Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1517026878206150"
MIME-Version: 1.0
Date: Sat, 27 Jan 2018 04:21:18 +0000
From: "Soren Jacobsen" <snj@netbsd.org>
Subject: CVS commit: pkgsrc/net/rsync
To: pkgsrc-changes@NetBSD.org
Reply-To: snj@netbsd.org
Message-Id: <20180127042118.62E38FBDE@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
Precedence: bulk

This is a multi-part message in MIME format.

--_----------=_1517026878206150
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:	pkgsrc
Committed By:	snj
Date:		Sat Jan 27 04:21:18 UTC 2018

Modified Files:
	pkgsrc/net/rsync: Makefile distinfo
Added Files:
	pkgsrc/net/rsync/patches: patch-options.c

Log Message:
Fix CVE-2018-5764.

Bump PKGREVISION to 3.


To generate a diff of this commit:
cvs rdiff -u -r1.106 -r1.107 pkgsrc/net/rsync/Makefile
cvs rdiff -u -r1.46 -r1.47 pkgsrc/net/rsync/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/net/rsync/patches/patch-options.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_1517026878206150
Content-Disposition: inline
Content-Length: 2713
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/net/rsync/Makefile
diff -u pkgsrc/net/rsync/Makefile:1.106 pkgsrc/net/rsync/Makefile:1.107
--- pkgsrc/net/rsync/Makefile:1.106	Sun Dec 31 20:55:43 2017
+++ pkgsrc/net/rsync/Makefile	Sat Jan 27 04:21:18 2018
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.106 2017/12/31 20:55:43 snj Exp $
+# $NetBSD: Makefile,v 1.107 2018/01/27 04:21:18 snj Exp $
 
 DISTNAME=	rsync-3.1.2
-PKGREVISION=	2
+PKGREVISION=	3
 CATEGORIES=	net
 MASTER_SITES=	http://rsync.samba.org/ftp/rsync/
 MASTER_SITES+=	http://rsync.samba.org/ftp/rsync/old-versions/

Index: pkgsrc/net/rsync/distinfo
diff -u pkgsrc/net/rsync/distinfo:1.46 pkgsrc/net/rsync/distinfo:1.47
--- pkgsrc/net/rsync/distinfo:1.46	Sun Dec 31 20:55:43 2017
+++ pkgsrc/net/rsync/distinfo	Sat Jan 27 04:21:18 2018
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.46 2017/12/31 20:55:43 snj Exp $
+$NetBSD: distinfo,v 1.47 2018/01/27 04:21:18 snj Exp $
 
 SHA1 (rsync-3.1.2.tar.gz) = 0d4c7fb7fe3fc80eeff922a7c1d81df11dbb8a1a
 RMD160 (rsync-3.1.2.tar.gz) = f7d6c0c9752af8d9eb933cffc6032c1763490a04
@@ -7,6 +7,7 @@ Size (rsync-3.1.2.tar.gz) = 892724 bytes
 SHA1 (patch-Makefile.in) = df3479e93de86524a391433a3d6e6108a797835a
 SHA1 (patch-ab) = 98aa07a50314e3309b48f803d6febb1138eae1f2
 SHA1 (patch-authenticate.c) = 0612fb141cea1509b882df78f1b90fa52b1092b0
+SHA1 (patch-options.c) = f5c163f457bf108cd9646d09f1253583326cc000
 SHA1 (patch-receiver.c) = 5bf0b7ceaaf79e0fd5f93e1c433162e9248fe37c
 SHA1 (patch-rsync.c) = e390038a9592d9bc3e77ebc2aabfa62bdd6778b3
 SHA1 (patch-xattrs.c) = 9883ea79a60c786dd5a3dc74f4872621823c9377

Added files:

Index: pkgsrc/net/rsync/patches/patch-options.c
diff -u /dev/null pkgsrc/net/rsync/patches/patch-options.c:1.1
--- /dev/null	Sat Jan 27 04:21:18 2018
+++ pkgsrc/net/rsync/patches/patch-options.c	Sat Jan 27 04:21:18 2018
@@ -0,0 +1,27 @@
+$NetBSD: patch-options.c,v 1.1 2018/01/27 04:21:18 snj Exp $
+
+Fix CVE-2018-5764.  Patch from:
+
+https://git.samba.org/rsync.git/?p=rsync.git;a=commitdiff;h=7706303828fcde524222babb2833864a4bd09e07
+
+--- options.c.orig	2018-01-26 20:08:22.204810417 -0800
++++ options.c	2018-01-26 20:09:37.250284871 -0800
+@@ -1294,6 +1294,7 @@ int parse_arguments(int *argc_p, const c
+ 	const char *arg, **argv = *argv_p;
+ 	int argc = *argc_p;
+ 	int opt;
++	int orig_protect_args = protect_args;
+ 
+ 	if (ref && *ref)
+ 		set_refuse_options(ref);
+@@ -1903,6 +1904,10 @@ int parse_arguments(int *argc_p, const c
+ 	if (fuzzy_basis > 1)
+ 		fuzzy_basis = basis_dir_cnt + 1;
+ 
++	/* Don't let the client reset protect_args if it was already processed */
++	if (orig_protect_args == 2 && am_server)
++		protect_args = orig_protect_args;
++
+ 	if (protect_args == 1 && am_server)
+ 		return 1;
+ 


--_----------=_1517026878206150--