new release 3.4.0 - critical security release

rsync.project rsync.project at gmail.com
Wed Jan 15 06:57:45 UTC 2025


The popt changes came from upstream popt. We have Solaris and FreeBSD CI
tests, along with linux, but don't have a method for testing other
platforms. If you submit a PR to fix this, please consider a way we can
test the fix in CI.
Cheers, Tridge

On Wed, 15 Jan 2025 at 14:35, <rsbecker at nexbridge.com> wrote:

> Another issue here in findme.c. strlcpy() is a BSD-only method and
> definitely not portable.
>
> Please consider other platforms when creating patches. I can provide a
> patch to this patch also.
>
> Thanks,
>
> Randall
>
> *From:* rsync <rsync-bounces at lists.samba.org> *On Behalf Of *Randall S.
> Becker via rsync
> *Sent:* January 14, 2025 6:46 PM
> *To:* 'rsync.project' <rsync.project at gmail.com>
> *Cc:* rsync at lists.samba.org
> *Subject:* RE: new release 3.4.0 - critical security release
>
> Here is my fix for the situation:
>
> *diff --git a/popt/findme.c b/popt/findme.c*
>
> *index ac4cbae..4fe8a18 100644*
>
> *--- a/popt/findme.c*
>
> *+++ b/popt/findme.c*
>
> @@ -25,12 +25,23 @@ const char * findProgramPath(const char * argv0)
>
>      if (path == NULL) return NULL;
>
>
>
>      bufsize = strlen(path) + 1;
>
> +#if defined __TANDEM
>
> +    start = pathbuf = malloc(bufsize);
>
> +#else
>
>      start = pathbuf = alloca(bufsize);
>
> +#endif
>
>      if (pathbuf == NULL) return NULL;  /* XXX can't happen */
>
>      strlcpy(pathbuf, path, bufsize);
>
>      bufsize += sizeof "/" - 1 + strlen(argv0);
>
>      buf = malloc(bufsize);
>
> +#if defined __TANDEM
>
> +    if (buf == NULL) {
>
> +       free(start);
>
> +       return NULL;    /* XXX can't happen */
>
> +    }
>
> +#else
>
>      if (buf == NULL) return NULL;      /* XXX can't happen */
>
> +#endif
>
>
>
>      chptr = NULL;
>
>      /*@-branchstate@*/
>
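Review bot: the two `/* XXX can't happen */` comments kept in the __TANDEM branch are now misleading: alloca() cannot fail, but malloc() can, so `if (pathbuf == NULL)` and the new `if (buf == NULL) { free(start); ... }` are real error paths and the comments should be dropped. The `free(start)` is correct here only because `start == pathbuf` at this point; freeing `pathbuf` instead would make the cleanup independent of the cursor. Duplicating the whole NULL check under #if/#else is also more than is needed: keep a single `if (buf == NULL)` and put only the `free()` inside the conditional.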
> @@ -39,8 +50,15 @@ const char * findProgramPath(const char * argv0)
>
>             *chptr = '\0';
>
>         snprintf(buf, bufsize, "%s/%s", start, argv0);
>
>
>
> +#if defined __TANDEM
>
> +       if (!access(buf, X_OK)) {
>
> +           free(start);
>
> +           return buf;
>
> +       }
>
> +#else
>
>         if (!access(buf, X_OK))
>
>             return buf;
>
> +#endif
>
>
>
>         if (chptr)
>
>             start = chptr + 1;
>
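Review bot: `free(start)` in the __TANDEM branch frees the wrong pointer whenever the match is not in the first PATH entry: the loop advances `start = chptr + 1` (the context three lines below), so on a later iteration `start` points into the middle of the malloc'd block, and passing an interior pointer to free() is undefined behaviour, typically heap corruption or an allocator abort. Free `pathbuf`, which still holds the original allocation, instead. The #if/#else duplication of the access() check is avoidable as well: keep one `if (!access(buf, X_OK))` and make only the cleanup conditional.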
> @@ -51,5 +69,8 @@ const char * findProgramPath(const char * argv0)
>
>
>
>      free(buf);
>
>
>
> +#if defined __TANDEM
>
> +    free(start);
>
> +#endif
>
>      return NULL;
>
> }
>
>
>
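Review bot: the same pointer mistake in the fall-through cleanup: when the loop exits, `start` is either NULL (the last entry had no trailing ':'), so `free(start)` is a no-op and `pathbuf` leaks on every failed lookup, or it points just past a trailing ':' inside the block, so an interior pointer is freed. `free(pathbuf)` handles both cases. Since the earlier mail in this thread already argues that malloc/free is the more portable choice, dropping alloca() unconditionally would remove all three __TANDEM blocks and the duplicated branches with them.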
> I would respectfully ask that it be included ASAP.
>
> Thanks,
>
> Randall
>
> *From:* rsync <rsync-bounces at lists.samba.org> *On Behalf Of *Randall S.
> Becker via rsync
> *Sent:* January 14, 2025 6:09 PM
> *To:* 'rsync.project' <rsync.project at gmail.com>
> *Cc:* rsync at lists.samba.org
> *Subject:* RE: new release 3.4.0 - critical security release
>
> This happens on NonStop x86 and ia64. I have been building/packaging Rsync
> for years – almost a decade in fact. I think this happened once before this
> year, in fact.
>
> It is equivalent to the more portable malloc/free, which I would prefer to
> have in this series even if it has to be wrapped in a #if defined
> (__TANDEM) block.
>
> This call is considered not portable and allocates on the stack instead of
> the heap. This can cause performance issues as memory management on the
> heap is generally given more attention by runtimes. The reason it is not
> supported on NonStop is that the c99 compiler does not generate code for
> allocating on the stack on this machine.
>
> Please forgive me here, but adding a new dependency for a critical
> security fix is rather painful.
>
> --Randall
>
> *From:* rsync.project <rsync.project at gmail.com>
> *Sent:* January 14, 2025 4:31 PM
> *To:* rsbecker at nexbridge.com
> *Cc:* rsync at lists.samba.org
> *Subject:* Re: new release 3.4.0 - critical security release
>
> the alloca comes from the new popt release. What system are you having an
> issue with?
>
> On Wed, 15 Jan 2025 at 07:16, <rsbecker at nexbridge.com> wrote:
>
> A new dependency was added since 3.3, alloca(), which is not portable. Is
> there a way around this?
>
> Thanks,
>
> Randall
>
> *From:* rsync <rsync-bounces at lists.samba.org> *On Behalf Of *rsync.project
> via rsync
> *Sent:* January 14, 2025 2:49 PM
> *To:* rsync-announce at lists.samba.org
> *Cc:* rsync at lists.samba.org
> *Subject:* new release 3.4.0 - critical security release
>
> We have just released version 3.4.0 of rsync. This release fixes 6
> security vulnerabilities found by two groups of security researchers.
>
> You can find the new release links here:
>
>  - https://rsync.samba.org/
>  - https://download.samba.org/pub/rsync/src/
>
> For details on the vulnerabilities please see this CERT advisory:
>
> https://kb.cert.org/vuls/id/952657
>
> The various distros should be doing security releases today.
>
> Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at
> Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for
> discovering these vulnerabilities and working with the rsync project to
> develop and test fixes.
>
> Also many thanks to Wayne Davison for assisting with the release process
> as this is the first release I've done since 2002 when Wayne took over as
> the rsync maintainer.
>
> Andrew Tridgell
>
> rsync maintainer (again!)
>
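The malloc/free form of findProgramPath() that the quoted mails ask for, written out as an added example that is not popt's, rsync's or any poster's code: alloca() and strlcpy() are gone on every platform, and the cleanup frees only the base pointer `pathbuf`, never the cursor `start` that the loop advances. The `path` parameter and the `exec_check_fn` predicate (with the constructed `exec_check_demo` stub) are assumptions made so the routine can be exercised without getenv() or a real filesystem.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Predicate type so the real access(2) test can be swapped for a stub. */
typedef int (*exec_check_fn)(const char *candidate);

/* Production check: is the candidate executable by this process? */
int exec_check_access(const char *candidate) { return access(candidate, X_OK) == 0; }

/* Constructed stand-in for the filesystem (demo and test only): exactly one
 * path is treated as executable. */
int exec_check_demo(const char *candidate) { return strcmp(candidate, "/opt/bin/rsync") == 0; }

/* Heap-only variant of popt's findProgramPath(): returns a malloc'd "dir/argv0"
 * for the first PATH entry where is_exec() succeeds, else NULL. 'path' is the
 * PATH string, passed in (hypothetical parameter) rather than read with
 * getenv() so the routine can run offline. The caller frees the result. */
char *find_program_path(const char *argv0, const char *path, exec_check_fn is_exec)
{
    char *pathbuf, *start, *chptr, *buf = NULL, *result = NULL;
    size_t bufsize;

    if (argv0 == NULL || path == NULL) return NULL;
    if (strchr(argv0, '/')) return strdup(argv0);   /* already a path: copy it */

    bufsize = strlen(path) + 1;
    pathbuf = malloc(bufsize);            /* heap, not alloca(): portable */
    if (pathbuf == NULL) return NULL;     /* a real failure path, not "can't happen" */
    memcpy(pathbuf, path, bufsize);       /* exact size, so no strlcpy() needed */

    bufsize += sizeof "/" - 1 + strlen(argv0);
    buf = malloc(bufsize);
    if (buf == NULL) goto out;

    start = pathbuf;                      /* cursor: advanced below, never freed */
    do {
        if ((chptr = strchr(start, ':')) != NULL) *chptr = '\0';
        snprintf(buf, bufsize, "%s/%s", start, argv0);
        if (is_exec(buf)) { result = buf; buf = NULL; break; }  /* hand buf out */
        start = chptr ? chptr + 1 : NULL;
    } while (start && *start);

out:
    free(buf);      /* NULL on success; free(NULL) is a no-op */
    free(pathbuf);  /* always the base pointer: no interior-pointer free, no leak */
    return result;
}
```

Pass `exec_check_access` and `getenv("PATH")` for the real lookup; the stub exists only so the control flow, including the trailing-':' exit, can be checked without touching the filesystem.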