OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rsync?expand=0&rev=6

2007-08-15 19:56:39 +00:00 · 2007-08-15 19:56:39 +00:00 · 6722232413
commit 6722232413
parent 73fa71965d
3 changed files with 71 additions and 2 deletions
--- a/rsync-overlong.patch
+++ b/rsync-overlong.patch
@ -0,0 +1,60 @@
+--- rsync-2.6.9.orig/sender.c	2006-09-20 03:53:32.000000000 +0200
+++ rsync-2.6.9/sender.c	2007-07-25 15:33:05.000000000 +0200
+@@ -123,6 +123,7 @@
+ 	char fname[MAXPATHLEN];
+ 	struct file_struct *file;
+ 	unsigned int offset;
+	size_t l = 0;
+ 
+ 	if (ndx < 0 || ndx >= the_file_list->count)
+ 		return;
+@@ -133,6 +134,20 @@
+ 				    file->dir.root, "/", NULL);
+ 	} else
+ 		offset = 0;
+
+	l = offset + 1;
+	if (file) {
+		if (file->dirname)
+			l += strlen(file->dirname);
+		if (file->basename)
+			l += strlen(file->basename);
+	}
+
+	if (l >= sizeof(fname)) {
+		rprintf(FERROR, "Overlong pathname\n");
+		exit_cleanup(RERR_FILESELECT);
+	}
+
+ 	f_name(file, fname + offset);
+ 	if (remove_source_files) {
+ 		if (do_unlink(fname) == 0) {
+@@ -224,6 +239,7 @@
+ 	enum logcode log_code = log_before_transfer ? FLOG : FINFO;
+ 	int f_xfer = write_batch < 0 ? batch_fd : f_out;
+ 	int i, j;
+	size_t l = 0;
+ 
+ 	if (verbose > 2)
+ 		rprintf(FINFO, "send_files starting\n");
+@@ -259,6 +275,20 @@
+ 				fname[offset++] = '/';
+ 		} else
+ 			offset = 0;
+
+		l = offset + 1;
+		if (file) {
+			if (file->dirname)
+				l += strlen(file->dirname);
+			if (file->basename)
+				l += strlen(file->basename);
+		}
+
+		if (l >= sizeof(fname)) {
+			rprintf(FERROR, "Overlong pathname\n");
+			exit_cleanup(RERR_FILESELECT);
+		}
+
+ 		fname2 = f_name(file, fname + offset);
+ 
+ 		if (verbose > 2)
--- a/rsync.changes
+++ b/rsync.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Thu Aug  2 13:52:28 CEST 2007 - ro@suse.de
+
+- protect from overlong filenames (#294073) CVE-2007-4091
+
 -------------------------------------------------------------------
 Mon May 14 12:50:38 CEST 2007 - mrueckert@suse.de

--- a/rsync.spec
+++ b/rsync.spec
@ -18,12 +18,12 @@ BuildRequires:  texlive-latex
 BuildRequires:  te_ams te_latex
 %endif
 BuildRequires:  popt-devel zlib-devel
-License:        GNU General Public License (GPL)
+License:        GPL v2 or later
 Group:          Productivity/Networking/Other
 PreReq:         %fillup_prereq %insserv_prereq
 Autoreqprov:    on
 Version:        2.6.9
-Release:        7
+Release:        33
 Summary:        Replacement for RCP/mirror that has Many More Features
 Source:         samba.org/ftp/rsync/rsync-%{version}.tar.bz2
 Source1:        logrotate.rsync
@ -34,6 +34,7 @@ Source5:        rsyncd.secrets
 Patch1:         slp-fix.diff
 Patch2:         slp.diff
 Patch3:         system-zlib.diff
+Patch4:         rsync-overlong.patch
 URL:            http://rsync.samba.org/
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define with_system_zlib 0
@ -69,6 +70,7 @@ cp configure.orig configure
 #patch -p1 < patches/slp.diff
 %patch2 -p1
 %patch1
+%patch4 -p1
 cp configure.orig configure

 %build
@ -134,6 +136,8 @@ ln -sf ../../etc/init.d/rsyncd                $RPM_BUILD_ROOT/usr/sbin/rcrsyncd
 %doc COPYING NEWS README tech_report.ps tech_report.tex

 %changelog
+* Thu Aug 02 2007 - ro@suse.de
+- protect from overlong filenames (#294073) CVE-2007-4091
 * Mon May 14 2007 - mrueckert@suse.de
 - make build work on older distros again.
 * Tue May 08 2007 - dmueller@suse.de