Release the fix for the argv use-after-free issue with popt 1.19?

2024-02-02 Thread Matt McCutchen via rsync
I'm using Fedora 38's rsync-3.2.7-2.fc38.x86_64 package, and the other
day, I noticed that one of my backup scripts was creating directories
with garbage names.  Eventually I tracked the problem down to the argv
use-after-free issue with popt 1.19 that was fixed in commit
8990ad96de881f7332d16d32485f9d8b841a87d2.  That fix has not been
released.  Is an rsync release coming any time soon?  If not, I'll ask
Fedora to consider adding the individual patch to their package.  (And
in the meantime, I've switched to using my own rsync 3.2.7 package with
the patch.)

Thanks,
Matt

-- 
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html


Skip source files that differ from existing destination files with a warning?

2020-09-17 Thread Matt McCutchen via rsync
Hi again, rsync list!  I was heavily involved in rsync development and
support back in 2005-2010.  I've largely lost interest in that now and
my knowledge of rsync is beginning to become stale, but I'm still a big
fan and user of rsync, so I'm back with a user question. :)  I did
search the web and didn't find anything relevant.

I have a scenario in which regular files are created in a source
directory over time and shouldn't change after creation.  I run rsync
periodically to copy the source to a destination, and if a source file
differs from an existing destination file, I want rsync to warn me and
not transfer it.

For the "not transfer" part, I can use --ignore-existing, but I don't
see a direct way to be warned only about source files that differ from
existing destination files.  If I use --info=SKIP1, rsync warns about
all source files that exist on the destination, whether or not they
differ.  So as a workaround, after the --ignore-existing run, I'm using
a separate dry run without --ignore-existing to warn about any
remaining differences.

Is there a better solution?  Do people think that filing an enhancement
request to show the --ignore-existing warning only for files with
itemizable differences would be justified?

My reading of the code also suggests that if the sender is malicious,
--ignore-existing will not stop the receiver from processing a transfer
of an existing destination file initiated by the sender, though I
haven't attempted an actual test to confirm this.  I can work around
this security gap by transferring from the source to a temporary
directory and then from there to the destination; in the second step,
my local version of rsync serves as both sender and receiver, so there
is no risk.  I suspect several other rsync options may similarly not be
enforced against a malicious peer.  Is this worth fixing?

Thanks,
Matt
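
The two workarounds described in this message (staging the untrusted transfer, then a local --ignore-existing copy followed by a dry run to find differing files), combined as an added example; it is not part of the original post or of rsync itself. The function names, directory layout and sample files are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Names and paths are hypothetical.

# sync_new_only SRC STAGE DST
#   1. Pull SRC into STAGE. This is the only step that talks to the
#      (possibly untrusted) sender, and it never touches DST.
#   2. Copy STAGE to DST locally with --ignore-existing, so the local rsync
#      is both sender and receiver and existing files are not replaced.
#   3. Dry-run STAGE against DST and print, one per line, the regular files
#      that would still be transferred, i.e. those that differ from DST.
# The dry run uses rsync's default quick check (size and mtime); add -c to
# step 3 to compare checksums instead.
sync_new_only() {
    src=$1 stage=$2 dst=$3
    rsync -a "$src/" "$stage/" || return 1
    rsync -a --ignore-existing "$stage/" "$dst/" || return 1
    # %i is the itemized-change string, %n the file name; ">f" marks a
    # regular file that would be transferred to the receiver.
    rsync -a -n --out-format='%i %n' "$stage/" "$dst/" |
        sed -n 's/^>f[^ ]* //p'
}

# Constructed sample data: a.txt exists on both sides with different
# content, b.txt exists only on the source.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/src" "$t/stage" "$t/dst"
    echo "original" > "$t/dst/a.txt"
    echo "changed on source" > "$t/src/a.txt"
    echo "new file" > "$t/src/b.txt"
    sync_new_only "$t/src" "$t/stage" "$t/dst" |
        while IFS= read -r f; do
            echo "WARNING: $f differs from destination, not transferred" >&2
        done
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with `--demo` to see the warning for a.txt while b.txt is copied normally.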

