From patchwork Thu Jan 23 02:59:51 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 55985 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BFA89C0218C for ; Thu, 23 Jan 2025 03:00:17 +0000 (UTC) Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) by mx.groups.io with SMTP id smtpd.web11.3130.1737601212430037376 for ; Wed, 22 Jan 2025 19:00:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=C70tlF4E; spf=softfail (domain: sakoman.com, ip: 209.85.216.42, mailfrom: steve@sakoman.com) Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-2ee989553c1so838595a91.3 for ; Wed, 22 Jan 2025 19:00:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1737601212; x=1738206012; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=bDulA8DjWSG4wLMxiRuKQu785gnRe5RyxirGJQyVPmw=; b=C70tlF4EK0WmQb0IU2eo9JsPrOD8Yx6nR5ZiaDfXtPlcjtkWwNP0SbGaG9exv3QP51 h78N/0kVQ1VTK5VqwDK89cl8H5pXkwBkI2ZcvS5cT6TtWedzk65J4jOs+x/ofGgaauiD 1sfeD9tWHkidQLIblgo7lk0d6bt4iGlujgwSqNSsWreEDJKTUXVkTatM3jrVeUKA6CV2 XM+1b1Zt98PazMo2YncYA8r2/hNjOECrSeOwNdoJ2oBCfgXPX30T/mQYugat55sM5idQ dd0tFVLEgMPjkpZDpFoIQ7ewE9Gjh6Rtcpre5DhUFJnGJ7kk2UwGxuXa8rx0LfbovTQt c+UQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737601212; x=1738206012; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bDulA8DjWSG4wLMxiRuKQu785gnRe5RyxirGJQyVPmw=; b=OEdTJQ3ux8oIH/dzORv0CnOgUCgYe0I1tBFw6kBIWIeg0J+TPLJQk8IKW3uXFnq7wl jDZHQRMNKvw2oPobM2Wcgpy4Bvjw07OrThDT/p8WrRLOrtbXSRZbZu+39QsfJLs2tIuR OHcS0bKVQ22m6lxF9Wh6/kr2GCWnMzKdkPSQonCJKJD0ucRdyW8PYAfQAQXEOm0CYnfR LGLkW4XzcSxwb6KajOr5Jpr4LVYrJ5wSvqOQqfEBu31QOjbwCAFCgzUoolhFjiNWVZOR xKnwG3g3iaTAP/kD7BW/yFYgavj5OC8VmLGsr0kYmOr1FGsxIyPvbxbdfPx2BSU6E20/ 3A3w== X-Gm-Message-State: AOJu0YzFJwxQacvhsG68OwGreR7QQEInblKRNpkpB9tRUCbPqX813eRj FkQyW32DQ3lj+zTW/DNkE49iyJF7aYwZ1G5j0aaiob557RnBuEr7ktx4vPvtsOraSYcYfrRhbNY LWlQ= X-Gm-Gg: ASbGncsb2E2d7BMP7lBIhymn0YTXF3uEo1ZvKUQiK3mo6+kCxTyOAhlTobhY++7Fpnx 8fzYCE90kGBrQJuqdiOAcgfknkdzFNtFYZkNUkidWPfnHVP7ZQ0rSL0p89IeWKFq/1qGmtA7jXf YHLFAy9csh2hGjSz3PI24bsmRSaKOYmQW+qAabPSOiCcGjc35u6RJP+O0euKbgwLR1DP+NjRaw5 jfNS+DSfdgJvdN/+hx1mfPmKvJb1QfnAtR6PS7gcxjWkTsCKz1kGKA6+dplFNU1/XvkMw== X-Google-Smtp-Source: AGHT+IHu8K1nXe6sWLBfSq57QSE+5xfbB535rxP6/gdi9fAKOSnuUkSb4eOm69gZyQJx9YEop2zndQ== X-Received: by 2002:a05:6a00:10d0:b0:72d:9cbc:730d with SMTP id d2e1a72fcca58-72dafa44d90mr35368683b3a.11.1737601211553; Wed, 22 Jan 2025 19:00:11 -0800 (PST) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72dab816accsm12048389b3a.69.2025.01.22.19.00.10 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Jan 2025 19:00:11 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 1/8] rsync: fix CVE-2024-12084 Date: Wed, 22 Jan 2025 18:59:51 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Jan 2025 03:00:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210166 From: Archana Polampalli A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../rsync/files/CVE-2024-12084-0001.patch | 156 ++++++++++++++++++ .../rsync/files/CVE-2024-12084-0002.patch | 43 +++++ meta/recipes-devtools/rsync/rsync_3.2.7.bb | 2 + 3 files changed, 201 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12084-0001.patch create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12084-0002.patch diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12084-0001.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12084-0001.patch new file mode 100644 index 0000000000..d654067fab --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12084-0001.patch @@ -0,0 +1,156 @@ +From 0902b52f6687b1f7952422080d50b93108742e53 Mon Sep 17 00:00:00 2001 +From: Wayne Davison +Date: Tue, 29 Oct 2024 22:55:29 -0700 +Subject: [PATCH] Some checksum buffer fixes. + +- Put sum2_array into sum_struct to hold an array of sum2 checksums + that are each xfer_sum_len bytes. +- Remove sum2 buf from sum_buf. +- Add macro sum2_at() to access each sum2 array element. +- Throw an error if a sums header has an s2length larger than + xfer_sum_len. + +CVE: CVE-2024-12084 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=0902b52f6687b1f7952422080d50b93108742e53] + +Signed-off-by: Archana Polampalli +--- + io.c | 3 ++- + match.c | 8 ++++---- + rsync.c | 5 ++++- + rsync.h | 4 +++- + sender.c | 4 +++- + 5 files changed, 16 insertions(+), 8 deletions(-) + +diff --git a/io.c b/io.c +index a99ac0ec..bb60eeca 100644 +--- a/io.c ++++ b/io.c +@@ -55,6 +55,7 @@ extern int read_batch; + extern int compat_flags; + extern int protect_args; + extern int checksum_seed; ++extern int xfer_sum_len; + extern int daemon_connection; + extern int protocol_version; + extern int remove_source_files; +@@ -1977,7 +1978,7 @@ void read_sum_head(int f, struct sum_struct *sum) + exit_cleanup(RERR_PROTOCOL); + } + sum->s2length = protocol_version < 27 ? csum_length : (int)read_int(f); +- if (sum->s2length < 0 || sum->s2length > MAX_DIGEST_LEN) { ++ if (sum->s2length < 0 || sum->s2length > xfer_sum_len) { + rprintf(FERROR, "Invalid checksum length %d [%s]\n", + sum->s2length, who_am_i()); + exit_cleanup(RERR_PROTOCOL); +diff --git a/match.c b/match.c +index cdb30a15..36e78ed2 100644 +--- a/match.c ++++ b/match.c +@@ -232,7 +232,7 @@ static void hash_search(int f,struct sum_struct *s, + done_csum2 = 1; + } + +- if (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) { ++ if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) { + false_alarms++; + continue; + } +@@ -252,7 +252,7 @@ static void hash_search(int f,struct sum_struct *s, + if (i != aligned_i) { + if (sum != s->sums[aligned_i].sum1 + || l != s->sums[aligned_i].len +- || memcmp(sum2, s->sums[aligned_i].sum2, s->s2length) != 0) ++ || memcmp(sum2, sum2_at(s, aligned_i), s->s2length) != 0) + goto check_want_i; + i = aligned_i; + } +@@ -271,7 +271,7 @@ static void hash_search(int f,struct sum_struct *s, + if (sum != s->sums[i].sum1) + goto check_want_i; + get_checksum2((char *)map, l, sum2); +- if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0) ++ if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) + goto check_want_i; + /* OK, we have a re-alignment match. Bump the offset + * forward to the new match point. */ +@@ -290,7 +290,7 @@ static void hash_search(int f,struct sum_struct *s, + && (!updating_basis_file || s->sums[want_i].offset >= offset + || s->sums[want_i].flags & SUMFLG_SAME_OFFSET) + && sum == s->sums[want_i].sum1 +- && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) { ++ && memcmp(sum2, sum2_at(s, want_i), s->s2length) == 0) { + /* we've found an adjacent match - the RLL coder + * will be happy */ + i = want_i; +diff --git a/rsync.c b/rsync.c +index cd288f57..b130aba5 100644 +--- a/rsync.c ++++ b/rsync.c +@@ -437,7 +437,10 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr, cha + */ + void free_sums(struct sum_struct *s) + { +- if (s->sums) free(s->sums); ++ if (s->sums) { ++ free(s->sums); ++ free(s->sum2_array); ++ } + free(s); + } + +diff --git a/rsync.h b/rsync.h +index d3709fe0..8ddbe702 100644 +--- a/rsync.h ++++ b/rsync.h +@@ -958,12 +958,12 @@ struct sum_buf { + uint32 sum1; /**< simple checksum */ + int32 chain; /**< next hash-table collision */ + short flags; /**< flag bits */ +- char sum2[SUM_LENGTH]; /**< checksum */ + }; + + struct sum_struct { + OFF_T flength; /**< total file length */ + struct sum_buf *sums; /**< points to info for each chunk */ ++ char *sum2_array; /**< checksums of length xfer_sum_len */ + int32 count; /**< how many chunks */ + int32 blength; /**< block_length */ + int32 remainder; /**< flength % block_length */ +@@ -982,6 +982,8 @@ struct map_struct { + int status; /* first errno from read errors */ + }; + ++#define sum2_at(s, i) ((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len)) ++ + #define NAME_IS_FILE (0) /* filter name as a file */ + #define NAME_IS_DIR (1<<0) /* filter name as a dir */ + #define NAME_IS_XATTR (1<<2) /* filter name as an xattr */ +diff --git a/sender.c b/sender.c +index 3d4f052e..ab205341 100644 +--- a/sender.c ++++ b/sender.c +@@ -31,6 +31,7 @@ extern int log_before_transfer; + extern int stdout_format_has_i; + extern int logfile_format_has_i; + extern int want_xattr_optim; ++extern int xfer_sum_len; + extern int csum_length; + extern int append_mode; + extern int copy_links; +@@ -94,10 +95,11 @@ static struct sum_struct *receive_sums(int f) + return(s); + + s->sums = new_array(struct sum_buf, s->count); ++ s->sum2_array = new_array(char, s->count * xfer_sum_len); + + for (i = 0; i < s->count; i++) { + s->sums[i].sum1 = read_int(f); +- read_buf(f, s->sums[i].sum2, s->s2length); ++ read_buf(f, sum2_at(s, i), s->s2length); + + s->sums[i].offset = offset; + s->sums[i].flags = 0; +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12084-0002.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12084-0002.patch new file mode 100644 index 0000000000..266b80c241 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12084-0002.patch @@ -0,0 +1,43 @@ +From 42e2b56c4ede3ab164f9a5c6dae02aa84606a6c1 Mon Sep 17 00:00:00 2001 +From: Wayne Davison +Date: Tue, 5 Nov 2024 11:01:03 -0800 +Subject: [PATCH] Another cast when multiplying integers. + +CVE: CVE-2024-12084 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=42e2b56c4ede3ab164f9a5c6dae02aa84606a6c1] + +Signed-off-by: Archana Polampalli +--- + rsync.h | 2 +- + sender.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rsync.h b/rsync.h +index 8ddbe702..0f9e277f 100644 +--- a/rsync.h ++++ b/rsync.h +@@ -982,7 +982,7 @@ struct map_struct { + int status; /* first errno from read errors */ + }; + +-#define sum2_at(s, i) ((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len)) ++#define sum2_at(s, i) ((s)->sum2_array + ((size_t)(i) * xfer_sum_len)) + + #define NAME_IS_FILE (0) /* filter name as a file */ + #define NAME_IS_DIR (1<<0) /* filter name as a dir */ +diff --git a/sender.c b/sender.c +index ab205341..2bbff2fa 100644 +--- a/sender.c ++++ b/sender.c +@@ -95,7 +95,7 @@ static struct sum_struct *receive_sums(int f) + return(s); + + s->sums = new_array(struct sum_buf, s->count); +- s->sum2_array = new_array(char, s->count * xfer_sum_len); ++ s->sum2_array = new_array(char, (size_t)s->count * xfer_sum_len); + + for (i = 0; i < s->count; i++) { + s->sums[i].sum1 = read_int(f); +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 130581a785..2f3ea61978 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb @@ -15,6 +15,8 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://makefile-no-rebuild.patch \ file://determism.patch \ file://0001-Add-missing-prototypes-to-function-declarations.patch \ + file://CVE-2024-12084-0001.patch \ + file://CVE-2024-12084-0002.patch \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb" From patchwork Thu Jan 23 02:59:52 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 55983 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BEC95C0218E for ; Thu, 23 Jan 2025 03:00:17 +0000 (UTC) Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com [209.85.214.171]) by mx.groups.io with SMTP id smtpd.web10.2980.1737601213821623253 for ; Wed, 22 Jan 2025 19:00:13 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=bpiuJe4b; spf=softfail (domain: sakoman.com, ip: 209.85.214.171, mailfrom: steve@sakoman.com) Received: by mail-pl1-f171.google.com with SMTP id d9443c01a7336-21675fd60feso7702145ad.2 for ; Wed, 22 Jan 2025 19:00:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1737601213; x=1738206013; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=huFhUOwohlNSw+rn2skzyaNDBwD1RcVbUqR/CLHRtY4=; b=bpiuJe4bkOst6v0lLkkZlpghGBYNvkN27xI3yS2e04RwvnzHqW1Qd7OHNbeEUOj/Pu xm19wYFBpjlLS84kKeWdKTvnHQUAOISWWgORbmnYQaMLABkbxg98kSZ4sFByDapcUzlQ aTTzmYR+d8otnDmtYXgPzr5OPAuZL9Mxl98qXXjQEW4D5spf4Z/wQJ1ivFRxH9eOTmON n5qfinta2PnEZZylTvnSdpY8uTIJFMQ4iA4Wi52T3t0TUJec4Fg3lal755MXvhJTCMGJ fDgagB0TXRism/2weATkpyGca3YThpOEZRJfs83yTDwTE2a1e3ErB1wgrLbv2brYm9RS MhmQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737601213; x=1738206013; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=huFhUOwohlNSw+rn2skzyaNDBwD1RcVbUqR/CLHRtY4=; b=KfL4znt5hv4bznELZzIQ9QDbjNNNukXah79FdD7Omo2DsEVmBIdfbKB2XCAThLTKNe IYrm8ZdruBzA6HbKsITXsU1ODn1SPfrAkcKNG0BlVHys4s4Z6QCiPbO7dTWkWh158Tyx htRP3FLU1fWPmjTvugu3pJsPBL4Y8av77/D6K4CO/tSok9PFzaL9ORLLKV/BZTmWjx3k 6i2AwqIh+JzC08J/seQ8aOl9aWeTO2AfOTOfvQA7DJ4UpffWDN0crq6bXTfLZj2tzve1 7Ld9RpamY3C01V0Z71hYkOhWFkGnZY4HlXa4ilE1xm4sUSiPl+tbjfAFN0Ql5/IVo2IT GzqA== X-Gm-Message-State: AOJu0Yw0q4uUYhOUoK8v9COUCrE6D5llKEAFB8dNaCSBiKEYZin4RDcr /K16+snba50fBZFhj+mP8Ek5UhtBcPSPkCpvZQRuBluIeSXgVcvHT+qTrAL6mE5jkvGktRdj/nt g4k0= X-Gm-Gg: ASbGncsTZvCXeA3MngeB5WTfPCXL6HixqYo9UQQRr6BjCCgQ1dLRghWnnQ3s0GcB7Bu XPCbDlu3Glbdp1pgT+Ge+z+aP6xIcqLnYfYswRu42XV5p2l21xQ7IdvGCpLzEvQmpi9D50jYhF7 VGzb1OBmqtrUdbbucIVO3ksLr18qHSaEYnvA7czrnYiZeHrtT13K2imECy/IexxJkNn5W5Hgrbz Jgjm0m3hiBBlw/xQnz3xbHeYRUNOR321XWEUU6ouiu9bSo396ioSvXmyb0/3/ujxLLpAA== X-Google-Smtp-Source: AGHT+IENPTHNphFwMqssNo4/hzj7/X9y4igWeO+R4CmdmxZ4qY+ZkY2lSjlNsE79wA0R23HmysN6sA== X-Received: by 2002:a05:6a20:7491:b0:1e1:bef7:af57 with SMTP id adf61e73a8af0-1eb214a4638mr36594770637.21.1737601213017; Wed, 22 Jan 2025 19:00:13 -0800 (PST) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72dab816accsm12048389b3a.69.2025.01.22.19.00.12 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Jan 2025 19:00:12 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 2/8] rsync: fix CVE-2024-12085 Date: Wed, 22 Jan 2025 18:59:52 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Jan 2025 03:00:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210167 From: Archana Polampalli A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../rsync/files/CVE-2024-12085.patch | 32 +++++++++++++++++++ meta/recipes-devtools/rsync/rsync_3.2.7.bb | 1 + 2 files changed, 33 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12085.patch diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12085.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12085.patch new file mode 100644 index 0000000000..165d5a62f9 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12085.patch @@ -0,0 +1,32 @@ +From 589b0691e59f761ccb05ddb8e1124991440db2c7 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Thu, 14 Nov 2024 09:57:08 +1100 +Subject: [PATCH] prevent information leak off the stack + +prevent leak of uninitialised stack data in hash_search + +CVE: CVE-2024-12085 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=589b0691e59f761ccb05ddb8e1124991440db2c7] + +Signed-off-by: Archana Polampalli +--- + match.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/match.c b/match.c +index 36e78ed2..dfd6af2c 100644 +--- a/match.c ++++ b/match.c +@@ -147,6 +147,9 @@ static void hash_search(int f,struct sum_struct *s, + int more; + schar *map; + ++ // prevent possible memory leaks ++ memset(sum2, 0, sizeof sum2); ++ + /* want_i is used to encourage adjacent matches, allowing the RLL + * coding of the output to work more efficiently. */ + want_i = 0; +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 2f3ea61978..0d9c68a915 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb @@ -17,6 +17,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://0001-Add-missing-prototypes-to-function-declarations.patch \ file://CVE-2024-12084-0001.patch \ file://CVE-2024-12084-0002.patch \ + file://CVE-2024-12085.patch \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb" From patchwork Thu Jan 23 02:59:53 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 55984 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id AD5DBC02181 for ; Thu, 23 Jan 2025 03:00:17 +0000 (UTC) Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) by mx.groups.io with SMTP id smtpd.web11.3131.1737601215420113013 for ; Wed, 22 Jan 2025 19:00:15 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=e8QylADv; spf=softfail (domain: sakoman.com, ip: 209.85.216.49, mailfrom: steve@sakoman.com) Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-2f441904a42so903410a91.1 for ; Wed, 22 Jan 2025 19:00:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1737601215; x=1738206015; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=7ebfKKR0qR6p1ElLX8dJsbgVVcUFJExf8P0f8nVwLHc=; b=e8QylADvpiUApaegbY5urb8ZftbLJhCLxFhEAEslSrpCpcLOkpzSVj+tWkqZE/XCzE vq1n0U6DirIp1Ht2u1NwiYJCUIrZuwtjQQoK0ZR7ecaN51u88+jh2IoN2ROZ9PMRC4wM v5L0hFdSTqgf9VCBAfgyJgxBcB3iV0uX80d0sOyTdyeSHVI7SKWdN0YGXlZqVg3ePeFQ nEx01BIvSEFWNghJr7qTvOgLpiqGpsq+wE2xFjPSHgBIrJbH41cK0gUS5ST3HDa7fZkA LC6J2/lFgbhfOLa+rWV0P+5SCAlaYWLRnV5ywrqoSomkoDR5V/277wfuvckQ5txE/MvB Fpng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737601215; x=1738206015; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7ebfKKR0qR6p1ElLX8dJsbgVVcUFJExf8P0f8nVwLHc=; b=DqgIDVKsG3GJ4HWJcZm6fqeVU0l0zkg5sTce1npkwVY68DP06sOKZcfzjpFR8pXB0h IgSApM/ucw5C3AwzY3XUE+WcnhuWaGyl7hDGY7KLZotGqbtNVmq3tZVhr/vtwUSvMu7k 6UeYlw6hEFFXVC71PN5Mi6ypFOTaOwBQIVN1Ftv0vDpQksWcs32UB1ZhVTdbaJFAdk2z PUl2V3T9P/1wEAxPOojuUbakTpRhW+upKXuuCeq80fTmJsYNj16YcaLS4K3l3IPiejMT bml8Tqt0MnZS+UqEjPRHN/l5pR+Y5dR8c+dYec2B61efBJK4C+9dbzFJrle8+JdGxcSB byfQ== X-Gm-Message-State: AOJu0YyBHFJXQaIcr0L9hhnmLwwmbGjNrnhWPf4bnuT/L9JgCa8nmSrN ZOhSNCqwX05SNJWWZFUHdhR7iaA2J1/Not7pAl2rTf6bdcLkooec0qlG3jgjUyB00OAWeFMvJ48 N268= X-Gm-Gg: ASbGncuXOxmbg03Q3ary05k4UJhNKUAm+LsBBreGiZiqsePEOLmKszGyi25+AjRhjw0 qKzH+U0pK83W4rCRdlQYUdByfw+4RmuhSny0l0RRa/cyB5eSKoTvgDwvds743MusiqjyXPZZgSd hEbx7Qu4VuMzk7v8uuaM1I5Hz1eG2r3X/Oz21pmk0ukpHrOOKshhhhlHQmP9PiGjP6hqED9K0ec CAHB/0uH4xHiGx1h4iS0nctOS5pYwucd7P9gQY5fGvZoDe5zzXH5xujQbIfvjviK6ZgEA== X-Google-Smtp-Source: AGHT+IGCDsEfzi6XNx27lTnPmA8x7nJSzxmZjXVj8K0mTK0Axql+iTHouZSVS4MtixoWN003fGTizw== X-Received: by 2002:a05:6a00:2184:b0:725:ef4b:de33 with SMTP id d2e1a72fcca58-72daf88b1b9mr37106505b3a.0.1737601214512; Wed, 22 Jan 2025 19:00:14 -0800 (PST) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72dab816accsm12048389b3a.69.2025.01.22.19.00.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Jan 2025 19:00:14 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 3/8] rsync: fix CVE-2024-12086 Date: Wed, 22 Jan 2025 18:59:53 -0800 Message-ID: <19f4e7bd965c63f19cc756e6e2bf8f58d9e1dc8d.1737601063.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Jan 2025 03:00:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210168 From: Archana Polampalli A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../rsync/files/CVE-2024-12086-0001.patch | 42 +++++++ .../rsync/files/CVE-2024-12086-0002.patch | 108 ++++++++++++++++++ .../rsync/files/CVE-2024-12086-0003.patch | 108 ++++++++++++++++++ .../rsync/files/CVE-2024-12086-0004.patch | 41 +++++++ meta/recipes-devtools/rsync/rsync_3.2.7.bb | 4 + 5 files changed, 303 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch new file mode 100644 index 0000000000..958a25a37b --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0001.patch @@ -0,0 +1,42 @@ +From 8ad4b5d912fad1df29717dddaa775724da77d299 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Sat, 23 Nov 2024 11:08:03 +1100 +Subject: [PATCH] refuse fuzzy options when fuzzy not selected + +this prevents a malicious server providing a file to compare to when +the user has not given the fuzzy option + +CVE: CVE-2024-12086 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=8ad4b5d912fad1df29717dddaa775724da77d299] + +Signed-off-by: Archana Polampalli +--- + receiver.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/receiver.c b/receiver.c +index 6b4b369e..2d7f6033 100644 +--- a/receiver.c ++++ b/receiver.c +@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_LEN]; + extern struct file_list *cur_flist, *first_flist, *dir_flist; + extern filter_rule_list daemon_filter_list; + extern OFF_T preallocated_len; ++extern int fuzzy_basis; + + extern struct name_num_item *xfer_sum_nni; + extern int xfer_sum_len; +@@ -716,6 +717,10 @@ int recv_files(int f_in, int f_out, char *local_name) + fnamecmp = get_backup_name(fname); + break; + case FNAMECMP_FUZZY: ++ if (fuzzy_basis == 0) { ++ rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname); ++ exit_cleanup(RERR_PROTOCOL); ++ } + if (file->dirname) { + pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname); + fnamecmp = fnamecmpbuf; +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch new file mode 100644 index 0000000000..5d25f12dd8 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0002.patch @@ -0,0 +1,108 @@ +From b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Sat, 23 Nov 2024 12:26:10 +1100 +Subject: [PATCH] added secure_relative_open() + +this is an open that enforces no symlink following for all path +components in a relative path + +CVE: CVE-2024-12086 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=b4a27ca25d0abb6fcf14f41b7e11f3a6e1d8a4ff] + +Signed-off-by: Archana Polampalli +--- + syscall.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 74 insertions(+) + +diff --git a/syscall.c b/syscall.c +index b4b0f1f1..cffc814b 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -33,6 +33,8 @@ + #include + #endif + ++#include "ifuncs.h" ++ + extern int dry_run; + extern int am_root; + extern int am_sender; +@@ -707,3 +709,75 @@ int do_open_nofollow(const char *pathname, int flags) + + return fd; + } ++ ++/* ++ open a file relative to a base directory. The basedir can be NULL, ++ in which case the current working directory is used. The relpath ++ must be a relative path, and the relpath must not contain any ++ elements in the path which follow symlinks (ie. like O_NOFOLLOW, but ++ applies to all path components, not just the last component) ++*/ ++int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) ++{ ++ if (!relpath || relpath[0] == '/') { ++ // must be a relative path ++ errno = EINVAL; ++ return -1; ++ } ++ ++#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) ++ // really old system, all we can do is live with the risks ++ if (!basedir) { ++ return open(relpath, flags, mode); ++ } ++ char fullpath[MAXPATHLEN]; ++ pathjoin(fullpath, sizeof fullpath, basedir, relpath); ++ return open(fullpath, flags, mode); ++#else ++ int dirfd = AT_FDCWD; ++ if (basedir != NULL) { ++ dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY); ++ if (dirfd == -1) { ++ return -1; ++ } ++ } ++ int retfd = -1; ++ ++ char *path_copy = my_strdup(relpath, __FILE__, __LINE__); ++ if (!path_copy) { ++ return -1; ++ } ++ ++ for (const char *part = strtok(path_copy, "/"); ++ part != NULL; ++ part = strtok(NULL, "/")) ++ { ++ int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW); ++ if (next_fd == -1 && errno == ENOTDIR) { ++ if (strtok(NULL, "/") != NULL) { ++ // this is not the last component of the path ++ errno = ELOOP; ++ goto cleanup; ++ } ++ // this could be the last component of the path, try as a file ++ retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode); ++ goto cleanup; ++ } ++ if (next_fd == -1) { ++ goto cleanup; ++ } ++ if (dirfd != AT_FDCWD) close(dirfd); ++ dirfd = next_fd; ++ } ++ ++ // the path must be a directory ++ errno = EINVAL; ++ ++cleanup: ++ free(path_copy); ++ if (dirfd != AT_FDCWD) { ++ close(dirfd); ++ } ++ return retfd; ++#endif // O_NOFOLLOW, O_DIRECTORY ++} +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch new file mode 100644 index 0000000000..de1747adf2 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0003.patch @@ -0,0 +1,108 @@ +From c35e28331f10ba6eba370611abd78bde32d54da7 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Sat, 23 Nov 2024 12:28:13 +1100 +Subject: [PATCH] receiver: use secure_relative_open() for basis file + +this prevents attacks where the basis file is manipulated by a +malicious sender to gain information about files outside the +destination tree + +CVE: CVE-2024-12086 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=c35e28331f10ba6eba370611abd78bde32d54da7] + +Signed-off-by: Archana Polampalli +--- + receiver.c | 42 ++++++++++++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 16 deletions(-) + +diff --git a/receiver.c b/receiver.c +index 2d7f6033..8031b8f4 100644 +--- a/receiver.c ++++ b/receiver.c +@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name) + progress_init(); + + while (1) { ++ const char *basedir = NULL; ++ + cleanup_disable(); + + /* This call also sets cur_flist. */ +@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char *local_name) + exit_cleanup(RERR_PROTOCOL); + } + if (file->dirname) { +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname); +- fnamecmp = fnamecmpbuf; +- } else +- fnamecmp = xname; ++ basedir = file->dirname; ++ } ++ fnamecmp = xname; + break; + default: + if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) { + fnamecmp_type -= FNAMECMP_FUZZY + 1; + if (file->dirname) { +- stringjoin(fnamecmpbuf, sizeof fnamecmpbuf, +- basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL); +- } else +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname); ++ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname); ++ basedir = fnamecmpbuf; ++ } else { ++ basedir = basis_dir[fnamecmp_type]; ++ } ++ fnamecmp = xname; + } else if (fnamecmp_type >= basis_dir_cnt) { + rprintf(FERROR, + "invalid basis_dir index: %d.\n", + fnamecmp_type); + exit_cleanup(RERR_PROTOCOL); +- } else +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname); +- fnamecmp = fnamecmpbuf; ++ } else { ++ basedir = basis_dir[fnamecmp_type]; ++ fnamecmp = fname; ++ } + break; + } + if (!fnamecmp || (daemon_filter_list.head +@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name) + } + + /* open the file */ +- fd1 = do_open(fnamecmp, O_RDONLY, 0); ++ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0); + + if (fd1 == -1 && protocol_version < 29) { + if (fnamecmp != fname) { +@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name) + + if (fd1 == -1 && basis_dir[0]) { + /* pre-29 allowed only one alternate basis */ +- pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, +- basis_dir[0], fname); +- fnamecmp = fnamecmpbuf; ++ basedir = basis_dir[0]; ++ fnamecmp = fname; + fnamecmp_type = FNAMECMP_BASIS_DIR_LOW; +- fd1 = do_open(fnamecmp, O_RDONLY, 0); ++ fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0); + } + } + ++ if (basedir) { ++ // for the following code we need the full ++ // path name as a single string ++ pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp); ++ fnamecmp = fnamecmpbuf; ++ } ++ + one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR; + updating_basis_or_equiv = one_inplace + || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP)); +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch new file mode 100644 index 0000000000..b85e1dfae4 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12086-0004.patch @@ -0,0 +1,41 @@ +From 9f86ddc9652247233f32b241a79d5aa4fb9d4afa Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Tue, 26 Nov 2024 09:16:31 +1100 +Subject: [PATCH] disallow ../ elements in relpath for secure_relative_open + +CVE: CVE-2024-12086 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=9f86ddc9652247233f32b241a79d5aa4fb9d4afa] + +Signed-off-by: Archana Polampalli +--- + syscall.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/syscall.c b/syscall.c +index cffc814b..081357bb 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -716,6 +716,8 @@ int do_open_nofollow(const char *pathname, int flags) + must be a relative path, and the relpath must not contain any + elements in the path which follow symlinks (ie. like O_NOFOLLOW, but + applies to all path components, not just the last component) ++ ++ The relpath must also not contain any ../ elements in the path + */ + int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode) + { +@@ -724,6 +726,11 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo + errno = EINVAL; + return -1; + } ++ if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) { ++ // no ../ elements allowed in the relpath ++ errno = EINVAL; ++ return -1; ++ } + + #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY) + // really old system, all we can do is live with the risks +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 0d9c68a915..0bde73aad2 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb @@ -18,6 +18,10 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://CVE-2024-12084-0001.patch \ file://CVE-2024-12084-0002.patch \ file://CVE-2024-12085.patch \ + file://CVE-2024-12086-0001.patch \ + file://CVE-2024-12086-0002.patch \ + file://CVE-2024-12086-0003.patch \ + file://CVE-2024-12086-0004.patch \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb" From patchwork Thu Jan 23 02:59:54 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 55982 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B1EEBC0218D for ; Thu, 23 Jan 2025 03:00:17 +0000 (UTC) Received: from mail-pj1-f42.google.com (mail-pj1-f42.google.com [209.85.216.42]) by mx.groups.io with SMTP id smtpd.web10.2982.1737601216706587659 for ; Wed, 22 Jan 2025 19:00:16 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=Q5NIUhEB; spf=softfail (domain: sakoman.com, ip: 209.85.216.42, mailfrom: steve@sakoman.com) Received: by mail-pj1-f42.google.com with SMTP id 98e67ed59e1d1-2f441904a42so903445a91.1 for ; Wed, 22 Jan 2025 19:00:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1737601216; x=1738206016; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=KNOoTUQiTJU8cdrRsT0s2xZSYmx226rtojAMywlQJW8=; b=Q5NIUhEBsxt91YmqrBwRq72rnMZuKpO8ey0bMEGc5fuMZ90am15uaFSNwzy9b+D9IG auzEIYZraDAkc9sTlFIP+Rx7NMRSieXY/0jMn4s0I5grCYYV2Oa+JGFl3z4G6YUXf0CY TagC9GFDSrDyZ6exvZQXTynYqGvpYGWQZfU9Lxf7ifKRuw7laAE3FPRHUTC/rpTlBk0w CnDlTczFRs92pBYCDbZns5SSCX/fRDz2U61fockT/sm9m8GQz1AiO4lJ8wChjU296+0n kTgy2JHY2uNIGVzf5eythdiO6/TMuNECdQshmqtKIL3eJLivdsj1FAQkDtsqyqkzQ0YY X5zg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737601216; x=1738206016; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=KNOoTUQiTJU8cdrRsT0s2xZSYmx226rtojAMywlQJW8=; b=rJ7eLvp+zHnzH8Fxf5UyAojJYVFiTuMjtXehh0rdcis9eMFVbW3PqqSrI/4X5sZ5xJ CveyT/3uhzeWd9k/kltNxYJpItrzu12E70umO2NVy3320VPbte2PyonQrwt3ZaE3fZSc c9co38S/K3zexmNx8gbVUWoBF7Xqjl8UqrE8nFdZ4twSIYzKKbzui9WZa/eoG3AVJhbU yQNbiz3T30TSkvFaPwNQf6928E5uWbr36/Yv/7gdXZ1QJ82+G2yRO3yzPUDI6iwRQkCq YcFwgvgCXWAB5HEaNmu5jRGOC4NjDFWjBRqkpY5edhTNFaZtzcav3OvefK1z8AH0B8eW Hr/g== X-Gm-Message-State: AOJu0Yw16uBcVNeKVwKjxAyoVv2Go8plLAIcUPUcPFkf1Hq8gUhaqzJt 3vicveou/XTQCKd5EInfQXMH1oN9A7u0f9Yq2i8Ug0X8vaXytiHDOAb5SKBT+FL7dVofBb/VT11 bQS8= X-Gm-Gg: ASbGncuqsefJTIukP0omGWXy+jQquhjN7SRLXzH1Vl+MaoD9K9XxhXAJ/0LQqKI7Qwe C7p3Thf2IuMrN4CwzBc1No0rcMq373BFcoVDWfwJDKOtQka3hfEU/ZDTSoa1J6d+9JPWFAsF2zn CFD2HzhBKjJtABc1amoB4E2/yIuIe8hHm9EWsIqwiDFx7UmHSyizf9twVg4EnR3Z2jIrIKQqjbm OucWbDkNS9535vDeWwQlOy7+nmkHBX1K8t+bN/M0thJrvEnHhQtijXCge4fERfTQLKlEA== X-Google-Smtp-Source: AGHT+IH7dZ5yKDzpcj1sChJ1RKeI8HxvzYeAbRuiUn9h1UUs/8Yc/AfEMFVfK9vYbQuYJLIeUsoOVA== X-Received: by 2002:a05:6a00:a38d:b0:725:cfd0:dffa with SMTP id d2e1a72fcca58-72daf9beb7emr30792055b3a.5.1737601215924; Wed, 22 Jan 2025 19:00:15 -0800 (PST) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72dab816accsm12048389b3a.69.2025.01.22.19.00.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Jan 2025 19:00:15 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 4/8] rsync: fix CVE-2024-12087 Date: Wed, 22 Jan 2025 18:59:54 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Jan 2025 03:00:17 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210169 From: Archana Polampalli A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../rsync/files/CVE-2024-12087-0001.patch | 49 +++++++++++++++++++ .../rsync/files/CVE-2024-12087-0002.patch | 31 ++++++++++++ .../rsync/files/CVE-2024-12087-0003.patch | 40 +++++++++++++++ meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 ++ 4 files changed, 123 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch new file mode 100644 index 0000000000..67abc64a62 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0001.patch @@ -0,0 +1,49 @@ +From 688f5c379a433038bde36897a156d589be373a98 Mon Sep 17 00:00:00 2001 +From: Wayne Davison +Date: Thu, 14 Nov 2024 15:46:50 -0800 +Subject: [PATCH] Refuse a duplicate dirlist. + +CVE: CVE-2024-12087 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=688f5c379a433038bde36897a156d589be373a98] + +Signed-off-by: Archana Polampalli +--- + flist.c | 9 +++++++++ + rsync.h | 1 + + 2 files changed, 10 insertions(+) + +diff --git a/flist.c b/flist.c +index 464d556e..847b1054 100644 +--- a/flist.c ++++ b/flist.c +@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f, int dir_ndx) + init_hard_links(); + #endif + ++ if (inc_recurse && dir_ndx >= 0) { ++ struct file_struct *file = dir_flist->files[dir_ndx]; ++ if (file->flags & FLAG_GOT_DIR_FLIST) { ++ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx); ++ exit_cleanup(RERR_PROTOCOL); ++ } ++ file->flags |= FLAG_GOT_DIR_FLIST; ++ } ++ + flist = flist_new(0, "recv_file_list"); + flist_expand(flist, FLIST_START_LARGE); + +diff --git a/rsync.h b/rsync.h +index 0f9e277f..b9a7101a 100644 +--- a/rsync.h ++++ b/rsync.h +@@ -84,6 +84,7 @@ + #define FLAG_DUPLICATE (1<<4) /* sender */ + #define FLAG_MISSING_DIR (1<<4) /* generator */ + #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */ ++#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */ + #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */ + #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */ + #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */ +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch new file mode 100644 index 0000000000..8a22e0c371 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0002.patch @@ -0,0 +1,31 @@ +From 344327385fa47fa5bb67a32c237735e6240cfb93 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Tue, 26 Nov 2024 16:12:45 +1100 +Subject: [PATCH] range check dir_ndx before use + +CVE: CVE-2024-12087 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=344327385fa47fa5bb67a32c237735e6240cfb93] + +Signed-off-by: Archana Polampalli +--- + flist.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/flist.c b/flist.c +index 847b1054..087f9da6 100644 +--- a/flist.c ++++ b/flist.c +@@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f, int dir_ndx) + #endif + + if (inc_recurse && dir_ndx >= 0) { ++ if (dir_ndx >= dir_flist->used) { ++ rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used); ++ exit_cleanup(RERR_PROTOCOL); ++ } + struct file_struct *file = dir_flist->files[dir_ndx]; + if (file->flags & FLAG_GOT_DIR_FLIST) { + rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx); +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch new file mode 100644 index 0000000000..0ece69c4e7 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12087-0003.patch @@ -0,0 +1,40 @@ +From 996af4a79f9afe4d7158ecdd87c78cee382c6b39 Mon Sep 17 00:00:00 2001 +From: Natanael Copa +Date: Wed, 15 Jan 2025 15:10:24 +0100 +Subject: [PATCH] Fix FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED + +fixes commit 688f5c379a43 (Refuse a duplicate dirlist.) + +Fixes: https://github.com/RsyncProject/rsync/issues/702 +Fixes: https://github.com/RsyncProject/rsync/issues/697 +CVE: CVE-2024-12087 + +Upstream-Status: Backport [https://github.com/RsyncProject/rsync/commit/996af4a79f9afe4d7158ecdd87c78cee382c6b39] + +Signed-off-by: Archana Polampalli +--- + rsync.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rsync.h b/rsync.h +index 9be1297b..479ac484 100644 +--- a/rsync.h ++++ b/rsync.h +@@ -84,7 +84,6 @@ + #define FLAG_DUPLICATE (1<<4) /* sender */ + #define FLAG_MISSING_DIR (1<<4) /* generator */ + #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */ +-#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */ + #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */ + #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */ + #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */ +@@ -93,6 +92,7 @@ + #define FLAG_SKIP_GROUP (1<<10) /* receiver/generator */ + #define FLAG_TIME_FAILED (1<<11)/* generator */ + #define FLAG_MOD_NSEC (1<<12) /* sender/receiver/generator */ ++#define FLAG_GOT_DIR_FLIST (1<<13)/* sender/receiver/generator - dir_flist only */ + + /* These flags are passed to functions but not stored. */ + +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 0bde73aad2..d6942dc595 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb @@ -22,6 +22,9 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://CVE-2024-12086-0002.patch \ file://CVE-2024-12086-0003.patch \ file://CVE-2024-12086-0004.patch \ + file://CVE-2024-12087-0001.patch \ + file://CVE-2024-12087-0002.patch \ + file://CVE-2024-12087-0003.patch \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb" From patchwork Thu Jan 23 02:59:55 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 55986 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id C4548C0218C for ; Thu, 23 Jan 2025 03:00:27 +0000 (UTC) Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com [209.85.214.181]) by mx.groups.io with SMTP id smtpd.web11.3132.1737601218332035584 for ; Wed, 22 Jan 2025 19:00:18 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=dyhXkIga; spf=softfail (domain: sakoman.com, ip: 209.85.214.181, mailfrom: steve@sakoman.com) Received: by mail-pl1-f181.google.com with SMTP id d9443c01a7336-21675fd60feso7703575ad.2 for ; Wed, 22 Jan 2025 19:00:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1737601217; x=1738206017; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=YYE2dLd40hMPK6IAhJZCvW3ZdwtT/6qnYWxPPmc2fh0=; b=dyhXkIgauWf12l6vfbP3jqC3AMME8smcS2aiVfAvdfk7WaqCrmQgSNnenq+JrObY7A seh2rKmkyxzHgChlCMi7HD+scb4qkOfT3vXdPAcBnDu4pC6QxYvulrwlUBfnEpB+sCie PrfVXsCCSGxHpjvJCKu+pNGdeBZDjXntoGDoprETqGi7lG2zNPgICXoy4SPbcdayn6Rr qp1ph8YZc4Tax0/+TK2N65hvpLB7r6JKilQFS1HKDLsWgTLyghnsbt5rtteFLRIJG59h C2DL2mso8/rbcygrIe0UuCGysIYnymafPcMkqmj3s7m6/mz+GmyeV/vAWUVjf6f+Q14K KbPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737601217; x=1738206017; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YYE2dLd40hMPK6IAhJZCvW3ZdwtT/6qnYWxPPmc2fh0=; b=WMK0nL0JeJJhw3qUyE+Y8Z1/ASfX4X/SM3/eRD3JQbdGMZ7h3EmKqxPVUy7X0qM+2S OVHU2MPiEuhaFLLd7Cf3ig84Rwv41VASznH5qGc0UGYxBznykEmBeM4I8Q0Sb716Vhgj AsLHXVizbS3UMFPH+RSdVdlMzfob9qMmUqvEy86t0VklONvyih+g5iObXDf+QpZn9tlU o6HtL0xKP1Q4SpcSNVfYM7zTqhvcs8EK8cXA0cCkVHdAL5ZicAGIipFSd4b3HVcnEyOn loPo6JfP3NvjhV+uEz/SvdGEdTwZMFNshdlkqkhO8wG0uGBtNUfhEalf9vueoStaQs6e 4rUw== X-Gm-Message-State: AOJu0YyArY4memySRNFuSAc+OY5OlwWMZnGm7Xga94BdOkhnOJW9a34L rTZnRrnzqf8Wx18ZLgJ0bgWJ2wgDgVL4w6dImpdSuW5wi1pz5aGKjg7duFxry3Eof9BIp70dcVl +D9o= X-Gm-Gg: ASbGncstOM4VWfY8BbmzZKrxVYNYvjEAFDgVmOjfis23hkrEglyxWHadAdp4Un4fUkt hgMR2MC8XnZfVFs6rvznI+PzTBORKxxHkQxCnnaGBxhocXQhzwmHV5lCOjRV15sj0Q9Po/AeRnk zxKaqliNK0SZQE2ppDdKLvxbbqiba12yQ667r7RmxtezlYHEGUc6belUI+28ZrJ8Ggl+Hpm92HN GcXRIV7/7fHAeKZaINNNNqdFlQkLf2lePP1jgF1HXsgYARADzY/T7XOtCKBQyC/OTsTaQ== X-Google-Smtp-Source: AGHT+IGL8+L7XpjK3LF5fGGdSDmMKkH77toGFFq5nuieuNpoo03Vp7HJSvqB604W/ylKDEB2S8Fiuw== X-Received: by 2002:a05:6a20:748c:b0:1e0:d848:9e8f with SMTP id adf61e73a8af0-1eb2147dd69mr39536627637.13.1737601217560; Wed, 22 Jan 2025 19:00:17 -0800 (PST) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72dab816accsm12048389b3a.69.2025.01.22.19.00.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Jan 2025 19:00:17 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 5/8] rsync: fix CVE-2024-12088 Date: Wed, 22 Jan 2025 18:59:55 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Jan 2025 03:00:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210170 From: Archana Polampalli A flaw was found in rsync. When using the `--safe-links` option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../rsync/files/CVE-2024-12088.patch | 141 ++++++++++++++++++ meta/recipes-devtools/rsync/rsync_3.2.7.bb | 1 + 2 files changed, 142 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12088.patch diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12088.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12088.patch new file mode 100644 index 0000000000..b2a3a86e1a --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12088.patch @@ -0,0 +1,141 @@ +From 407c71c7ce562137230e8ba19149c81ccc47c387 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Sat, 23 Nov 2024 15:15:53 +1100 +Subject: [PATCH] make --safe-links stricter + +when --safe-links is used also reject links where a '../' component is +included in the destination as other than the leading part of the +filename + +CVE: CVE-2024-12088 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=407c71c7ce562137230e8ba19149c81ccc47c387] + +Signed-off-by: Archana Polampalli +--- + testsuite/safe-links.test | 55 ++++++++++++++++++++++++++++++++++++ + testsuite/unsafe-byname.test | 2 +- + util1.c | 26 ++++++++++++++++- + 3 files changed, 81 insertions(+), 2 deletions(-) + create mode 100644 testsuite/safe-links.test + +diff --git a/testsuite/safe-links.test b/testsuite/safe-links.test +new file mode 100644 +index 00000000..6e95a4b9 +--- /dev/null ++++ b/testsuite/safe-links.test +@@ -0,0 +1,55 @@ ++#!/bin/sh ++ ++. "$suitedir/rsync.fns" ++ ++test_symlink() { ++ is_a_link "$1" || test_fail "File $1 is not a symlink" ++} ++ ++test_regular() { ++ if [ ! -f "$1" ]; then ++ test_fail "File $1 is not regular file or not exists" ++ fi ++} ++ ++test_notexist() { ++ if [ -e "$1" ]; then ++ test_fail "File $1 exists" ++ fi ++ if [ -h "$1" ]; then ++ test_fail "File $1 exists as a symlink" ++ fi ++} ++ ++cd "$tmpdir" ++ ++mkdir from ++ ++mkdir "from/safe" ++mkdir "from/unsafe" ++ ++mkdir "from/safe/files" ++mkdir "from/safe/links" ++ ++touch "from/safe/files/file1" ++touch "from/safe/files/file2" ++touch "from/unsafe/unsafefile" ++ ++ln -s ../files/file1 "from/safe/links/" ++ln -s ../files/file2 "from/safe/links/" ++ln -s ../../unsafe/unsafefile "from/safe/links/" ++ln -s a/a/a/../../../unsafe2 "from/safe/links/" ++ ++#echo "LISTING FROM" ++#ls -lR from ++ ++echo "rsync with relative path and just -a" ++$RSYNC -avv --safe-links from/safe/ to ++ ++#echo "LISTING TO" ++#ls -lR to ++ ++test_symlink to/links/file1 ++test_symlink to/links/file2 ++test_notexist to/links/unsafefile ++test_notexist to/links/unsafe2 +diff --git a/testsuite/unsafe-byname.test b/testsuite/unsafe-byname.test +index 75e72014..d2e318ef 100644 +--- a/testsuite/unsafe-byname.test ++++ b/testsuite/unsafe-byname.test +@@ -40,7 +40,7 @@ test_unsafe ..//../dest from/dir unsafe + test_unsafe .. from/file safe + test_unsafe ../.. from/file unsafe + test_unsafe ..//.. from//file unsafe +-test_unsafe dir/.. from safe ++test_unsafe dir/.. from unsafe + test_unsafe dir/../.. from unsafe + test_unsafe dir/..//.. from unsafe + +diff --git a/util1.c b/util1.c +index da50ff1e..f260d398 100644 +--- a/util1.c ++++ b/util1.c +@@ -1318,7 +1318,14 @@ int handle_partial_dir(const char *fname, int create) + * + * "src" is the top source directory currently applicable at the level + * of the referenced symlink. This is usually the symlink's full path +- * (including its name), as referenced from the root of the transfer. */ ++ * (including its name), as referenced from the root of the transfer. ++ * ++ * NOTE: this also rejects dest names with a .. component in other ++ * than the first component of the name ie. it rejects names such as ++ * a/b/../x/y. This needs to be done as the leading subpaths 'a' or ++ * 'b' could later be replaced with symlinks such as a link to '.' ++ * resulting in the link being transferred now becoming unsafe ++ */ + int unsafe_symlink(const char *dest, const char *src) + { + const char *name, *slash; +@@ -1328,6 +1335,23 @@ int unsafe_symlink(const char *dest, const char *src) + if (!dest || !*dest || *dest == '/') + return 1; + ++ // reject destinations with /../ in the name other than at the start of the name ++ const char *dest2 = dest; ++ while (strncmp(dest2, "../", 3) == 0) { ++ dest2 += 3; ++ while (*dest2 == '/') { ++ // allow for ..//..///../foo ++ dest2++; ++ } ++ } ++ if (strstr(dest2, "/../")) ++ return 1; ++ ++ // reject if the destination ends in /.. ++ const size_t dlen = strlen(dest); ++ if (dlen > 3 && strcmp(&dest[dlen-3], "/..") == 0) ++ return 1; ++ + /* find out what our safety margin is */ + for (name = src; (slash = strchr(name, '/')) != 0; name = slash+1) { + /* ".." segment starts the count over. "." segment is ignored. */ +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index d6942dc595..169650fe91 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb @@ -25,6 +25,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://CVE-2024-12087-0001.patch \ file://CVE-2024-12087-0002.patch \ file://CVE-2024-12087-0003.patch \ + file://CVE-2024-12088.patch \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb" From patchwork Thu Jan 23 02:59:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 55987 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA5C6C0218E for ; Thu, 23 Jan 2025 03:00:27 +0000 (UTC) Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com [209.85.216.47]) by mx.groups.io with SMTP id smtpd.web11.3133.1737601219752013012 for ; Wed, 22 Jan 2025 19:00:19 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=D4BtOx0o; spf=softfail (domain: sakoman.com, ip: 209.85.216.47, mailfrom: steve@sakoman.com) Received: by mail-pj1-f47.google.com with SMTP id 98e67ed59e1d1-2ee709715d9so696682a91.3 for ; Wed, 22 Jan 2025 19:00:19 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1737601219; x=1738206019; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Efpi1VehyAEcBGzQOxmSWtug7ck03PD5IgCNQgQA78I=; b=D4BtOx0oQVrDZzRE9dtmYGQq4EcLFwHFDZZ+0gk3JeZHWbBxYzlnsH8ii2MxKoa1r3 UnKkomRk8uqgJDMk0gISfoxt79ige3ep9XAiaxckQSnyC+Tf5O29eaRHgM9MFIIvGl0Q wulat7gvCVeGPDFLYsNCJK/i5q21VXtHTkJEu/AYFO0cQZ4d2Biw6dkvM9cxKggDDIOp 4l07cH/fz/KqyWqlHqA57OS/DWp8If722hm9Js3DYpQ6zCFypHryfalYuvq2QMyG5glo lat9LTxvaIoMJADVd43BX5lax6XpexiJOAuKBQKLNVyCMN8PWEpRk29E7Dm1VlMHCA49 k0kA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737601219; x=1738206019; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Efpi1VehyAEcBGzQOxmSWtug7ck03PD5IgCNQgQA78I=; b=mG45fzUbW0TkLfGnM0l02FurgU1UnNPVNg1kO+PifzMi9g6WtAQHOYe7j1c/LFKy34 QI2Fe6R+GrOhka2G7Ab+tGGYHO+xe7dW+Rzd1DY3Wn21/ymto+y8S0oQE3u8gGakukoy tru+g5+LlQBKHw4FVb66YtH3Ebb6RytJaO8+KMxps169bx5wGE21Kxl2DxrOr6PpFUSS 8uxNeZ3ww3E4oXY5pWP19n1gsiCesGXRyMSdw0BfgwdM1Eddjd+ILHSXOnvdql4W1Umh jmMydpLfZWuM+BsRxzsTQ7ic0KplQdDdp99EVIUk2kqcgpQ9LtUGEzzy+Hl3MN3Nr2Hb IQ3A== X-Gm-Message-State: AOJu0Yz11ld+PAZoJwuWpXxa4wnPt5Me/l8lvgFdi3rIe/PpHdSeXSsb Kfmz7hj8Gav4UvACbqhC2yfDTQ1XszajUjzSS3l1eUvuE2lsC1NozeU0eQNC1+r+A/SH7HMwjT8 qpa0= X-Gm-Gg: ASbGncsRXYfvppGmqw6hPjSRxCy3J8pxMenS4QZH8a/tlAft5qPgqCu3M5/a6+y1lkc xpcLkdEJN6Xi1Y3uXNjoHFzFBefLJiRe+fqp7ERYMH5LGnKSx0kf+Yhq8R1P4gW5UpRRpl3qN9B s49ll4cENkp49XLXH58E9ShU1rcLaTbIWJYlY7imhmc+wsVZS5hdsEqqTgzcexJNSyYGNr9+MpB F0jemp7+4PviXP+rcZSO/TRhThJiC2N2hphrgnExPYhy9facrJz7wglv17Wi6SDChBx/A== X-Google-Smtp-Source: AGHT+IHJwqy3TggVCO8qNz7xMUre/v7x+SS1KeHKtJp0BfXsorejFdVn5XMm0Wh2Bm7pQhIOYgddkA== X-Received: by 2002:a05:6a00:428d:b0:71e:4786:98ee with SMTP id d2e1a72fcca58-72dafae88b0mr33123524b3a.21.1737601218900; Wed, 22 Jan 2025 19:00:18 -0800 (PST) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72dab816accsm12048389b3a.69.2025.01.22.19.00.18 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Jan 2025 19:00:18 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 6/8] rsync: fix CVE-2024-12747 Date: Wed, 22 Jan 2025 18:59:56 -0800 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Jan 2025 03:00:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210171 From: Archana Polampalli A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation. Signed-off-by: Archana Polampalli Signed-off-by: Steve Sakoman --- .../rsync/files/CVE-2024-12747.patch | 192 ++++++++++++++++++ meta/recipes-devtools/rsync/rsync_3.2.7.bb | 1 + 2 files changed, 193 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/CVE-2024-12747.patch diff --git a/meta/recipes-devtools/rsync/files/CVE-2024-12747.patch b/meta/recipes-devtools/rsync/files/CVE-2024-12747.patch new file mode 100644 index 0000000000..b1dd0a03b9 --- /dev/null +++ b/meta/recipes-devtools/rsync/files/CVE-2024-12747.patch @@ -0,0 +1,192 @@ +From 0590b09d9a34ae72741b91ec0708a820650198b0 Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Wed, 18 Dec 2024 08:59:42 +1100 +Subject: [PATCH] fixed symlink race condition in sender + +when we open a file that we don't expect to be a symlink use +O_NOFOLLOW to prevent a race condition where an attacker could change +a file between being a normal file and a symlink + +CVE: CVE-2024-12747 + +Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=0590b09d9a34ae72741b91ec0708a820650198b0] + +Signed-off-by: Archana Polampalli +--- + checksum.c | 2 +- + flist.c | 2 +- + generator.c | 4 ++-- + receiver.c | 2 +- + sender.c | 2 +- + syscall.c | 20 ++++++++++++++++++++ + t_unsafe.c | 3 +++ + tls.c | 3 +++ + trimslash.c | 2 ++ + util1.c | 2 +- + 10 files changed, 35 insertions(+), 7 deletions(-) + +diff --git a/checksum.c b/checksum.c +index cb21882c..66e80896 100644 +--- a/checksum.c ++++ b/checksum.c +@@ -406,7 +406,7 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum) + int32 remainder; + int fd; + +- fd = do_open(fname, O_RDONLY, 0); ++ fd = do_open_checklinks(fname); + if (fd == -1) { + memset(sum, 0, file_sum_len); + return; +diff --git a/flist.c b/flist.c +index 087f9da6..17832533 100644 +--- a/flist.c ++++ b/flist.c +@@ -1390,7 +1390,7 @@ struct file_struct *make_file(const char *fname, struct file_list *flist, + + if (copy_devices && am_sender && IS_DEVICE(st.st_mode)) { + if (st.st_size == 0) { +- int fd = do_open(fname, O_RDONLY, 0); ++ int fd = do_open_checklinks(fname); + if (fd >= 0) { + st.st_size = get_device_size(fd, fname); + close(fd); +diff --git a/generator.c b/generator.c +index 110db28f..3f13bb95 100644 +--- a/generator.c ++++ b/generator.c +@@ -1798,7 +1798,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx, + + if (write_devices && IS_DEVICE(sx.st.st_mode) && sx.st.st_size == 0) { + /* This early open into fd skips the regular open below. */ +- if ((fd = do_open(fnamecmp, O_RDONLY, 0)) >= 0) ++ if ((fd = do_open_nofollow(fnamecmp, O_RDONLY)) >= 0) + real_sx.st.st_size = sx.st.st_size = get_device_size(fd, fnamecmp); + } + +@@ -1867,7 +1867,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx, + } + + /* open the file */ +- if (fd < 0 && (fd = do_open(fnamecmp, O_RDONLY, 0)) < 0) { ++ if (fd < 0 && (fd = do_open_checklinks(fnamecmp)) < 0) { + rsyserr(FERROR, errno, "failed to open %s, continuing", + full_fname(fnamecmp)); + pretend_missing: +diff --git a/receiver.c b/receiver.c +index 8031b8f4..edfbb210 100644 +--- a/receiver.c ++++ b/receiver.c +@@ -775,7 +775,7 @@ int recv_files(int f_in, int f_out, char *local_name) + if (fnamecmp != fname) { + fnamecmp = fname; + fnamecmp_type = FNAMECMP_FNAME; +- fd1 = do_open(fnamecmp, O_RDONLY, 0); ++ fd1 = do_open_nofollow(fnamecmp, O_RDONLY); + } + + if (fd1 == -1 && basis_dir[0]) { +diff --git a/sender.c b/sender.c +index 2bbff2fa..a4d46c39 100644 +--- a/sender.c ++++ b/sender.c +@@ -350,7 +350,7 @@ void send_files(int f_in, int f_out) + exit_cleanup(RERR_PROTOCOL); + } + +- fd = do_open(fname, O_RDONLY, 0); ++ fd = do_open_checklinks(fname); + if (fd == -1) { + if (errno == ENOENT) { + enum logcode c = am_daemon && protocol_version < 28 ? FERROR : FWARNING; +diff --git a/syscall.c b/syscall.c +index 081357bb..8cea2900 100644 +--- a/syscall.c ++++ b/syscall.c +@@ -45,6 +45,8 @@ extern int preallocate_files; + extern int preserve_perms; + extern int preserve_executability; + extern int open_noatime; ++extern int copy_links; ++extern int copy_unsafe_links; + + #ifndef S_BLKSIZE + # if defined hpux || defined __hpux__ || defined __hpux +@@ -788,3 +790,21 @@ cleanup: + return retfd; + #endif // O_NOFOLLOW, O_DIRECTORY + } ++ ++/* ++ varient of do_open/do_open_nofollow which does do_open() if the ++ copy_links or copy_unsafe_links options are set and does ++ do_open_nofollow() otherwise ++ ++ This is used to prevent a race condition where an attacker could be ++ switching a file between being a symlink and being a normal file ++ ++ The open is always done with O_RDONLY flags ++ */ ++int do_open_checklinks(const char *pathname) ++{ ++ if (copy_links || copy_unsafe_links) { ++ return do_open(pathname, O_RDONLY, 0); ++ } ++ return do_open_nofollow(pathname, O_RDONLY); ++} +diff --git a/t_unsafe.c b/t_unsafe.c +index 010cac50..e10619a2 100644 +--- a/t_unsafe.c ++++ b/t_unsafe.c +@@ -28,6 +28,9 @@ int am_root = 0; + int am_sender = 1; + int read_only = 0; + int list_only = 0; ++int copy_links = 0; ++int copy_unsafe_links = 0; ++ + short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG]; + + int +diff --git a/tls.c b/tls.c +index e6b0708a..858f8f10 100644 +--- a/tls.c ++++ b/tls.c +@@ -49,6 +49,9 @@ int list_only = 0; + int link_times = 0; + int link_owner = 0; + int nsec_times = 0; ++int safe_symlinks = 0; ++int copy_links = 0; ++int copy_unsafe_links = 0; + + #ifdef SUPPORT_XATTRS + +diff --git a/trimslash.c b/trimslash.c +index 1ec928ca..f2774cd7 100644 +--- a/trimslash.c ++++ b/trimslash.c +@@ -26,6 +26,8 @@ int am_root = 0; + int am_sender = 1; + int read_only = 1; + int list_only = 0; ++int copy_links = 0; ++int copy_unsafe_links = 0; + + int + main(int argc, char **argv) +diff --git a/util1.c b/util1.c +index f260d398..d84bc414 100644 +--- a/util1.c ++++ b/util1.c +@@ -365,7 +365,7 @@ int copy_file(const char *source, const char *dest, int tmpfilefd, mode_t mode) + int len; /* Number of bytes read into `buf'. */ + OFF_T prealloc_len = 0, offset = 0; + +- if ((ifd = do_open(source, O_RDONLY, 0)) < 0) { ++ if ((ifd = do_open_nofollow(source, O_RDONLY)) < 0) { + int save_errno = errno; + rsyserr(FERROR_XFER, errno, "open %s", full_fname(source)); + errno = save_errno; +-- +2.40.0 diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb index 169650fe91..d0796d3c12 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb @@ -26,6 +26,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ file://CVE-2024-12087-0002.patch \ file://CVE-2024-12087-0003.patch \ file://CVE-2024-12088.patch \ + file://CVE-2024-12747.patch \ " SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb" From patchwork Thu Jan 23 02:59:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 55988 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA434C02182 for ; Thu, 23 Jan 2025 03:00:27 +0000 (UTC) Received: from mail-pj1-f49.google.com (mail-pj1-f49.google.com [209.85.216.49]) by mx.groups.io with SMTP id smtpd.web11.3135.1737601221126790049 for ; Wed, 22 Jan 2025 19:00:21 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=oA3mOWQH; spf=softfail (domain: sakoman.com, ip: 209.85.216.49, mailfrom: steve@sakoman.com) Received: by mail-pj1-f49.google.com with SMTP id 98e67ed59e1d1-2f13acbe29bso2585159a91.1 for ; Wed, 22 Jan 2025 19:00:21 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1737601220; x=1738206020; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=PAwBoQgjlqdN0lt1W5MQV8pK/e1W9mKfJrTU2unM280=; b=oA3mOWQHsOUj5sP1Sz6oH4xSrVZkiy2icGLGEvdE23yN8hWJnsyeMZvIPwBVBMmnoy 06raI7v25FlkexPMGAETQ0xXcnsM78hnJ3RFPqrWhtjU9TPgT8rKdLMVdzc74phbmXjM u+nHLFfWCCZSG0Xd9zy++aBYG20R+KL+TsOBTF8EDla66rmGrLfTI8cb0vgHHlVIcMce j2PPSPGGEGlOT8MMLWZ9bA6ss2i9MBV84D9xQHNUeirwyuTQvjuXjV32DAa3u+SlU0iX 0y9c94HsXA7ip3UkWJuRKmlp1I/MHehUFor0fZfbhbKlB37y+vLOfJpGzHScDN3WvSHD 6nwA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737601220; x=1738206020; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=PAwBoQgjlqdN0lt1W5MQV8pK/e1W9mKfJrTU2unM280=; b=fpvAvKC/JgoUqUfKz7hdE5IwPYDzSeMTR+/MBkKXtU+b9pEbiVvF1jg8LlJjGCFcmq 2Hen3kHSJAMQfKKw868I+j39PBZ1h6KKEL1403BOGKb6twPmbVR7/u/rswM8IMgnUfzo ugcyUPuktwV07IeD3xpFaIgAZeLDCnb8ToeDuUehbSx4Sw0YAUNbWe8yFlQpUL737NvU QOEnkB/47XwWoMHo+0W4x8rdwk9TSXrn0N0wA8/3YgPWXS7DwX1d5HHl1EJtPWRpYDez dWl6mK+QXFmrqrtAhVkzhWnwFUL67ipzUAmqAWDcK0yNrgOvlwjy3bV1KD7A2cnOPUkw f/3A== X-Gm-Message-State: AOJu0YyUp1Cp4zt1bLmWrzjZtcvcrq4x9ldS4Y/TJVDNBjI4rcZN7bM6 mWb+0Ngpw9UGZT1x+HMqQu7EYOgOjhkC9fNyiLwasKPKQnAKnu/3nDVS5oxei1niP2tfR4voq7H lGKs= X-Gm-Gg: ASbGncu0P8FS2kFwpeBddeeZdbXQbM6OYqymS4+k3GtHmxqVJkzo3P+e7mwbNJRc/hU oflLgN1QR4iHnipWZ6vMTS+CtapgbPq4VtmlzOs5dpPMLDX20ZjJGL0YqYSl/cliud17Jn0iZLH 4BliZVe/J4/OqGkxBBlgnV8d44WaG43Dl/WH7aRKjT38ulmHkkLEuxVRmDKoWSGakXhpiEfifbp ywzCR63yyFA8AlrAf0FGT8CrgKkUaC3doTrTIDvm9QVLRX8ecn6R4Dr0JXtTsiQO1D9gg== X-Google-Smtp-Source: AGHT+IHy6LDoMG/iQjjXAEMdZtu0RdR/VaPZhOCkB2rss7GEF6IHQedul3X6LSVlMHRQdwMmeC/CXw== X-Received: by 2002:a05:6a00:8c0b:b0:72a:a9d9:55ff with SMTP id d2e1a72fcca58-72f7d069edemr2042803b3a.0.1737601220335; Wed, 22 Jan 2025 19:00:20 -0800 (PST) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72dab816accsm12048389b3a.69.2025.01.22.19.00.19 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Jan 2025 19:00:20 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 7/8] rust-target-config: Fix TARGET_C_INT_WIDTH with correct size Date: Wed, 22 Jan 2025 18:59:57 -0800 Message-ID: <0e02d0feba8bd48a27c41db875dcd33d46e4dc0d.1737601063.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Jan 2025 03:00:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210172 From: Harish Sadineni [YOCTO #15600] The TARGET_C_INT_WIDTH value was incorrectly set to 64 instead of 32. It is updated for PPC, Mips, and riscv64 architectures. Discussion links for solution: https://lists.openembedded.org/g/openembedded-core/message/207486 https://lists.openembedded.org/g/openembedded-core/message/207496 Signed-off-by: Harish Sadineni Signed-off-by: Richard Purdie (cherry picked from commit b9df8cd8b29064d115dab3bfd1ea14f94a5c0238) Signed-off-by: Steve Sakoman --- meta/classes-recipe/rust-target-config.bbclass | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/meta/classes-recipe/rust-target-config.bbclass b/meta/classes-recipe/rust-target-config.bbclass index 926b0630b1..1bd7626bd8 100644 --- a/meta/classes-recipe/rust-target-config.bbclass +++ b/meta/classes-recipe/rust-target-config.bbclass @@ -195,7 +195,7 @@ MAX_ATOMIC_WIDTH[mipsel] = "32" DATA_LAYOUT[mips64] = "E-m:e-i8:8:32-i16:16:32-i64:64-n32:64-S128" TARGET_ENDIAN[mips64] = "big" TARGET_POINTER_WIDTH[mips64] = "64" -TARGET_C_INT_WIDTH[mips64] = "64" +TARGET_C_INT_WIDTH[mips64] = "32" MAX_ATOMIC_WIDTH[mips64] = "64" ## mips64-n32-unknown-linux-{gnu, musl} @@ -209,7 +209,7 @@ MAX_ATOMIC_WIDTH[mips64-n32] = "64" DATA_LAYOUT[mips64el] = "e-m:e-i8:8:32-i16:16:32-i64:64-n32:64-S128" TARGET_ENDIAN[mips64el] = "little" TARGET_POINTER_WIDTH[mips64el] = "64" -TARGET_C_INT_WIDTH[mips64el] = "64" +TARGET_C_INT_WIDTH[mips64el] = "32" MAX_ATOMIC_WIDTH[mips64el] = "64" ## powerpc-unknown-linux-{gnu, musl} @@ -223,14 +223,14 @@ MAX_ATOMIC_WIDTH[powerpc] = "32" DATA_LAYOUT[powerpc64] = "E-m:e-i64:64-n32:64-S128-v256:256:256-v512:512:512" TARGET_ENDIAN[powerpc64] = "big" TARGET_POINTER_WIDTH[powerpc64] = "64" -TARGET_C_INT_WIDTH[powerpc64] = "64" +TARGET_C_INT_WIDTH[powerpc64] = "32" MAX_ATOMIC_WIDTH[powerpc64] = "64" ## powerpc64le-unknown-linux-{gnu, musl} DATA_LAYOUT[powerpc64le] = "e-m:e-i64:64-n32:64-v256:256:256-v512:512:512" TARGET_ENDIAN[powerpc64le] = "little" TARGET_POINTER_WIDTH[powerpc64le] = "64" -TARGET_C_INT_WIDTH[powerpc64le] = "64" +TARGET_C_INT_WIDTH[powerpc64le] = "32" MAX_ATOMIC_WIDTH[powerpc64le] = "64" ## riscv32gc-unknown-linux-{gnu, musl} @@ -244,7 +244,7 @@ MAX_ATOMIC_WIDTH[riscv32gc] = "32" DATA_LAYOUT[riscv64gc] = "e-m:e-p:64:64-i64:64-i128:128-n64-S128" TARGET_ENDIAN[riscv64gc] = "little" TARGET_POINTER_WIDTH[riscv64gc] = "64" -TARGET_C_INT_WIDTH[riscv64gc] = "64" +TARGET_C_INT_WIDTH[riscv64gc] = "32" MAX_ATOMIC_WIDTH[riscv64gc] = "64" ## loongarch64-unknown-linux-{gnu, musl} From patchwork Thu Jan 23 02:59:58 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steve Sakoman X-Patchwork-Id: 55989 X-Patchwork-Delegate: steve@sakoman.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD9C2C02181 for ; Thu, 23 Jan 2025 03:00:27 +0000 (UTC) Received: from mail-pj1-f54.google.com (mail-pj1-f54.google.com [209.85.216.54]) by mx.groups.io with SMTP id smtpd.web10.2990.1737601222240235415 for ; Wed, 22 Jan 2025 19:00:22 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@sakoman-com.20230601.gappssmtp.com header.s=20230601 header.b=r+2lgyWI; spf=softfail (domain: sakoman.com, ip: 209.85.216.54, mailfrom: steve@sakoman.com) Received: by mail-pj1-f54.google.com with SMTP id 98e67ed59e1d1-2ee46851b5eso665528a91.1 for ; Wed, 22 Jan 2025 19:00:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sakoman-com.20230601.gappssmtp.com; s=20230601; t=1737601221; x=1738206021; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=u3nmiGO9aH9qD9B8e4Xts+vQ5mOP/DZdsmyMdMOzzx8=; b=r+2lgyWIigbkmcfkvNpc3ZTlNDQ3Gqep6c8ZIw6FZjjodhNNCjJSkWWlWkZlS15ota C1RdQmpXWiB4Z7FKGjUWl9uxbIp5RRE4eb5lzreYu0DVnECV8WFs/uXVZzdzVDpmr0Nr mhfF5XYt03NZGC8f0xr3Kjwiw+btVuCc/M9FnYqvdw0njz3whCnLBnmep6ne4GgBrcDQ yr9PpXIeIe5oglzf2Dkdx+I6oCkX5VwD3zQ4RRuod1+hiPl6AKHSWh8ubMwCFuHJJJ3y hH87oF/VLx/UdkkzAqt6yGwT2TVJqBDoP+cTJ3MgK/mAz9WvUM2JWsTBIL4VCMoq1oHS RXOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1737601221; x=1738206021; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=u3nmiGO9aH9qD9B8e4Xts+vQ5mOP/DZdsmyMdMOzzx8=; b=R/+H9UCZlexZu+VIBz2i3m07HSbhoNLgLj9nOJT17MszN1C9y6vc1wFDVXJpuNtQsr 1Cab0kpyQ9g12cF9v1mZ2784a8uK/Z2DWIhsb4rURoHlgsKSzqiXJmLGtFLk3LikSPGK GMljbll/1qNoGGWHKNHx3r+Q75OK1ShrHdU0DmOB54TZ54IRtSu2g6alBJL12CcSctL/ khqDwydgr9bjE6rKqHH0XEgqmIXzfb96bC8j7NKUpnY0pBBmJs5McQjRl6G3JuAOsUGn 2fVDIPmGOthln4uSphA5DgyBZ8CuZ7RxU0E/4ArGdniJX0O0xoymOTTSWTMgDRN3ppxL UWAg== X-Gm-Message-State: AOJu0YyODx8iTRJd063nxvFN7nhkVP4Ku+JQJN3nJt9E6PX4MlyA9aL/ 1UUK/+Vx1ce4ce47fblEyjvbX50gLPQxmsMrKC4taaf3YC/9a/0/5xFLfayJyzwbVKrY9wO7h4J 6PzI= X-Gm-Gg: ASbGnct/a8h4nzEMlgWBTOHDS3lXjjjXBsUDWGwQxif0/EUjCgHBoN5bX658Fq2/bkN uMVJJFiZyDCwsSqim5iOPsuAPfFEvAdENb10S8OGUGj8XhK8pokrLoXXUKKqNSj+7HUeMQXfEWH yktYCv4PR20rg0GcH8VbTzbNX5Huje++56MNAXnGqw86MZ+9gAxXa5FUS7PJ1QbbFlXj+11ebUR eD/ADb/1XJE8L3KRojuoMUAxFw1j5npA+L9IcZm7s2G/U15ZfgcAXfGLaD06JhF7dtwOA== X-Google-Smtp-Source: AGHT+IHUUsN7ZbTGLWmFS+Z/6CkWkrNcI3x+LI3v/RFD8sgsq0CmEu/Lc32zDtX+1IRCWd1j1oXIoA== X-Received: by 2002:aa7:8887:0:b0:725:d956:aa6f with SMTP id d2e1a72fcca58-72daf931de0mr27355687b3a.5.1737601221526; Wed, 22 Jan 2025 19:00:21 -0800 (PST) Received: from hexa.. ([98.142.47.158]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72dab816accsm12048389b3a.69.2025.01.22.19.00.21 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Jan 2025 19:00:21 -0800 (PST) From: Steve Sakoman To: openembedded-core@lists.openembedded.org Subject: [OE-core][scarthgap 8/8] boost: fix do_fetch error Date: Wed, 22 Jan 2025 18:59:58 -0800 Message-ID: <7ecd0d5584b7692b58ac8039b4107c4e0836d553.1737601063.git.steve@sakoman.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 23 Jan 2025 03:00:27 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210173 From: Jiaying Song Change the SRC_URI to the correct value due to the following error: WARNING: boost-native-1.84.0-r0 do_fetch: Checksum failure encountered with download of https://boostorg.jfrog.io/artifactory/main/release/1.84.0/source/boost_1_84_0.tar.bz2 - will attempt other sources if available Signed-off-by: Jiaying Song Signed-off-by: Steve Sakoman --- meta/recipes-support/boost/boost-1.84.0.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-support/boost/boost-1.84.0.inc b/meta/recipes-support/boost/boost-1.84.0.inc index 5bbea2ba5b..be1ad20f47 100644 --- a/meta/recipes-support/boost/boost-1.84.0.inc +++ b/meta/recipes-support/boost/boost-1.84.0.inc @@ -11,7 +11,7 @@ BOOST_VER = "${@"_".join(d.getVar("PV").split("."))}" BOOST_MAJ = "${@"_".join(d.getVar("PV").split(".")[0:2])}" BOOST_P = "boost_${BOOST_VER}" -SRC_URI = "https://boostorg.jfrog.io/artifactory/main/release/${PV}/source/${BOOST_P}.tar.bz2" +SRC_URI = "https://archives.boost.io/release/${PV}/source/${BOOST_P}.tar.bz2" SRC_URI[sha256sum] = "cc4b893acf645c9d4b698e9a0f08ca8846aa5d6c68275c14c3e7949c24109454" UPSTREAM_CHECK_URI = "http://www.boost.org/users/download/"