commit: 029532544d5edfe5fc70413a827831932e3c0b21 Author: Varsha Teratipally <teratipally <AT> google <DOT> com> AuthorDate: Wed Nov 17 17:30:16 2021 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Thu Nov 18 02:30:46 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=02953254
net-misc/rsync: fix CVE-2020-14387 Bug: https://bugs.gentoo.org/792576 Signed-off-by: Varsha Teratipally <teratipally <AT> google.com> Closes: https://github.com/gentoo/gentoo/pull/22981 Signed-off-by: Sam James <sam <AT> gentoo.org> .../files/rsync-3.2.3-verify-certificate.patch | 26 +++++ net-misc/rsync/rsync-3.2.3-r5.ebuild | 124 +++++++++++++++++++++ 2 files changed, 150 insertions(+)
diff --git a/net-misc/rsync/files/rsync-3.2.3-verify-certificate.patch b/net-misc/rsync/files/rsync-3.2.3-verify-certificate.patch
new file mode 100644
index 000000000000..9b462a1df721
--- /dev/null
+++ b/net-misc/rsync/files/rsync-3.2.3-verify-certificate.patch
@@ -0,0 +1,26 @@
+From c3f7414c450faaf6a8281cc4a4403529aeb7d859 Mon Sep 17 00:00:00 2001
+From: Matt McCutchen <m...@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 12:16:08 -0400
+Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
+ openssl.
+
+---
+ rsync-ssl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975a..46701af1 100755
+--- a/rsync-ssl
++++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+ fi
+
+ if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+ elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+ else
+--
+2.25.1
+
diff --git a/net-misc/rsync/rsync-3.2.3-r5.ebuild b/net-misc/rsync/rsync-3.2.3-r5.ebuild
new file mode 100644
index 000000000000..826911b13641
--- /dev/null
+++ b/net-misc/rsync/rsync-3.2.3-r5.ebuild
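Review bot: Adding `-verify_hostname $hostname` only makes the check fatal if s_client is also told to abort on verification failure; by default s_client reports a verify error and keeps the session open, so a hostname mismatch stays advisory unless `-verify_return_error` is in effect. `$caopt` is assembled outside this hunk (rsync_ssl_helper begins before line 129), so confirm it carries `-verify_return_error` in every verifying mode, or add the flag on this line next to `-verify_hostname`. `-verify_hostname` is accepted by OpenSSL 1.1.0 and later; an older openssl binary rejects the option and the exec fails, which is at least the safe direction. The gnutls branch two lines below is untouched; gnutls-cli verifies the peer against the given host by default, so no parallel change appears needed, but that is worth confirming rather than assuming.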
@@ -0,0 +1,124 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+if [[ ${PV} != 3.2.3 ]]; then
+ # Make sure we revert the autotools hackery applied in 3.2.3.
+ die "Please use rsync-9999.ebuild as a basis for version bumps"
+fi
+
+WANT_LIBTOOL=none
+
+inherit autotools prefix systemd
+
+DESCRIPTION="File transfer program to keep remote files into sync"
+HOMEPAGE="https://rsync.samba.org/"
+SRC_DIR="src"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+SRC_URI="https://rsync.samba.org/ftp/rsync/${SRC_DIR}/${P/_/}.tar.gz"
+S="${WORKDIR}/${P/_/}"
+
+LICENSE="GPL-3"
+SLOT="0"
+IUSE="acl examples iconv ipv6 lz4 ssl stunnel system-zlib xattr xxhash zstd"
+
+RDEPEND="acl? ( virtual/acl )
+ lz4? ( app-arch/lz4 )
+ ssl? ( dev-libs/openssl:0= )
+ system-zlib? ( sys-libs/zlib )
+ xattr? ( kernel_linux? ( sys-apps/attr ) )
+ xxhash? ( dev-libs/xxhash )
+ zstd? ( >=app-arch/zstd-1.4 )
+ >=dev-libs/popt-1.5
+ iconv? 
( virtual/libiconv )"
+DEPEND="${RDEPEND}"
+
+src_prepare() {
+ local PATCHES=(
+ "${FILESDIR}/${P}-glibc-lchmod.patch"
+ "${FILESDIR}/${P}-cross.patch"
+ # Fix for (CVE-2020-14387) - net-misc/rsync: improper TLS validation in rsync-ssl script
+ "${FILESDIR}/${P}-verify-certificate.patch"
+ )
+ default
+ eautoconf -o configure.sh
+ touch config.h.in || die
+}
+
+src_configure() {
+ local myeconfargs=(
+ --with-rsyncd-conf="${EPREFIX}"/etc/rsyncd.conf
+ --without-included-popt
+ $(use_enable acl acl-support)
+ $(use_enable iconv)
+ $(use_enable ipv6)
+ $(use_enable lz4)
+ $(use_enable ssl openssl)
+ $(use_with !system-zlib included-zlib)
+ $(use_enable xattr xattr-support)
+ $(use_enable xxhash)
+ $(use_enable zstd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ newconfd "${FILESDIR}"/rsyncd.conf.d rsyncd
+ newinitd "${FILESDIR}"/rsyncd.init.d-r1 rsyncd
+
+ dodoc NEWS.md README.md TODO tech_report.tex
+
+ insinto /etc
+ newins "${FILESDIR}"/rsyncd.conf-3.0.9-r1 rsyncd.conf
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/rsyncd.logrotate rsyncd
+
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}"/rsyncd.xinetd-3.0.9-r1 rsyncd
+
+ # Install stunnel helpers
+ if use stunnel ; then
+ emake DESTDIR="${D}" install-ssl-daemon
+ fi
+
+ # Install the useful contrib scripts
+ if use examples ; then
+ exeinto /usr/share/rsync
+ doexe support/*
+ rm -f "${ED}"/usr/share/rsync/{Makefile*,*.c}
+ fi
+
+ eprefixify "${ED}"/etc/{,xinetd.d}/rsyncd*
+
+ systemd_newunit "packaging/systemd/rsync.service" "rsyncd.service"
+}
+
+pkg_postinst() {
+ if grep -Eqis '^[[:space:]]use chroot[[:space:]]*=[[:space:]]*(no|0|false)' \
+ "${EROOT}"/etc/rsyncd.conf "${EROOT}"/etc/rsync/rsyncd.conf ; then
+ ewarn "You have disabled chroot support in your rsyncd.conf. This"
+ ewarn "is a security risk which you should fix. Please check your"
+ ewarn "/etc/rsyncd.conf file and fix the setting 'use chroot'."
+ fi
+ if use stunnel ; then
+ einfo "Please install \">=net-misc/stunnel-4\" in order to use stunnel feature."
+ einfo
+ einfo "You maybe have to update the certificates configured in"
+ einfo "${EROOT}/etc/stunnel/rsync.conf"
+ fi
+ if use system-zlib ; then
+ ewarn "Using system-zlib is incompatible with <rsync-3.1.1 when"
+ ewarn "using the --compress option."
+ ewarn
+ ewarn "When syncing with >=rsync-3.1.1 built with bundled zlib,"
+ ewarn "and the --compress option, add --new-compress (-zz)."
+ ewarn
+ ewarn "For syncing the portage tree, add:"
+ ewarn "PORTAGE_RSYNC_EXTRA_OPTS=\"--new-compress\" to make.conf"
+ fi
+}
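Review bot: The `use chroot` detection in pkg_postinst matches only when the parameter is preceded by exactly one whitespace character, because `^[[:space:]]` carries no quantifier; a line at column 0 or indented with several spaces is not matched and the disabled-chroot warning is silently skipped. Use `'^[[:space:]]*use chroot[[:space:]]*=[[:space:]]*(no|0|false)'` so any amount of leading whitespace is accepted. The ewarn text names only /etc/rsyncd.conf although the grep also inspects "${EROOT}"/etc/rsync/rsyncd.conf; mentioning both files in the message would avoid pointing the admin at the wrong one. This block looks carried forward from the earlier revisions of the ebuild, so the same pattern presumably needs fixing there if they stay in the tree.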