From: Hitendra Prajapati <[email protected]> Pick patch from [1] also mentioned at Debian report in [2]
[1] https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c [2] https://security-tracker.debian.org/tracker/CVE-2026-41035 [3] https://nvd.nist.gov/vuln/detail/CVE-2026-41035 Signed-off-by: Hitendra Prajapati <[email protected]> Signed-off-by: Fabien Thomas <[email protected]> --- .../rsync/files/CVE-2026-41035.patch | 39 +++++++++++++++++++ meta/recipes-devtools/rsync/rsync_3.2.7.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-41035.patch diff --git a/meta/recipes-devtools/rsync/files/CVE-2026-41035.patch b/meta/recipes-devtools/rsync/files/CVE-2026-41035.patch new file mode 100644 index 0000000000..66b1b93672 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2026-41035.patch @@ -0,0 +1,39 @@ +From bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell <[email protected]> +Date: Wed, 22 Apr 2026 09:57:45 +1000 +Subject: [PATCH] xattrs: fixed count in qsort + +this fixes the count passed to the sort of the xattr list. This issue +was reported here: + +https://www.openwall.com/lists/oss-security/2026/04/16/2 + +the bug is not exploitable due to the fork-per-connection design of +rsync, the attack is the equivalent of the user closing the socket +themselves. + +CVE: CVE-2026-41035 +Upstream-Status: Backport [https://github.com/RsyncProject/rsync/commit/bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c] +Signed-off-by: Hitendra Prajapati <[email protected]> +--- + xattrs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xattrs.c b/xattrs.c +index 26e50a6..65166ee 100644 +--- a/xattrs.c ++++ b/xattrs.c +@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file) + rxa->num = num; + } + +- if (need_sort && count > 1) +- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names); ++ if (need_sort && temp_xattr.count > 1) ++ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names); + + ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */ + +-- +2.50.1 + diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 14beafb681..2a1c3d9d56 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb @@ -28,6 +28,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://CVE-2024-12088.patch \ file://CVE-2024-12747.patch \ file://CVE-2025-10158.patch \ + file://CVE-2026-41035.patch \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#236502): https://lists.openembedded.org/g/openembedded-core/message/236502 Mute This Topic: https://lists.openembedded.org/mt/119164889/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
