Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <[email protected]>
and subject line Released with 13.3
has caused the Debian Bug report #1122068,
regarding trixie-pu: package rsync/3.4.1+ds1-5+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1122068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122068
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:rsync
User: [email protected]
Usertags: pu
[ Reason ]
The reason is to fix CVE-2025-10158 [1]: a malicious client
acting as the receiver of an rsync file transfer can
trigger an out-of-bounds read of a heap-based buffer
via a negative array index. Bug: #1121442
[ Impact ]
The primary impact is Denial of Service (DoS): a malicious client
(with read access to an rsync module) can remotely crash the rsync
daemon by exploiting an Out-of-Bounds (OOB) heap read.
[ Tests ]
Verify that the patched rsync daemon does not crash when the
client attempts to use the specific protocol sequence that
previously led to the negative array index.
[ Risks ]
The risk of not applying this fix is medium. The vulnerability
allows an attacker to cause a denial-of-service (DoS).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The fix essentially added a security validation check to the file
handling logic on the server side (sender.c).
The original code failed to verify if the variable holding
the parent directory index (cur_flist->parent_ndx) was
negative before accessing an array.
[ Other info ]
@samueloph has reviewed this backport and will sponsor it.
[1] https://security-tracker.debian.org/tracker/CVE-2025-10158
--
Thanks,
Polkorny
diff -Nru rsync-3.4.1+ds1/debian/changelog rsync-3.4.1+ds1/debian/changelog
--- rsync-3.4.1+ds1/debian/changelog 2025-07-26 06:26:07.000000000 -0300
+++ rsync-3.4.1+ds1/debian/changelog 2025-11-27 21:29:04.000000000 -0300
@@ -1,3 +1,14 @@
+rsync (3.4.1+ds1-5+deb13u1) trixie; urgency=medium
+
+ * Team upload.
+ * d/p/CVE-2025-10158.patch: Import upstream patch to fix CVE-2025-10158
+
+ A malicious client acting as the receiver of an rsync file transfer
+ can trigger an out of bounds read of a heap based buffer,
+ via a negative array index.
+
+ -- Matheus Polkorny <[email protected]> Thu, 27 Nov 2025 21:29:04 -0300
+
rsync (3.4.1+ds1-5) unstable; urgency=medium
* Team upload.
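Review bot: the new changelog entry does not close the tracking bug. The report above cites Bug: #1121442 for this CVE, so the `* d/p/CVE-2025-10158.patch:` line should end with `(Closes: #1121442)` so the BTS is updated automatically when the upload is accepted.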
diff -Nru rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch
rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch
--- rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch 1969-12-31
21:00:00.000000000 -0300
+++ rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch 2025-11-27
21:29:04.000000000 -0300
@@ -0,0 +1,26 @@
+From: Andrew Tridgell <[email protected]>
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: fixed an invalid access to files array
+
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+
+Many thanks to Calum and Rapid7 for finding and reporting this
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sender.c b/sender.c
+index a4d46c3..b1588b7 100644
+--- a/sender.c
++++ b/sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+
+ if (ndx - cur_flist->ndx_start >= 0)
+ file = cur_flist->files[ndx - cur_flist->ndx_start];
++ else if (cur_flist->parent_ndx < 0)
++ exit_cleanup(RERR_PROTOCOL);
+ else
+ file = dir_flist->files[cur_flist->parent_ndx];
+ if (F_PATHNAME(file)) {
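Review bot: the visible hunk only rejects the negative side of `cur_flist->parent_ndx`; the `else` branch still indexes `dir_flist->files[cur_flist->parent_ndx]` with no check against the length of `dir_flist` in this hunk, so either confirm that an upper bound is enforced where `parent_ndx` is assigned or consider extending the new `else if` to cover it. Separately, the patch header carries only From/Date/Subject: adding DEP-3 `Origin:` (upstream commit URL) and `Bug-Debian:` lines would let the patch be traced to its source without consulting the changelog.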
diff -Nru rsync-3.4.1+ds1/debian/patches/series
rsync-3.4.1+ds1/debian/patches/series
--- rsync-3.4.1+ds1/debian/patches/series 2025-07-26 06:26:07.000000000
-0300
+++ rsync-3.4.1+ds1/debian/patches/series 2025-11-27 21:29:04.000000000
-0300
@@ -3,3 +3,4 @@
env_shebang.patch
fix_rrsync_man_generation.patch
fix-flaky-hardlinks-test.patch
+CVE-2025-10158.patch
--- End Message ---
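The check the patch adds, as an added example written for this page (not rsync's code and not part of the debdiff): a stand-alone model of the `send_files()` lookup with the negative `parent_ndx` rejection, which also bounds both indexes against the list sizes, a hardening step this example adds beyond the upstream patch. The struct, list contents and return codes are constructed stand-ins, not rsync's real types.

```c
#include <string.h>

/* Minimal stand-in for the two rsync file lists touched by the lookup in
 * send_files(); a constructed model, not rsync's real struct. */
struct file_list {
    int ndx_start;      /* first global index held by this list */
    int used;           /* number of entries in files[] */
    int parent_ndx;     /* index into dir_flist->files, or < 0 when unset */
    const char **files;
};

enum { LOOKUP_OK = 0, LOOKUP_PROTOCOL_ERROR = -1 };

/* Patched lookup: a negative parent_ndx is a protocol error (upstream calls
 * exit_cleanup(RERR_PROTOCOL)); before the fix it was used directly as an
 * index into dir->files, reading before the start of the heap buffer.
 * The two upper-bound checks are extra hardening added in this example. */
int lookup_file(const struct file_list *cur, const struct file_list *dir, int ndx, const char **out)
{
    int rel = ndx - cur->ndx_start;
    if (rel >= 0) {
        if (rel >= cur->used)
            return LOOKUP_PROTOCOL_ERROR;
        *out = cur->files[rel];
        return LOOKUP_OK;
    }
    if (cur->parent_ndx < 0 || cur->parent_ndx >= dir->used)
        return LOOKUP_PROTOCOL_ERROR;
    *out = dir->files[cur->parent_ndx];
    return LOOKUP_OK;
}

/* Constructed sample lists: cur_flist holds global indexes 10 and 11,
 * dir_flist holds the single parent directory entry. */
static const char *cur_files[] = { "dir/a", "dir/b" };
static const char *dir_files[] = { "dir" };

/* 1 when the sample lookup matches expectation: a name on success, or
 * NULL when a protocol error is the expected outcome. */
int lookup_yields(int ndx, int parent_ndx, const char *expected)
{
    struct file_list dir = { 0, 1, -1, dir_files };
    struct file_list cur = { 10, 2, parent_ndx, cur_files };
    const char *name = NULL;
    int rc = lookup_file(&cur, &dir, ndx, &name);
    if (expected == NULL)
        return rc == LOOKUP_PROTOCOL_ERROR;
    return rc == LOOKUP_OK && strcmp(name, expected) == 0;
}
```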
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.
--- End Message ---