Control: tags -1 + moreinfo

Hi

On Sun, May 31, 2026 at 06:15:57PM -0300, Aquila Macedo wrote:
> Package: release.debian.org
> Control: affects -1 + src:rsync
> X-Debbugs-Cc: [email protected]
> User: [email protected]
> Usertags: pu
> Tags: bookworm
> X-Debbugs-Cc: [email protected]
> Severity: normal
>
> [ Reason ]
> This update fixes CVE-2026-45232, a minor/no-dsa client-side issue in
> RSYNC_PROXY handling.
>
> When rsync connects through an HTTP proxy using RSYNC_PROXY, an overlong
> proxy response line could trigger a one-byte out-of-bounds stack write. The
> write is a fixed NUL byte, so the practical impact is limited, but the
> vulnerable code is present in bookworm.
>
> [ Impact ]
> Clients using RSYNC_PROXY could crash or misbehave when receiving an
> overlong HTTP proxy response line from a malicious proxy or MITM.
>
> [ Tests ]
> The package built successfully in Salsa CI:
>
> https://salsa.debian.org/aquila/rsync/-/pipelines/1098495
>
> The targeted upstream regression test added by this patch also passed:
>
> PASS proxy-response-line-too-long
>
> See: https://salsa.debian.org/aquila/rsync/-/jobs/9693182#L3264
>
> The change was also reviewed and approved on Salsa by Samuel Henrique, one
> of the rsync maintainers.
>
> [ Risks ]
> Low. The patch is small, comes from upstream's v3.2.7 security patch branch,
> and only rejects an invalid overlong HTTP proxy response line.
>
> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> [ Changes ]
> Import the upstream v3.2.7-sec-patches fix to reject overlong HTTP proxy
> response lines.
>
> No upstream version bump and no unrelated fixes are included.
>
> diff -Nru rsync-3.2.7-1+deb12u5/debian/changelog
> rsync-3.2.7-1+deb12u6/debian/changelog
> --- rsync-3.2.7-1+deb12u5/debian/changelog 2026-05-20 02:10:17.000000000
> -0400
> +++ rsync-3.2.7-1+deb12u6/debian/changelog 2026-05-24 17:23:41.000000000
> -0400
> @@ -1,3 +1,12 @@
> +rsync (3.2.7-1+deb12u6) bookworm; urgency=medium
> +
> + * Non-maintainer upload.
> + * Import upstream patch to reject overlong HTTP proxy response lines,
> + avoiding a one byte out of bounds stack write when using RSYNC_PROXY.
> + (CVE-2026-45232).
> +
> + -- Aquila Macedo Costa <[email protected]> Sun, 24 May 2026 18:23:41 -0300

Why are you fixing this for bookworm while there is no update for trixie-pu,
and have you coordinated this with the maintainer? I'm asking this because of
a similar approach done for libsdl2-image, cf. #1134510. So at the very
minimum before having a bookworm update there should be a similar update as
well for trixie.

Regards,
Salvatore
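Review bot: the changelog bullet "* Import upstream patch to reject overlong HTTP proxy response lines," does not identify which upstream commit or which debian/patches file carries the fix; the request text says it comes from the v3.2.7-sec-patches branch, so name that branch and the commit (or the patch file name) in the bullet so the change is traceable from the changelog alone. Minor: "one byte out of bounds stack write" reads better as "one-byte out-of-bounds stack write", matching the wording in the [ Reason ] section.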

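The bug class described in the request (an HTTP proxy response line read into a fixed stack buffer, with an overlong line pushing the terminating NUL one byte past the end) is avoided by a bounded line reader that rejects the line before the buffer is full. The following is an added example written for this thread, not rsync's own code or the upstream patch; `read_proxy_line`, `PROXY_LINE_MAX` and the in-memory byte source are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not rsync's code: a bounded reader for one HTTP proxy
 * response line. Buffer size and byte-source callback are assumptions. */
#define PROXY_LINE_MAX 256

/* Hypothetical byte source: returns the next byte (0..255) or -1 at EOF. */
typedef int (*read_byte_fn)(void *ctx);
/* Reads one LF-terminated line (CR stripped) into buf of size bufsz (> 0).
 * Returns the line length on success, -1 on EOF before the line ended,
 * -2 when the line would not fit in buf together with its terminating NUL. */
int read_proxy_line(read_byte_fn rd, void *ctx, char *buf, size_t bufsz)
{
    size_t len = 0;
    for (;;) {
        int c = rd(ctx);
        if (c < 0)
            return -1;
        if (c == '\n')
            break;
        if (c == '\r')
            continue;
        /* One byte stays reserved for the NUL. Checking before the store is
         * what prevents the one-byte overrun: an overlong line is rejected
         * instead of filling the buffer and then writing NUL at buf[bufsz]. */
        if (len + 1 >= bufsz)
            return -2;
        buf[len++] = (char)c;
    }
    buf[len] = '\0';
    return (int)len;
}

/* Constructed in-memory byte source so the reader can be exercised offline. */
struct mem_src { const char *data; size_t pos, n; };
static int mem_read(void *ctx)
{
    struct mem_src *m = ctx;
    return m->pos < m->n ? (unsigned char)m->data[m->pos++] : -1;
}

/* Feeds a constructed proxy response through read_proxy_line. */
int check_proxy_response(const char *resp, char *out, size_t outsz)
{
    struct mem_src m = { resp, 0, strlen(resp) };
    return read_proxy_line(mem_read, &m, out, outsz);
}
```

A line of exactly PROXY_LINE_MAX - 1 bytes is the longest that is accepted; one byte more is rejected with -2 rather than stored.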
