On Wed Jul 8, 2026 at 7:02 AM CEST, Ashishkumar Parmar X (asparmar - E 
INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Ashishkumar Parmar <[email protected]>
>
> This patch backports the upstream rsync v3.4.3 symlink-race fix chain
> for CVE-2026-43619. The upstream NEWS entry describes this CVE as
> symlink races on path-based system calls in "use chroot = no" daemon
> mode, generalizing CVE-2026-29518 beyond the receiver's open() path.
>
> The backported commits form the following linear upstream chain:
>
> - [1] closes the receiver-side do_chmod() path.
> - [2] closes the daemon-no-chroot change_dir() escape.
> - [3] adds the remaining symlink-race-safe do_*_at() wrappers and
>   migrates the affected path-based syscall users.
> - [4] closes adjacent bare-path copy/open surfaces. Upstream titles this
>   commit "defence-in-depth", but it is in the same linear v3.4.3
>   symlink-race fix chain and Debian's rsync 3.4.1+ds1-5+deb13u3
>   security update carries it as part of the CVE-2026-43619 patch train.
>
> The v3.4.3 security train also has portability and functional follow-ups
> that were released in v3.4.4, so this CVE-scoped backport includes them
> under CVE-2026-43619:
>
> - [5] adds the mknodat()/mkfifoat() configure fallback used by the new
>   do_mknod_at() path.
> - [6] gates <linux/openat2.h> and openat2() use behind configure/runtime
>   checks so systems without the header or usable syscall fall back safely.
>
> The upstream fixed security release is referenced in [7], the v3.4.4
> follow-up release is referenced in [8], and the public advisory is
> referenced in [9]. The Debian tracker entry is referenced in [10].
> Individual backported commit links are also recorded in the embedded
> patch headers.
>
> [1] 
> https://github.com/RsyncProject/rsync/commit/862fe4eeaf82178324c66e504bf2c6c2e4038f99
> [2] 
> https://github.com/RsyncProject/rsync/commit/15d296425609a997f56eb8f9017ff73922f99b20
> [3] 
> https://github.com/RsyncProject/rsync/commit/30656c5e358b1c6033f4caf24f3e11b29d25c9f4
> [4] 
> https://github.com/RsyncProject/rsync/commit/3cc6a9e8cdcffb637ecdd41dae47833096dca317
> [5] 
> https://github.com/RsyncProject/rsync/commit/f3757a470ad3defdb2c4c6ad334e3839f3c7f1ae
> [6] 
> https://github.com/RsyncProject/rsync/commit/c14e2258b59a3f16a99c6e83a28660ba438a73e9
> [7] https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
> [8] https://github.com/RsyncProject/rsync/releases/tag/v3.4.4
> [9] 
> https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735
> [10] https://security-tracker.debian.org/tracker/CVE-2026-43619
>
> Signed-off-by: Ashishkumar Parmar <[email protected]>
> ---
>  .../rsync/files/CVE-2026-43619_p1.patch       |  471 +++++
>  .../rsync/files/CVE-2026-43619_p2.patch       |  205 ++
>  .../rsync/files/CVE-2026-43619_p3.patch       | 1783 +++++++++++++++++
>  .../rsync/files/CVE-2026-43619_p4.patch       |  568 ++++++
>  .../rsync/files/CVE-2026-43619_p5.patch       |   69 +
>  .../rsync/files/CVE-2026-43619_p6.patch       |  242 +++
>  meta/recipes-devtools/rsync/rsync_3.4.1.bb    |    6 +
>  7 files changed, 3344 insertions(+)
>  create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-43619_p1.patch
>  create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-43619_p2.patch
>  create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-43619_p3.patch
>  create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-43619_p4.patch
>  create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-43619_p5.patch
>  create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-43619_p6.patch
>
> [...]
>
> diff --git a/meta/recipes-devtools/rsync/files/CVE-2026-43619_p6.patch 
> b/meta/recipes-devtools/rsync/files/CVE-2026-43619_p6.patch
> new file mode 100644
> index 0000000000..52a0bd47d9
> --- /dev/null
> +++ b/meta/recipes-devtools/rsync/files/CVE-2026-43619_p6.patch
> @@ -0,0 +1,242 @@
> +From 94e63a8632a3c3bc10ac630a53a99ed01a82f9de Mon Sep 17 00:00:00 2001
> +From: Andrew Tridgell <[email protected]>
> +Date: Wed, 1 Jul 2026 02:40:00 -0700
> +Subject: [PATCH] build: openat2 autodetect + android probe
> +
> +configure now probes for <linux/openat2.h> + SYS_openat2 and defines
> +HAVE_OPENAT2 only when both are present. syscall.c gates the openat2
> +include and the openat2(RESOLVE_BENEATH) tier on HAVE_OPENAT2, so the
> +build no longer fails on kernels/headers that lack the openat2 header.
> +
> +The Android helper probes openat2 usability behind a SIGSYS handler so
> +the Android/Termux seccomp sandbox falls back to the portable resolver
> +instead of killing the process.
> +
> +CVE: CVE-2026-43619
> +Upstream-Status: Backport 
> [https://github.com/RsyncProject/rsync/commit/c14e2258b59a3f16a99c6e83a28660ba438a73e9]
> +
> +Backport Changes:
> +Resolved syscall.c context against Wrynose's existing
> +secure_relative_open() hardening while preserving the upstream
> +HAVE_OPENAT2 gate and runtime fallback behavior.
> +Omitted upstream explanatory comment-only additions in android.c
> +and syscall.c. No functional source changes were omitted.

Hello,

This patch was changed more that the above "Backport Changes:" section:
* Title and message were reworded.
* Thanks line removed
* Comments in added code are not in this patch
* Also, why "Omitted upstream explanatory comment-only additions in
  android.c and syscall.c"?

> +
> +(cherry picked from commit c14e2258b59a3f16a99c6e83a28660ba438a73e9)
> +Signed-off-by: Ashishkumar Parmar <[email protected]>
> +---
> + Makefile.in  | 12 +++++-----
> + android.c    | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++
> + configure.ac | 22 +++++++++++++++++
> + syscall.c    | 19 +++++++++++----
> + 4 files changed, 110 insertions(+), 11 deletions(-)
> + create mode 100644 android.c
> +
> [...]
> +diff --git a/configure.ac b/configure.ac
> +index 1d9b3713..123480e1 100644
> +--- a/configure.ac
> ++++ b/configure.ac
> +@@ -331,6 +331,28 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ ]], [[return 
> 0;]])],
> + CFLAGS="$OLD_CFLAGS"
> + AC_SUBST(NOEXECSTACK)
> + 
> ++dnl Only define HAVE_OPENAT2 when both the <linux/openat2.h> header and the
> ++dnl SYS_openat2 syscall number are present. syscall.c uses 
> openat2(RESOLVE_BENEATH)
As an example, here----------------------------^ upstream added 2
spaces, not one... Why the change?

> ++dnl for the secure resolver on Linux 5.6+; defining it unconditionally 
> broke the
> ++dnl build on older kernels/headers that lack the header (#924, #905, #900).

This series being quite big, I'll hold it until you confirm to me that
you checked upstream patch coherence for every patches added by this
series.

Finally, are you aware of our AI generated patch acceptance rules?
https://docs.yoctoproject.org/dev/contributor-guide/submit-changes.html#acceptance-of-ai-generated-code

Regards,
-- 
Yoann Congal
Smile ECS
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240624): 
https://lists.openembedded.org/g/openembedded-core/message/240624
Mute This Topic: https://lists.openembedded.org/mt/120169243/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

  • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
      • ... Yoann Congal via lists.openembedded.org

Reply via email to