Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:rsync
User: [email protected]
Usertags: pu
[ Reason ]
The reason is to fix CVE-2025-10158 [1]: a malicious client acting as the receiver of an rsync file transfer can trigger an out-of-bounds read of a heap-based buffer via a negative array index.

Bug: #1121442

[ Impact ]
The primary impact is Denial of Service (DoS): a malicious client (with read access to an rsync module) can remotely crash the rsync daemon by exploiting an Out-of-Bounds (OOB) heap read.

[ Tests ]
Verify that the patched rsync daemon does not crash when the client attempts to use the specific protocol sequence that previously led to the negative array index.

[ Risks ]
The risk of not applying this fix is medium. The vulnerability allows an attacker to cause a denial-of-service (DoS).

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
The fix essentially adds a validation check to the file handling logic on the server side (sender.c). The original code failed to verify that the parent directory index (cur_flist->parent_ndx) was non-negative before using it to index an array.

[ Other info ]
The fix has already been sent to stable (trixie) as well.
@samueloph has reviewed this backport and will sponsor it.

[1] https://security-tracker.debian.org/tracker/CVE-2025-10158

-- 
Thanks,
Polkorny
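To make the check described under [ Changes ] concrete, the following is an added example in C; it is not rsync's code. The struct layout, the sample lists and lookup_file() are assumptions modelled on the field names that appear in the patch (files, ndx_start, parent_ndx). It resolves a peer-supplied index the way the lookup in send_files() does and refuses to index the directory list when parent_ndx is negative; it goes beyond the upstream patch by also rejecting indices past the end of either list.

```c
#include <stddef.h>

/* Constructed, simplified model of the file-list lookup in rsync's
 * send_files() (sender.c). Added example code, not rsync's own: the struct
 * and lookup_file() are assumptions that mirror the field names in the patch. */
struct file_list {
    const char **files;   /* path names; valid entries are files[0..used-1] */
    int used;             /* number of valid entries */
    int ndx_start;        /* global index of files[0] in this list */
    int parent_ndx;       /* index of this list's directory in dir_flist, or -1 */
};

/* Resolve a global index ndx received from the peer to a file entry.
 * Returns NULL where the daemon would call exit_cleanup(RERR_PROTOCOL):
 * a peer-controlled index is never used before it has been validated. */
const char *lookup_file(const struct file_list *cur,
                        const struct file_list *dir, int ndx)
{
    int local = ndx - cur->ndx_start;

    if (local >= 0) {
        /* Index belongs to the current list; also reject past-the-end values
         * (this upper-bound check goes beyond the upstream patch). */
        if (local >= cur->used)
            return NULL;
        return cur->files[local];
    }
    /* Index refers to the parent directory entry. The CVE-2025-10158 fix is
     * the "< 0" guard: a negative parent_ndx must never index the array. */
    if (cur->parent_ndx < 0 || cur->parent_ndx >= dir->used)
        return NULL;
    return dir->files[cur->parent_ndx];
}

/* Constructed sample lists for a stand-alone run. */
static const char *dir_names[] = { "docs", "src" };
static const char *sub_names[] = { "src/main.c", "src/util.c" };

static const struct file_list dir_flist = { dir_names, 2, 0, -1 };
/* A sub-list whose parent is dir_flist entry 1 ("src"). */
static const struct file_list sub_ok  = { sub_names, 2, 10, 1 };
/* A sub-list carrying a negative parent index, the state the fix rejects. */
static const struct file_list sub_bad = { sub_names, 2, 10, -1 };

/* Run three cases: local lookup, parent lookup, rejected parent lookup.
 * Returns the number of cases that behaved as expected (3). */
int run_checks(void)
{
    int ok = 0;
    if (lookup_file(&sub_ok, &dir_flist, 11) == sub_names[1]) ok++;
    if (lookup_file(&sub_ok, &dir_flist, 5) == dir_names[1]) ok++;
    if (lookup_file(&sub_bad, &dir_flist, 5) == NULL) ok++;
    return ok;
}

int main(void)
{
    return run_checks() == 3 ? 0 : 1;
}
```

The NULL return stands in for exit_cleanup(RERR_PROTOCOL): in the daemon the transfer is aborted rather than continued with a bad index.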
diff -Nru rsync-3.2.7/debian/changelog rsync-3.2.7/debian/changelog --- rsync-3.2.7/debian/changelog 2025-07-27 11:12:57.000000000 -0300 +++ rsync-3.2.7/debian/changelog 2025-11-27 21:49:27.000000000 -0300 @@ -1,3 +1,14 @@ +rsync (3.2.7-1+deb12u4) bookworm; urgency=medium + + * Team upload. + * d/p/CVE-2025-10158.patch: Import upstream patch to fix CVE-2025-10158 + + A malicious client acting as the receiver of an rsync file transfer + can trigger an out of bounds read of a heap based buffer, + via a negative array index. + + -- Matheus Polkorny <[email protected]> Thu, 27 Nov 2025 21:49:27 -0300 + rsync (3.2.7-1+deb12u3) bookworm; urgency=medium * Team upload. diff -Nru rsync-3.2.7/debian/patches/CVE-2025-10158.patch rsync-3.2.7/debian/patches/CVE-2025-10158.patch --- rsync-3.2.7/debian/patches/CVE-2025-10158.patch 1969-12-31 21:00:00.000000000 -0300 +++ rsync-3.2.7/debian/patches/CVE-2025-10158.patch 2025-11-27 21:49:27.000000000 -0300 
@@ -0,0 +1,26 @@ +From: Andrew Tridgell <[email protected]> +Date: Sat, 23 Aug 2025 17:26:53 +1000 +Subject: fixed an invalid access to files array + +this was found by Calum Hutton from Rapid7. It is a real bug, but +analysis shows it can't be leverged into an exploit. Worth fixing +though. + +Many thanks to Calum and Rapid7 for finding and reporting this +--- + sender.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sender.c b/sender.c +index a4d46c3..b1588b7 100644 +--- a/sender.c ++++ b/sender.c +@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out) + + if (ndx - cur_flist->ndx_start >= 0) + file = cur_flist->files[ndx - cur_flist->ndx_start]; ++ else if (cur_flist->parent_ndx < 0) ++ exit_cleanup(RERR_PROTOCOL); + else + file = dir_flist->files[cur_flist->parent_ndx]; + if (F_PATHNAME(file)) { diff -Nru rsync-3.2.7/debian/patches/series rsync-3.2.7/debian/patches/series --- rsync-3.2.7/debian/patches/series 2025-07-27 11:12:57.000000000 -0300 +++ rsync-3.2.7/debian/patches/series 2025-11-27 21:49:27.000000000 -0300 @@ -19,3 +19,4 @@ # Regression from CVE-2024-12087 (#1093052) Fix-FLAG_GOT_DIR_FLIST-collission-with-FLAG_HLINKED.patch Fix_use-after-free_in_generator.patch +CVE-2025-10158.patch
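Review bot: the d/changelog entry for 3.2.7-1+deb12u4 does not reference the Debian bug the pu request cites (#1121442); consider appending `(Closes: #1121442)` to the CVE-2025-10158 bullet so the upload closes the bug and the BTS links the two.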
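Review bot: the DEP-3 header of d/p/CVE-2025-10158.patch carries From/Date/Subject but no `Origin:` line pointing at the upstream commit and no `Bug-Debian: https://bugs.debian.org/1121442` line; adding both makes the provenance of the backport checkable without reading the tracker. On the sender.c hunk itself, the new `else if (cur_flist->parent_ndx < 0)` branch rejects only a negative index, and nothing visible in the hunk bounds parent_ndx against the size of dir_flist->files; a sentence in the pu request confirming that the upper bound is enforced when dir_flist is built would make clear that this guard is the only one missing.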
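Review bot: in d/patches/series, CVE-2025-10158.patch is appended directly under the two patches grouped by the `# Regression from CVE-2024-12087 (#1093052)` comment, so it reads as part of that regression fix; a blank line or a `# CVE-2025-10158 (#1121442)` comment above the new entry would keep the file's grouping consistent.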

