From: Liyin Zhang <[email protected]>

CVE-2025-10158:
A malicious client acting as the receiver of an rsync file transfer can trigger 
an out of bounds read of a heap based buffer, via a negative array index. The 
malicious rsync client requires at least read access to the remote rsync module 
in order to trigger the issue.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2025-10158]

Upstream patch:
[https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f]

Signed-off-by: Liyin Zhang <[email protected]>
---
 .../rsync/files/CVE-2025-10158.patch          | 36 +++++++++++++++++++
 meta/recipes-devtools/rsync/rsync_3.4.1.bb    |  1 +
 2 files changed, 37 insertions(+)
 create mode 100644 meta/recipes-devtools/rsync/files/CVE-2025-10158.patch

diff --git a/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch 
b/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
new file mode 100644
index 0000000000..1c5661d35b
--- /dev/null
+++ b/meta/recipes-devtools/rsync/files/CVE-2025-10158.patch
@@ -0,0 +1,36 @@
+From c2ff1647b1d9a0b92b73af106ce133490306e886 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <[email protected]>
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: [PATCH] fixed an invalid access to files array
+
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+
+Many thanks to Calum and Rapid7 for finding and reporting this
+
+CVE: CVE-2025-10158
+
+Upstream-Status: Backport 
[https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f]
+
+Signed-off-by: Liyin Zhang <[email protected]>
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sender.c b/sender.c
+index a4d46c39..b1588b70 100644
+--- a/sender.c
++++ b/sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+ 
+               if (ndx - cur_flist->ndx_start >= 0)
+                       file = cur_flist->files[ndx - cur_flist->ndx_start];
++              else if (cur_flist->parent_ndx < 0)
++                      exit_cleanup(RERR_PROTOCOL);
+               else
+                       file = dir_flist->files[cur_flist->parent_ndx];
+               if (F_PATHNAME(file)) {
+-- 
+2.51.2
+
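Review bot: In the sender.c change, the added `else if (cur_flist->parent_ndx < 0)` branch rejects only a negative parent index. Within these lines neither `cur_flist->files[ndx - cur_flist->ndx_start]` nor `dir_flist->files[cur_flist->parent_ndx]` has an upper-bound check, so please confirm that `ndx` is validated against the file list bounds earlier in send_files() in the 3.4.1 sources this backport applies to. Separately, the Upstream-Status tag in the embedded patch header is split across two lines as shown here, and the continuation carrying the commit URL has no leading `+`, which would not match the 36-line hunk count; keep the tag and URL on one line in the submitted patch.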
diff --git a/meta/recipes-devtools/rsync/rsync_3.4.1.bb 
b/meta/recipes-devtools/rsync/rsync_3.4.1.bb
index 2cf87d379a..6de30d337d 100644
--- a/meta/recipes-devtools/rsync/rsync_3.4.1.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.4.1.bb
@@ -15,6 +15,7 @@ SRC_URI = 
"https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
            file://makefile-no-rebuild.patch \
            file://determism.patch \
            file://0001-Add-missing-prototypes-to-function-declarations.patch \
+           file://CVE-2025-10158.patch \
            "
 SRC_URI[sha256sum] = 
"2924bcb3a1ed8b551fc101f740b9f0fe0a202b115027647cf69850d65fd88c52"
 
-- 
2.34.1
