Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package rsync for openSUSE:Factory checked in at 2026-05-13 17:19:34

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rsync (Old)
 and      /work/SRC/openSUSE:Factory/.rsync.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rsync" Wed May 13 17:19:34 2026 rev:96 rq:1352557 version:3.4.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rsync/rsync.changes 2025-12-18 18:31:01.724546875 +0100 +++ /work/SRC/openSUSE:Factory/.rsync.new.1966/rsync.changes 2026-05-13 17:20:50.395033475 +0200 @@ -1,0 +2,7 @@ +Tue May 07 16:06:15 UTC 2026 - David Anes <[email protected]> + +- Security update (CVE-2026-41035, bsc#1262223): rsync: count of + entries mismatch can lead to a use-after-free + - Add rsync-CVE-2026-41035.patch + +------------------------------------------------------------------- New: ---- rsync-CVE-2026-41035.patch ----------(New B)---------- New: entries mismatch can lead to a use-after-free - Add rsync-CVE-2026-41035.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rsync.spec ++++++ --- /var/tmp/diff_new_pack.HjtFFZ/_old 2026-05-13 17:20:52.455118583 +0200 +++ /var/tmp/diff_new_pack.HjtFFZ/_new 2026-05-13 17:20:52.471119244 +0200 @@ -1,7 +1,7 @@ # # spec file for package rsync # -# Copyright (c) 2025 SUSE LLC and contributors +# Copyright (c) 2026 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -64,6 +64,9 @@ # bsc#1254441, CVE-2025-10158: rsync: Out of bounds array access via negative index # https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f Patch7: rsync-CVE-2025-10158.patch +# bsc#1262223, CVE-2026-41035: rsync: count of entries mismatch can lead to a use-after-free +# https://github.com/RsyncProject/rsync/pull/875 +Patch8: rsync-CVE-2026-41035.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: c++_compiler ++++++ rsync-CVE-2026-41035.patch ++++++ >From 6aa7ee6ba1bd71b1b7bac7dbb351ed05c065e93d Mon Sep 17 00:00:00 2001 
From: Andrew Tridgell <[email protected]> Date: Wed, 22 Apr 2026 09:57:45 +1000 Subject: [PATCH] xattrs: fixed count in qsort this fixes the count passed to the sort of the xattr list. This issue was reported here: https://www.openwall.com/lists/oss-security/2026/04/16/2 the bug is not exploitable due to the fork-per-connection design of rsync, the attack is the equivalent of the user closing the socket themselves. --- xattrs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xattrs.c b/xattrs.c index 26e50a6f9..65166eed9 100644 --- a/xattrs.c +++ b/xattrs.c @@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file) rxa->num = num; } - if (need_sort && count > 1) - qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names); + if (need_sort && temp_xattr.count > 1) + qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names); ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */
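Review bot: in the rsync.spec hunk that adds Patch8, the comment cites only https://github.com/RsyncProject/rsync/pull/875 while the embedded patch header identifies upstream commit 6aa7ee6ba1bd71b1b7bac7dbb351ed05c065e93d; listing the commit hash next to the PR link, as the Patch7 comment does for CVE-2025-10158, would make provenance checks against upstream straightforward. Also confirm that %prep actually applies it: the hunk only declares the patch, so if the spec applies patches with explicit %patch lines rather than %autosetup, a corresponding line for Patch8 is needed.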
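Review bot: in the xattrs.c hunk, both the guard and the length passed to qsort() now use temp_xattr.count, the number of entries actually stored in temp_xattr.items, instead of the separately tracked `count`; that is the correct source, because a length that does not match the stored entries makes qsort() operate on memory outside the live item array, the mismatch the changelog entry describes. Since the two values can legitimately diverge, a regression test that drives receive_xattr() with a declared count different from the number of entries stored would pin this behaviour, and a one-line comment above the guard saying why temp_xattr.count rather than `count` is the right length would help the next reader; the commit message's note that the bug is not exploitable also sits uneasily beside the package changelog's "use-after-free" wording, so the spec comment might state the upstream assessment as well.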
