
  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-src                      Date:   15-Aug-2004 11:53:21
  Branch: HEAD                             Handle: 2004081510532100

  Modified files:
    openpkg-src/rsync       rsync.patch rsync.spec

  Log:
    apply security fix

  Summary:
    Revision    Changes     Path
    1.10        +27 -0      openpkg-src/rsync/rsync.patch
    1.68        +1  -1      openpkg-src/rsync/rsync.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/rsync/rsync.patch
  ============================================================================
  $ cvs diff -u -r1.9 -r1.10 rsync.patch
  --- openpkg-src/rsync/rsync.patch     3 May 2004 14:13:25 -0000       1.9
  +++ openpkg-src/rsync/rsync.patch     15 Aug 2004 09:53:21 -0000      1.10
  @@ -40,3 +40,30 @@
                lastdir_len = -1;
    
        if (strlcpy(thisname, fname, sizeof thisname)
  +
  +=============================================================================
  +
  +Security Fix:
  +
  +There is a path-sanitizing bug that affects daemon mode in all recent
  +rsync versions (including 2.6.2) but only if chroot is disabled. It
  +does NOT affect the normal send/receive filenames that specify what
  +files should be transferred (this is because these names happen to get
  +sanitized twice, and thus the second call removes any lingering leading
  +slash(es) that the first call left behind). It does affect certain
  +option paths that cause auxilliary files to be read or written. One
  +potential fix that doesn't require recompiling rsync is to set "use
  +chroot = true" for all the modules in the rsyncd.conf file.
  +
  +Index: util.c
  +--- util.c.orig      2004-04-27 21:59:37 +0200
  ++++ util.c   2004-08-15 11:45:47 +0200
  +@@ -743,7 +743,7 @@
  +                             allowdotdot = 1;
  +                     } else {
  +                             p += 2;
  +-                            if (*p == '/')
  ++                            while (*p == '/')
  +                                     p++;
  +                             if (sanp != start) {
  +                                     /* back up sanp one level */
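Review bot: The new preamble in rsync.patch explains the bug and the "use chroot = true" workaround but records neither where the util.c change comes from nor which upstream rsync release carries it, so when a newer rsync is packaged nobody can tell from the file whether this hunk is still needed; add a line under `Security Fix:` such as `Origin: upstream rsync fix, see <upstream advisory or changelog reference>`, and the spelling `auxilliary` should be `auxiliary`. The code change itself is the one-line switch from `if (*p == '/')` to `while (*p == '/')` after `p += 2`, which makes the `..` handling consume every slash that follows instead of just one, consistent with the "lingering leading slash(es)" the preamble describes. The path-sanitizing function this hunk patches starts and ends outside the nested util.c hunk, so whether the `allowdotdot = 1` branch just above needs the same treatment cannot be judged from here and is worth confirming against upstream.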
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/rsync/rsync.spec
  ============================================================================
  $ cvs diff -u -r1.67 -r1.68 rsync.spec
  --- openpkg-src/rsync/rsync.spec      6 Jul 2004 11:18:28 -0000       1.67
  +++ openpkg-src/rsync/rsync.spec      15 Aug 2004 09:53:21 -0000      1.68
  @@ -34,7 +34,7 @@
   Group:        Filesystem
   License:      GPL
   Version:      2.6.2
  -Release:      20040706
  +Release:      20040815
   
   #   package options
   %option       with_timelimit  no
  @@ .