
#define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */
#define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
--
2.40.0

31
meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch Normal file
View File

@@ -0,0 +1,31 @@
From 344327385fa47fa5bb67a32c237735e6240cfb93 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Tue, 26 Nov 2024 16:12:45 +1100
Subject: [PATCH] range check dir_ndx before use
CVE: CVE-2024-12087
Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=344327385fa47fa5bb67a32c237735e6240cfb93]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
flist.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/flist.c b/flist.c
index 847b1054..087f9da6 100644
--- a/flist.c
+++ b/flist.c
@@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f, int dir_ndx)
#endif
if (inc_recurse && dir_ndx >= 0) {
+ if (dir_ndx >= dir_flist->used) {
+ rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used);
+ exit_cleanup(RERR_PROTOCOL);
+ }
struct file_struct *file = dir_flist->files[dir_ndx];
if (file->flags & FLAG_GOT_DIR_FLIST) {
rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
--
2.40.0

40
meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch Normal file
View File

@@ -0,0 +1,40 @@
From 996af4a79f9afe4d7158ecdd87c78cee382c6b39 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Wed, 15 Jan 2025 15:10:24 +0100
Subject: [PATCH] Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
fixes commit 688f5c379a43 (Refuse a duplicate dirlist.)
Fixes: https://github.com/RsyncProject/rsync/issues/702
Fixes: https://github.com/RsyncProject/rsync/issues/697
CVE: CVE-2024-12087
Upstream-Status: Backport [https://github.com/RsyncProject/rsync/commit/996af4a79f9afe4d7158ecdd87c78cee382c6b39]
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
rsync.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rsync.h b/rsync.h
index 9be1297b..479ac484 100644
--- a/rsync.h
+++ b/rsync.h
@@ -84,7 +84,6 @@
#define FLAG_DUPLICATE (1<<4) /* sender */
#define FLAG_MISSING_DIR (1<<4) /* generator */
#define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */
-#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
#define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */
#define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */
#define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
@@ -93,6 +92,7 @@
#define FLAG_SKIP_GROUP (1<<10) /* receiver/generator */
#define FLAG_TIME_FAILED (1<<11)/* generator */
#define FLAG_MOD_NSEC (1<<12) /* sender/receiver/generator */
+#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */
/* These flags are passed to functions but not stored. */
--
2.40.0

3
meta/recipes-devtools/rsync/rsync_3.2.7.bb
View File

@@ -22,6 +22,9 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
file://CVE-2024-12086-0002.patch \
file://CVE-2024-12086-0003.patch \
file://CVE-2024-12086-0004.patch \
file://CVE-2024-12087-0001.patch \
file://CVE-2024-12087-0002.patch \
file://CVE-2024-12087-0003.patch \
"
SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"