patch for CVE-2017-16548, mitigation for weak checksumsdiff -r1.104 -r1.105 pkgsrc/net/rsync/Makefile
(spz)
| @@ -1,33 +1,36 @@ | @@ -1,33 +1,36 @@ | |||
| 1 | # $NetBSD: Makefile,v 1.104 2017/01/19 18:52:20 agc Exp $ | 1 | # $NetBSD: Makefile,v 1.105 2017/11/10 06:59:16 spz Exp $ | |
| 2 | 2 | |||
| 3 | DISTNAME= rsync-3.1.2 | 3 | DISTNAME= rsync-3.1.2 | |
| 4 | PKGREVISION= 1 | |||
| 4 | CATEGORIES= net | 5 | CATEGORIES= net | |
| 5 | MASTER_SITES= http://rsync.samba.org/ftp/rsync/ | 6 | MASTER_SITES= http://rsync.samba.org/ftp/rsync/ | |
| 6 | MASTER_SITES+= http://rsync.samba.org/ftp/rsync/old-versions/ | 7 | MASTER_SITES+= http://rsync.samba.org/ftp/rsync/old-versions/ | |
| 7 | MASTER_SITES+= ftp://ftp.fu-berlin.de/unix/network/rsync/ | 8 | MASTER_SITES+= ftp://ftp.fu-berlin.de/unix/network/rsync/ | |
| 8 | 9 | |||
| 9 | MAINTAINER= pkgsrc-users@NetBSD.org | 10 | MAINTAINER= pkgsrc-users@NetBSD.org | |
| 10 | HOMEPAGE= http://rsync.samba.org/ | 11 | HOMEPAGE= http://rsync.samba.org/ | |
| 11 | COMMENT= Network file distribution/synchronisation utility | 12 | COMMENT= Network file distribution/synchronisation utility | |
| 12 | LICENSE= gnu-gpl-v3 | 13 | LICENSE= gnu-gpl-v3 | |
| 13 | 14 | |||
| 14 | INSTALLATION_DIRS= bin ${PKGMANDIR}/man1 ${PKGMANDIR}/man5 share/doc/rsync | 15 | INSTALLATION_DIRS= bin ${PKGMANDIR}/man1 ${PKGMANDIR}/man5 share/doc/rsync | |
| 15 | 16 | |||
| 16 | GNU_CONFIGURE= yes | 17 | GNU_CONFIGURE= yes | |
| 17 | CONFIGURE_ARGS+= --with-included-popt | 18 | CONFIGURE_ARGS+= --with-included-popt | |
| 18 | CONFIGURE_ARGS+= --with-rsyncd-conf=${PKG_SYSCONFDIR}/rsyncd.conf | 19 | CONFIGURE_ARGS+= --with-rsyncd-conf=${PKG_SYSCONFDIR}/rsyncd.conf | |
| 19 | TEST_TARGET= test | 20 | TEST_TARGET= test | |
| 20 | 21 | |||
| 22 | USE_TOOLS+= perl | |||
| 23 | ||||
| 21 | PKG_SYSCONFSUBDIR= rsync | 24 | PKG_SYSCONFSUBDIR= rsync | |
| 22 | 25 | |||
| 23 | RCD_SCRIPTS= rsyncd | 26 | RCD_SCRIPTS= rsyncd | |
| 24 | RCD_SCRIPT_SRC.rsyncd= files/rsyncd.sh | 27 | RCD_SCRIPT_SRC.rsyncd= files/rsyncd.sh | |
| 25 | SMF_NAME= rsyncd | 28 | SMF_NAME= rsyncd | |
| 26 | 29 | |||
| 27 | SUBST_CLASSES+= paths | 30 | SUBST_CLASSES+= paths | |
| 28 | SUBST_MESSAGE.paths= Fixing hardcoded paths. | 31 | SUBST_MESSAGE.paths= Fixing hardcoded paths. | |
| 29 | SUBST_STAGE.paths= post-patch | 32 | SUBST_STAGE.paths= post-patch | |
| 30 | SUBST_FILES.paths= rsync.1 rsyncd.conf.5 | 33 | SUBST_FILES.paths= rsync.1 rsyncd.conf.5 | |
| 31 | SUBST_SED.paths= -e 's|/etc/rsyncd|${PKG_SYSCONFDIR}/rsyncd|g' | 34 | SUBST_SED.paths= -e 's|/etc/rsyncd|${PKG_SYSCONFDIR}/rsyncd|g' | |
| 32 | SUBST_SED.paths+= -e 's|/usr/bin/rsync|${PREFIX}/bin/rsync|g' | 35 | SUBST_SED.paths+= -e 's|/usr/bin/rsync|${PREFIX}/bin/rsync|g' | |
| 33 | 36 |
| @@ -1,8 +1,10 @@ | @@ -1,8 +1,10 @@ | |||
| 1 | $NetBSD: distinfo,v 1.44 2015/12/23 19:53:24 ryoon Exp $ | 1 | $NetBSD: distinfo,v 1.45 2017/11/10 06:59:16 spz Exp $ | |
| 2 | 2 | |||
| 3 | SHA1 (rsync-3.1.2.tar.gz) = 0d4c7fb7fe3fc80eeff922a7c1d81df11dbb8a1a | 3 | SHA1 (rsync-3.1.2.tar.gz) = 0d4c7fb7fe3fc80eeff922a7c1d81df11dbb8a1a | |
| 4 | RMD160 (rsync-3.1.2.tar.gz) = f7d6c0c9752af8d9eb933cffc6032c1763490a04 | 4 | RMD160 (rsync-3.1.2.tar.gz) = f7d6c0c9752af8d9eb933cffc6032c1763490a04 | |
| 5 | SHA512 (rsync-3.1.2.tar.gz) = 4c55fd69f436ead0cb5a0b7c6fdfef9bb28ddb9c63534eb619e756b118d5b08cfc5e696498650932c86e865b37e06633da947e6720ca0c27ed5c034313ae208b | 5 | SHA512 (rsync-3.1.2.tar.gz) = 4c55fd69f436ead0cb5a0b7c6fdfef9bb28ddb9c63534eb619e756b118d5b08cfc5e696498650932c86e865b37e06633da947e6720ca0c27ed5c034313ae208b | |
| 6 | Size (rsync-3.1.2.tar.gz) = 892724 bytes | 6 | Size (rsync-3.1.2.tar.gz) = 892724 bytes | |
| 7 | SHA1 (patch-Makefile.in) = df3479e93de86524a391433a3d6e6108a797835a | 7 | SHA1 (patch-Makefile.in) = df3479e93de86524a391433a3d6e6108a797835a | |
| 8 | SHA1 (patch-ab) = 98aa07a50314e3309b48f803d6febb1138eae1f2 | 8 | SHA1 (patch-ab) = 98aa07a50314e3309b48f803d6febb1138eae1f2 | |
| 9 | SHA1 (patch-authenticate.c) = 0612fb141cea1509b882df78f1b90fa52b1092b0 | |||
| 10 | SHA1 (patch-xattrs.c) = 9883ea79a60c786dd5a3dc74f4872621823c9377 |
$NetBSD: patch-authenticate.c,v 1.3 2017/11/10 06:59:16 spz Exp $
3.1.2 is not vulnerable to CVE-2017-15994, the code is different,
but not allowing fallback to MD4 for passwords is a good idea by now.
Patch from
https://git.samba.org/?p=rsync.git;a=blobdiff;f=authenticate.c;h=a106b0f60a8cb88e37080bc5e2a58ce28c66f379;hp=d60ee20b6b53a9351efbdf175f36525ead220de6;hb=9a480deec4d20277d8e20bc55515ef0640ca1e55;hpb=c252546ceeb0925eb8a4061315e3ff0a8c55b48b
--- authenticate.c.orig 2015-08-24 18:54:00.000000000 +0000
+++ authenticate.c
@@ -22,6 +22,7 @@
#include "itypes.h"
extern int read_only;
+extern int protocol_version;
extern char *password_file;
/***************************************************************************
@@ -237,6 +238,11 @@ char *auth_server(int f_in, int f_out, i
if (!users || !*users)
return "";
+ if (protocol_version < 21) { /* Don't allow a weak checksum for the password. */
+ rprintf(FERROR, "ERROR: protocol version is too old!\n");
+ exit_cleanup(RERR_PROTOCOL);
+ }
+
gen_challenge(addr, challenge);
io_printf(f_out, "%s%s\n", leader, challenge);
$NetBSD: patch-xattrs.c,v 1.1 2017/11/10 06:59:16 spz Exp $
patch for CVE-2017-16548 from
https://git.samba.org/rsync.git/?p=rsync.git;a=blobdiff;f=xattrs.c;h=4867e6f5b8ad2934d43b06f3b99b7b3690a6dc7a;hp=68305d7559b34f5cc2f196b74429b82fa6ff49dd;hb=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1;hpb=bc112b0e7feece62ce98708092306639a8a53cce
--- xattrs.c.orig 2015-08-08 19:47:03.000000000 +0000
+++ xattrs.c
@@ -696,6 +696,10 @@ void receive_xattr(int f, struct file_st
out_of_memory("receive_xattr");
name = ptr + dget_len + extra_len;
read_buf(f, name, name_len);
+ if (name_len < 1 || name[name_len-1] != '\0') {
+ rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n");
+ exit_cleanup(RERR_FILEIO);
+ }
if (dget_len == datum_len)
read_buf(f, ptr, dget_len);
else {