
rsync : Fix CVE-2017-17433, CVE-2017-17434

Change-Id: I149b1e368b07beae4c09924401be23bb4de70fa8
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4573
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Xiaolin Li <xiaolinl@vmware.com>

xiaolin-vmware authored on 2017/12/28 07:30:59
Showing 4 changed files
1 1
new file mode 100644
... ...
@@ -0,0 +1,42 @@
0
+From 3e06d40029cfdce9d0f73d87cfd4edaf54be9c51 Mon Sep 17 00:00:00 2001
1
+From: Jeriko One <jeriko.one@gmx.us>
2
+Date: Thu, 2 Nov 2017 23:44:19 -0700
3
+Subject: [PATCH] Check fname in recv_files sooner.
4
+
5
+---
6
+ receiver.c | 12 ++++++------
7
+ 1 file changed, 6 insertions(+), 6 deletions(-)
8
+
9
+diff --git a/receiver.c b/receiver.c
10
+index baae3a9..9fdafa1 100644
11
+--- a/receiver.c
12
+@@ -574,6 +574,12 @@ int recv_files(int f_in, int f_out, char *local_name)
13
+ 			file = dir_flist->files[cur_flist->parent_ndx];
14
+ 		fname = local_name ? local_name : f_name(file, fbuf);
15
+ 
16
++		if (daemon_filter_list.head
17
++		    && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
18
++			rprintf(FERROR, "attempt to hack rsync failed.\n");
19
++			exit_cleanup(RERR_PROTOCOL);
20
++		}
21
++
22
+ 		if (DEBUG_GTE(RECV, 1))
23
+ 			rprintf(FINFO, "recv_files(%s)\n", fname);
24
+ 
25
+@@ -645,12 +651,6 @@ int recv_files(int f_in, int f_out, char *local_name)
26
+ 
27
+ 		cleanup_got_literal = 0;
28
+ 
29
+-		if (daemon_filter_list.head
30
+-		    && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
31
+-			rprintf(FERROR, "attempt to hack rsync failed.\n");
32
+-			exit_cleanup(RERR_PROTOCOL);
33
+-		}
34
+-
35
+ 		if (read_batch) {
36
+ 			int wanted = redoing
37
+ 				   ? we_want_redo(ndx)
38
+-- 
39
+1.9.1
40
+
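Review bot: The relocated `check_filter(&daemon_filter_list, FLOG, fname, 0)` block in the `@@ -574` hunk has no comment saying why its position matters, and the patch header has an empty body, so the security reason for the move is not recorded anywhere in this file. The old location (removed in the `@@ -645` hunk) sat after code that is outside the hunk, and presumably some of it could act on `fname` before the daemon filter had been consulted. I would add a comment above the new `if`, for example `/* Reject names excluded by the daemon filter before any other use of fname in this iteration. */`, and a line in the patch description naming the CVE this commit addresses. The body of `recv_files` starts and ends outside both hunks, so the claim that nothing uses `fname` before line 574 needs checking against the full file.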
0 41
new file mode 100644
... ...
@@ -0,0 +1,25 @@
0
+From 5509597decdbd7b91994210f700329d8a35e70a1 Mon Sep 17 00:00:00 2001
1
+From: Jeriko One <jeriko.one@gmx.us>
2
+Date: Thu, 16 Nov 2017 17:26:03 -0800
3
+Subject: [PATCH] Check daemon filter against fnamecmp in recv_files().
4
+
5
+---
6
+ receiver.c | 2 +-
7
+ 1 file changed, 1 insertion(+), 1 deletion(-)
8
+
9
+diff --git a/receiver.c b/receiver.c
10
+index 9fdafa1..9c46242 100644
11
+--- a/receiver.c
12
+@@ -722,7 +722,7 @@ int recv_files(int f_in, int f_out, char *local_name)
13
+ 				break;
14
+ 			}
15
+ 			if (!fnamecmp || (daemon_filter_list.head
16
+-			  && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0)) {
17
++			  && check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0)) {
18
+ 				fnamecmp = fname;
19
+ 				fnamecmp_type = FNAMECMP_FNAME;
20
+ 			}
21
+-- 
22
+1.9.1
23
+
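Review bot: When `check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0` rejects the basis name, the code quietly falls back to `fnamecmp = fname`, while the `fname` check in the other receiver.c patch on this page aborts with `exit_cleanup(RERR_PROTOCOL)`. Nothing here explains that difference. A short comment would make the intent reviewable, for example `/* fnamecmp may not be the same path as fname; if the daemon filter excludes it, use fname as the basis instead of opening it. */`. For detection it is also worth confirming whether `check_filter` with `FLOG` leaves any trace of the rejected name, since the fallback itself logs nothing. The enclosing block starts outside the hunk, so how `fnamecmp` was chosen is not visible here.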
0 24
new file mode 100644
... ...
@@ -0,0 +1,36 @@
0
+From 70aeb5fddd1b2f8e143276f8d5a085db16c593b9 Mon Sep 17 00:00:00 2001
1
+From: Jeriko One <jeriko.one@gmx.us>
2
+Date: Thu, 16 Nov 2017 17:05:42 -0800
3
+Subject: [PATCH] Sanitize xname in read_ndx_and_attrs.
4
+
5
+---
6
+ rsync.c | 6 ++++++
7
+ 1 file changed, 6 insertions(+)
8
+
9
+diff --git a/rsync.c b/rsync.c
10
+index b82e598..a0945ba 100644
11
+--- a/rsync.c
12
+@@ -49,6 +49,7 @@ extern int flist_eof;
13
+ extern int file_old_total;
14
+ extern int keep_dirlinks;
15
+ extern int make_backups;
16
++extern int sanitize_paths;
17
+ extern struct file_list *cur_flist, *first_flist, *dir_flist;
18
+ extern struct chmod_mode_struct *daemon_chmod_modes;
19
+ #ifdef ICONV_OPTION
20
+@@ -396,6 +397,11 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr,
21
+ 	if (iflags & ITEM_XNAME_FOLLOWS) {
22
+ 		if ((len = read_vstring(f_in, buf, MAXPATHLEN)) < 0)
23
+ 			exit_cleanup(RERR_PROTOCOL);
24
++
25
++		if (sanitize_paths) {
26
++			sanitize_path(buf, buf, "", 0, SP_DEFAULT);
27
++			len = strlen(buf);
28
++		}
29
+ 	} else {
30
+ 		*buf = '\0';
31
+ 		len = -1;
32
+-- 
33
+1.9.1
34
+
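Review bot: The new `if (sanitize_paths)` block in `read_ndx_and_attrs` cleans the name only when that global is set and discards the return value of `sanitize_path(buf, buf, "", 0, SP_DEFAULT)`. The hunk does not say what protects the xname when `sanitize_paths` is zero. I would add a comment that records the assumption, for example `/* xname is read from the peer; sanitize it like other daemon paths before callers use it as a local filename. */`, and note that `len = strlen(buf)` is recomputed because sanitising can change the string length. This hunk only rewrites the name; any daemon-filter check on it happens elsewhere, so this patch should ship with the filter patches added in the same commit. The function body starts and ends outside the hunk.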
... ...
@@ -1,12 +1,15 @@
1 1
 Summary:        Fast incremental file transfer. 
2 2
 Name:           rsync
3 3
 Version:        3.1.2
4
-Release:        4%{?dist}
4
+Release:        5%{?dist}
5 5
 License:        GPLv3+
6 6
 URL:            https://rsync.samba.org/
7 7
 Source0:        https://download.samba.org/pub/rsync/src/%{name}-%{version}.tar.gz
8 8
 %define sha1    rsync=0d4c7fb7fe3fc80eeff922a7c1d81df11dbb8a1a
9 9
 Patch0:         rsync-CVE-2017-16548.patch
10
+Patch1:         rsync-CVE-2017-17433.patch
11
+Patch2:         rsync-CVE-2017-17434-1.patch
12
+Patch3:         rsync-CVE-2017-17434-2.patch
10 13
 Group:          Appication/Internet
11 14
 Vendor:         VMware, Inc.
12 15
 Distribution:   Photon
... ...
@@ -17,6 +20,9 @@ Rsync is a fast and extraordinarily versatile file copying tool. It can copy loc
17 17
 %prep
18 18
 %setup -q
19 19
 %patch0 -p1
20
+%patch1 -p1
21
+%patch2 -p1
22
+%patch3 -p1
20 23
 %build
21 24
 %configure --prefix=/usr
22 25
 make %{?_smp_mflags}
... ...
@@ -56,6 +62,8 @@ make %{?_smp_mflags} check
56 56
 %{_libdir}/systemd/system/rsyncd.service
57 57
 %{_sysconfdir}/rsyncd.conf
58 58
 %changelog
59
+*   Wed Dec 27 2017 Xiaolin Li <xiaolinl@vmware.com> 3.1.2-5
60
+-   Fix CVE-2017-17433, CVE-2017-17434
59 61
 *   Wed Nov 29 2017 Xiaolin Li <xiaolinl@vmware.com> 3.1.2-4
60 62
 -   Fix CVE-2017-16548
61 63
 *   Wed Oct 05 2016 ChangLee <changlee@vmware.com> 3.1.2-3