From fb448f87c0b3906b91d453451083dc003ac94ebe Mon Sep 17 00:00:00 2001 From: Matthias Schmitz Date: Mon, 5 Feb 2024 20:02:23 +0100 Subject: rsync: Fix rsync hanging when used with --relative Fixes [YOCTO #15383] This bug was introduced into upstream when fixing CVE-2022-29154. It was later discovered and fixed upstream but this fix didn't make it into poky yet. The added patch is taken from upstreams git repository: https://github.com/WayneD/rsync/commit/fabef23bea6e9963c06e218586fda1a823e3c6bf Signed-off-by: Matthias Schmitz Signed-off-by: Steve Sakoman --- ...ix-relative-when-copying-an-absolute-path.patch | 31 ++++++++++++++++++++++ meta/recipes-devtools/rsync/rsync_3.1.3.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch (limited to 'meta') diff --git a/meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch b/meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch new file mode 100644 index 0000000000..b2e02dba97 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch @@ -0,0 +1,31 @@ +From fabef23bea6e9963c06e218586fda1a823e3c6bf Mon Sep 17 00:00:00 2001 +From: Wayne Davison +Date: Mon, 8 Aug 2022 21:30:21 -0700 +Subject: [PATCH] Fix --relative when copying an absolute path. + +CVE: CVE-2022-29154 +Upstream-Status: Backport [https://github.com/WayneD/rsync/commit/fabef23bea6e9963c06e218586fda1a823e3c6bf] +Signed-off-by: Matthias Schmitz +--- + exclude.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/exclude.c b/exclude.c +index 2394023f..ba5ca5a3 100644 +--- a/exclude.c ++++ b/exclude.c +@@ -434,8 +434,10 @@ void add_implied_include(const char *arg) + *p++ = *cp++; + break; + case '/': +- if (p[-1] == '/') /* This is safe because of the initial slash. */ ++ if (p[-1] == '/') { /* This is safe because of the initial slash. */ ++ cp++; + break; ++ } + if (relative_paths) { + filter_rule const *ent; + int found = 0; +-- +2.39.2 + diff --git a/meta/recipes-devtools/rsync/rsync_3.1.3.bb b/meta/recipes-devtools/rsync/rsync_3.1.3.bb index a5c20dee34..c744503227 100644 --- a/meta/recipes-devtools/rsync/rsync_3.1.3.bb +++ b/meta/recipes-devtools/rsync/rsync_3.1.3.bb @@ -17,6 +17,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://CVE-2016-9842.patch \ file://CVE-2016-9843.patch \ file://CVE-2022-29154.patch \ + file://0001-Fix-relative-when-copying-an-absolute-path.patch \ " SRC_URI[md5sum] = "1581a588fde9d89f6bc6201e8129afaf" -- cgit 1.2.3-korg