OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Thomas Lotterer
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   21-May-2004 18:06:04
  Branch: OPENPKG_1_3_SOLID                Handle: 2004052117060400

  Modified files:           (Branch: OPENPKG_1_3_SOLID)
    openpkg-src/rsync       rsync.patch rsync.spec

  Log:
    SA-2004.025-rsync; CAN-2004-0426

  Summary:
    Revision    Changes     Path
    1.3.2.1.2.2 +75 -0      openpkg-src/rsync/rsync.patch
    1.39.2.3.2.3+1  -1      openpkg-src/rsync/rsync.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/rsync/rsync.patch
  ============================================================================
  $ cvs diff -u -r1.3.2.1.2.1 -r1.3.2.1.2.2 rsync.patch
  --- openpkg-src/rsync/rsync.patch     4 Dec 2003 15:41:42 -0000       1.3.2.1.2.1
  +++ openpkg-src/rsync/rsync.patch     21 May 2004 16:06:04 -0000      1.3.2.1.2.2
  @@ -579,3 +579,78 @@
   +            return malloc(size * num);
   +    return realloc(ptr, size * num);
   +}
  +
  +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
  +    rsync before 2.6.1 does not properly sanitize paths when running
  +    a read/write daemon without using chroot, which allows remote
  +    attackers to write files outside of the module's path.
  +
  +Index: util.c
  +--- util.c.256       2003-01-19 22:37:11.000000000 +0100
  ++++ util.c   2004-05-21 15:16:56.000000000 +0200
  +@@ -699,7 +692,7 @@
  + }
  + 
  + 
  +-static char curr_dir[MAXPATHLEN];
  ++char curr_dir[MAXPATHLEN];
  + 
  + /**
  +  * Like chdir() but can be reversed with pop_dir() if @p save is set.
  +
  +Index: options.c
  +--- options.c.256    2003-01-28 04:11:57.000000000 +0100
  ++++ options.c        2004-05-21 14:40:47.000000000 +0200
  +@@ -21,6 +21,8 @@
  + #include "rsync.h"
  + #include "popt.h"
  + 
  ++extern int sanitize_paths;
  ++extern char curr_dir[MAXPATHLEN];
  + int make_backups = 0;
  + 
  + /**
  +@@ -450,6 +452,7 @@
  + {
  +     int opt;
  +     char *ref = lp_refuse_options(module_id);
  ++    char *arg;
  +         poptContext pc;
  + 
  +         /* TODO: Call poptReadDefaultConfig; handle errors. */
  +@@ -504,11 +507,17 @@
  +                     break;
  + 
  +             case OPT_EXCLUDE_FROM:
  +-                    add_exclude_file(poptGetOptArg(pc), 1, 0);
  ++                    arg = (char *)poptGetOptArg(pc);
  ++                    if (sanitize_paths)
  ++                            sanitize_path(arg, curr_dir);
  ++                    add_exclude_file(arg, 1, 0);
  +                     break;
  + 
  +             case OPT_INCLUDE_FROM:
  +-                    add_exclude_file(poptGetOptArg(pc), 1, 1);
  ++                    arg = (char *)poptGetOptArg(pc);
  ++                    if (sanitize_paths)
  ++                            sanitize_path(arg, curr_dir);
  ++                    add_exclude_file(arg, 1, 1);
  +                     break;
  + 
  +             case OPT_WHOLE_FILE:
  +@@ -637,6 +646,15 @@
  +         else
  +                 *argc = 0;
  + 
  ++    if (sanitize_paths) {
  ++            if (tmpdir)
  ++                    sanitize_path(tmpdir, curr_dir);
  ++            if (compare_dest)
  ++                    sanitize_path(compare_dest, curr_dir);
  ++            if (backup_dir)
  ++                    sanitize_path(backup_dir, curr_dir);
  ++    }
  ++
  +     return 1;
  + }
  + 
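Review bot: The `arg = (char *)poptGetOptArg(pc);` lines in the OPT_EXCLUDE_FROM and OPT_INCLUDE_FROM cases cast away the qualifier on popt's return value so that sanitize_path() can rewrite the option text in place; that is only safe if sanitize_path() never lengthens its argument, which this hunk does not show, so a one-line comment stating that assumption (`/* sanitize_path() rewrites in place and only shortens the string */`) would help the next reader of the backport. The embedded patch also gives no hint which upstream release it was lifted from; since the CVE text on the page says the issue is fixed in rsync 2.6.1, a header line such as `Backport of the rsync 2.6.1 sanitize_path() fix for CAN-2004-0426 (options.c, util.c)` above the `Index: util.c` line would let the patch be dropped confidently on the next version upgrade. The function in options.c that both the `char *arg;` declaration and the trailing `if (sanitize_paths)` block belong to starts and ends outside this hunk.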
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/rsync/rsync.spec
  ============================================================================
  $ cvs diff -u -r1.39.2.3.2.2 -r1.39.2.3.2.3 rsync.spec
  --- openpkg-src/rsync/rsync.spec      4 Dec 2003 15:41:42 -0000       1.39.2.3.2.2
  +++ openpkg-src/rsync/rsync.spec      21 May 2004 16:06:04 -0000      1.39.2.3.2.3
  @@ -33,7 +33,7 @@
   Group:        Filesystem
   License:      GPL
   Version:      2.5.6
  -Release:      1.3.1
  +Release:      1.3.2
   
   #   list of sources
   Source0:      http://rsync.samba.org/ftp/rsync/rsync-%{version}.tar.gz
  @@ .