OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Christoph Schug Root: /v/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-src Date: 18-Aug-2007 20:50:39 Branch: HEAD Handle: 2007081819503900 Modified files: openpkg-src/rsync rsync.patch rsync.spec Log: security fix regarding CVE-2007-4091 Summary: Revision Changes Path 1.24 +67 -0 openpkg-src/rsync/rsync.patch 1.89 +1 -1 openpkg-src/rsync/rsync.spec ____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/rsync/rsync.patch
============================================================================
$ cvs diff -u -r1.23 -r1.24 rsync.patch
--- openpkg-src/rsync/rsync.patch 8 Nov 2006 08:36:12 -0000 1.23
+++ openpkg-src/rsync/rsync.patch 18 Aug 2007 18:50:39 -0000 1.24
@@ -49,3 +49,70 @@
 #define RSYNC_PORT 873
+________________________________________________________________________
+
+Security fix regarding CVE-2007-4091
+ o http://secunia.com/cve_reference/CVE-2007-4091/
+ o http://www.suse.de/%7Ekrahmer/rsync-2.6.9-fname-obo.diff
+
+Index: sender.c
+--- sender.c.orig 2006-09-20 03:53:32.000000000 +0200
++++ sender.c 2007-07-25 15:33:05.000000000 +0200
+@@ -123,6 +123,7 @@
+ char fname[MAXPATHLEN];
+ struct file_struct *file;
+ unsigned int offset;
++ size_t l = 0;
+
+ if (ndx < 0 || ndx >= the_file_list->count)
+ return;
+@@ -133,6 +134,20 @@
+ file->dir.root, "/", NULL);
+ } else
+ offset = 0;
++
++ l = offset + 1;
++ if (file) {
++ if (file->dirname)
++ l += strlen(file->dirname);
++ if (file->basename)
++ l += strlen(file->basename);
++ }
++
++ if (l >= sizeof(fname)) {
++ rprintf(FERROR, "Overlong pathname\n");
++ exit_cleanup(RERR_FILESELECT);
++ }
++
+ f_name(file, fname + offset);
+ if (remove_source_files) {
+ if (do_unlink(fname) == 0) {
+@@ -224,6 +239,7 @@
+ enum logcode log_code = log_before_transfer ? FLOG : FINFO;
+ int f_xfer = write_batch < 0 ? batch_fd : f_out;
+ int i, j;
++ size_t l = 0;
+
+ if (verbose > 2)
+ rprintf(FINFO, "send_files starting\n");
+@@ -259,6 +275,20 @@
+ fname[offset++] = '/';
+ } else
+ offset = 0;
++
++ l = offset + 1;
++ if (file) {
++ if (file->dirname)
++ l += strlen(file->dirname);
++ if (file->basename)
++ l += strlen(file->basename);
++ }
++
++ if (l >= sizeof(fname)) {
++ rprintf(FERROR, "Overlong pathname\n");
++ exit_cleanup(RERR_FILESELECT);
++ }
++
+ fname2 = f_name(file, fname + offset);
+
+ if (verbose > 2)
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/rsync/rsync.spec
============================================================================
$ cvs diff -u -r1.88 -r1.89 rsync.spec
--- openpkg-src/rsync/rsync.spec 1 Jan 2007 17:41:33 -0000 1.88
+++ openpkg-src/rsync/rsync.spec 18 Aug 2007 18:50:39 -0000 1.89
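Review bot: The length check this commit adds to sender.c through rsync.patch (inner hunks at 133 and 259) is open-coded twice with no comment on its arithmetic, so the pairing of `l = offset + 1` with `>=` is easy to break in a later edit. Assuming f_name() writes dirname, a '/' separator, basename and a terminating NUL at `fname + offset`, the `+ 1` covers one of the two extra bytes and the `>=` the other; a shared static helper carrying that explanation would keep both call sites in step. In the inner hunk at 259 the context line `fname[offset++] = '/';` stores into fname before the new check runs, so the check does not bound that store; whether offset is already limited at that point is decided outside the hunk. Both enclosing functions start and end outside the hunks shown.

```c
/* True when offset + dirname + '/' + basename + NUL fits in bufsize bytes.
 * Assumes f_name() emits exactly that layout -- confirm against f_name(). */
static int fname_fits(const struct file_struct *file, size_t offset, size_t bufsize)
{
	/* One extra byte is counted here; the other is covered by '<' below. */
	size_t need = offset + 1;

	if (file) {
		if (file->dirname)
			need += strlen(file->dirname);
		if (file->basename)
			need += strlen(file->basename);
	}
	return need < bufsize;
}

/* ... unchanged: computation of offset from file->dir.root ... */
if (!fname_fits(file, offset, sizeof(fname))) {
	rprintf(FERROR, "Overlong pathname\n");
	exit_cleanup(RERR_FILESELECT);
}
/* ... unchanged: f_name(file, fname + offset) call ... */
```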
@@ -33,7 +33,7 @@
 Group: Filesystem
 License: GPL
 Version: 2.6.9
-Release: 20061221
+Release: 20070818
 # package options
 %option with_timelimit no
@@ .
______________________________________________________________________ OpenPKG http://openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org