OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rsync?expand=0&rev=6

rsync-overlong.patch

@@ -0,0 +1,60 @@
+--- rsync-2.6.9.orig/sender.c	2006-09-20 03:53:32.000000000 +0200
++++ rsync-2.6.9/sender.c	2007-07-25 15:33:05.000000000 +0200
+@@ -123,6 +123,7 @@
+ 	char fname[MAXPATHLEN];
+ 	struct file_struct *file;
+ 	unsigned int offset;
++	size_t l = 0;
+ 
+ 	if (ndx < 0 || ndx >= the_file_list->count)
+ 		return;
+@@ -133,6 +134,20 @@
+ 				    file->dir.root, "/", NULL);
+ 	} else
+ 		offset = 0;
++
++	l = offset + 1;
++	if (file) {
++		if (file->dirname)
++			l += strlen(file->dirname);
++		if (file->basename)
++			l += strlen(file->basename);
++	}
++
++	if (l >= sizeof(fname)) {
++		rprintf(FERROR, "Overlong pathname\n");
++		exit_cleanup(RERR_FILESELECT);
++	}
++
+ 	f_name(file, fname + offset);
+ 	if (remove_source_files) {
+ 		if (do_unlink(fname) == 0) {
+@@ -224,6 +239,7 @@
+ 	enum logcode log_code = log_before_transfer ? FLOG : FINFO;
+ 	int f_xfer = write_batch < 0 ? batch_fd : f_out;
+ 	int i, j;
++	size_t l = 0;
+ 
+ 	if (verbose > 2)
+ 		rprintf(FINFO, "send_files starting\n");
+@@ -259,6 +275,20 @@
+ 				fname[offset++] = '/';
+ 		} else
+ 			offset = 0;
++
++		l = offset + 1;
++		if (file) {
++			if (file->dirname)
++				l += strlen(file->dirname);
++			if (file->basename)
++				l += strlen(file->basename);
++		}
++
++		if (l >= sizeof(fname)) {
++			rprintf(FERROR, "Overlong pathname\n");
++			exit_cleanup(RERR_FILESELECT);
++		}
++
+ 		fname2 = f_name(file, fname + offset);
+ 
+ 		if (verbose > 2)

rsync.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Aug  2 13:52:28 CEST 2007 - ro@suse.de
+
+- protect from overlong filenames (#294073) CVE-2007-4091
+
 -------------------------------------------------------------------
 Mon May 14 12:50:38 CEST 2007 - mrueckert@suse.de
 

rsync.spec

@@ -18,12 +18,12 @@ BuildRequires:  texlive-latex
 BuildRequires:  te_ams te_latex
 %endif
 BuildRequires:  popt-devel zlib-devel
-License:        GNU General Public License (GPL)
+License:        GPL v2 or later
 Group:          Productivity/Networking/Other
 PreReq:         %fillup_prereq %insserv_prereq
 Autoreqprov:    on
 Version:        2.6.9
-Release:        7
+Release:        33
 Summary:        Replacement for RCP/mirror that has Many More Features
 Source:         samba.org/ftp/rsync/rsync-%{version}.tar.bz2
 Source1:        logrotate.rsync
@@ -34,6 +34,7 @@ Source5:        rsyncd.secrets
 Patch1:         slp-fix.diff
 Patch2:         slp.diff
 Patch3:         system-zlib.diff
+Patch4:         rsync-overlong.patch
 URL:            http://rsync.samba.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define with_system_zlib 0
@@ -69,6 +70,7 @@ cp configure.orig configure
 #patch -p1 < patches/slp.diff
 %patch2 -p1
 %patch1
+%patch4 -p1
 cp configure.orig configure
 
 %build
@@ -134,6 +136,8 @@ ln -sf ../../etc/init.d/rsyncd                $RPM_BUILD_ROOT/usr/sbin/rcrsyncd
 %doc COPYING NEWS README tech_report.ps tech_report.tex
 
 %changelog
+* Thu Aug 02 2007 - ro@suse.de
+- protect from overlong filenames (#294073) CVE-2007-4091
 * Mon May 14 2007 - mrueckert@suse.de
 - make build work on older distros again.
 * Tue May 08 2007 - dmueller@suse.de