Accepting request 336730 from home:vitezslav_cizek:branches:network

- add a compatibility flag to avoid checksum collisions (bsc#900914) * fixes rsync equivalent of librsync's CVE-2014-8242 * added rsync-equivalent_of_CVE-2014-8242.patch - modify rsync-add_back_use_slp_directive.patch OBS-URL: https://build.opensuse.org/request/show/336730 OBS-URL: https://build.opensuse.org/package/show/network/rsync?expand=0&rev=47
2015-10-06 18:06:09 +00:00 · 2015-10-06 18:06:09 +00:00 · e31576eaae
commit e31576eaae
parent f44e0d97a6
4 changed files with 148 additions and 19 deletions
--- a/rsync-add_back_use_slp_directive.patch
+++ b/rsync-add_back_use_slp_directive.patch
@ -1,7 +1,7 @@
 Index: rsync-3.1.1/clientserver.c
 ===================================================================
--- rsync-3.1.1.orig/clientserver.c	2015-08-11 11:10:05.445550476 +0200
-+++ rsync-3.1.1/clientserver.c	2015-08-11 11:11:12.922400586 +0200
+--- rsync-3.1.1.orig/clientserver.c	2015-10-05 14:49:04.789801244 +0200
+++ rsync-3.1.1/clientserver.c	2015-10-05 14:49:04.799801378 +0200
@@ -1200,7 +1200,7 @@ int daemon_main(void)
 	 * local address??? */
 
@ -13,8 +13,8 @@ Index: rsync-3.1.1/clientserver.c
 	}
 Index: rsync-3.1.1/loadparm.c
 ===================================================================
--- rsync-3.1.1.orig/loadparm.c	2015-08-11 11:10:05.445550476 +0200
-+++ rsync-3.1.1/loadparm.c	2015-08-11 11:32:41.294010307 +0200
+--- rsync-3.1.1.orig/loadparm.c	2015-10-05 14:49:04.790801257 +0200
+++ rsync-3.1.1/loadparm.c	2015-10-05 15:40:06.561346152 +0200
@@ -101,6 +101,7 @@ typedef struct {
 	int rsync_port;
 #ifdef HAVE_LIBSLP
@ -23,23 +23,26 @@ Index: rsync-3.1.1/loadparm.c
 #endif
 } global_vars;
 
-@@ -322,6 +323,7 @@ static struct parm_struct parm_table[] =
+@@ -181,6 +182,10 @@ static const all_vars Defaults = {
+ 
+  /* listen_backlog; */		5,
+  /* rsync_port; */		0,
+#ifdef HAVE_LIBSLP
+ /* slp_refresh; */		0,
+ /* use_slp; */			True,
+#endif
+  },
+ 
+  /* ==== local_vars ==== */
+@@ -322,6 +327,7 @@ static struct parm_struct parm_table[] =
  {"port",              P_INTEGER,P_GLOBAL,&Vars.g.rsync_port,          NULL,0},
 #ifdef HAVE_LIBSLP
  {"slp refresh",       P_INTEGER,P_GLOBAL,&Vars.g.slp_refresh,         NULL,0},
-+ {"use slp",           P_BOOL,   P_GLOBAL,&Vars.g.use_slp,            NULL,0},
+ {"use slp",           P_BOOL,   P_GLOBAL,&Vars.g.use_slp,             NULL,0},
 #endif
  {"socket options",    P_STRING, P_GLOBAL,&Vars.g.socket_options,      NULL,0},
 
-@@ -376,6 +378,7 @@ static struct parm_struct parm_table[] =
- static void reset_all_vars(void)
- {
- 	memcpy(&Vars, &Defaults, sizeof Vars);
-+	Vars.g.use_slp = True;
- }
- 
- /* Expand %VAR% references.  Any unknown vars or unrecognized
-@@ -458,6 +461,7 @@ FN_GLOBAL_INTEGER(lp_listen_backlog, &Va
+@@ -458,6 +464,7 @@ FN_GLOBAL_INTEGER(lp_listen_backlog, &Va
 FN_GLOBAL_INTEGER(lp_rsync_port, &Vars.g.rsync_port)
 #ifdef HAVE_LIBSLP
 FN_GLOBAL_INTEGER(lp_slp_refresh, &Vars.g.slp_refresh)
@ -49,8 +52,8 @@ Index: rsync-3.1.1/loadparm.c
 FN_LOCAL_STRING(lp_auth_users, auth_users)
 Index: rsync-3.1.1/rsyncd.conf.yo
 ===================================================================
--- rsync-3.1.1.orig/rsyncd.conf.yo	2015-08-11 11:10:05.447550501 +0200
-+++ rsync-3.1.1/rsyncd.conf.yo	2015-08-11 11:34:15.206231147 +0200
+--- rsync-3.1.1.orig/rsyncd.conf.yo	2015-10-05 14:49:04.791801270 +0200
+++ rsync-3.1.1/rsyncd.conf.yo	2015-10-05 14:49:04.799801378 +0200
@@ -124,6 +124,10 @@ via the bf(--sockopts) command-line opti
 dit(bf(listen backlog)) You can override the default backlog value when the
 daemon listens for connections.  It defaults to 5.
@ -64,8 +67,8 @@ Index: rsync-3.1.1/rsyncd.conf.yo
 you have Service Location Protocol support compiled in. If this is
 Index: rsync-3.1.1/socket.c
 ===================================================================
--- rsync-3.1.1.orig/socket.c	2015-08-11 11:10:05.447550501 +0200
-+++ rsync-3.1.1/socket.c	2015-08-11 11:35:25.434145276 +0200
+--- rsync-3.1.1.orig/socket.c	2015-10-05 14:49:04.791801270 +0200
+++ rsync-3.1.1/socket.c	2015-10-05 14:49:04.799801378 +0200
@@ -546,7 +546,7 @@ void start_accept_loop(int port, int (*f
 	int *sp, maxfd, i;
 #ifdef HAVE_LIBSLP
@ -75,3 +78,23 @@ Index: rsync-3.1.1/socket.c
 	if (slp_timeout) {
 		if (slp_timeout < SLP_MIN_TIMEOUT)
 			slp_timeout = SLP_MIN_TIMEOUT;
+Index: rsync-3.1.1/main.c
+===================================================================
+--- rsync-3.1.1.orig/main.c	2015-10-05 14:49:04.790801257 +0200
+++ rsync-3.1.1/main.c	2015-10-05 14:49:04.800801392 +0200
+@@ -1250,8 +1250,13 @@ static int start_client(int argc, char *
+ 		if (shell_machine && !shell_machine[0]) {
+ #ifdef HAVE_LIBSLP
+ 			/* User entered just rsync:// URI */
+-			print_service_list();
+-			exit_cleanup(0);
+			if (lp_use_slp()) {
+				print_service_list();
+				exit_cleanup(0);
+			} else {
+				rprintf(FINFO, "SLP is disabled, cannot browse\n");
+				exit_cleanup(RERR_SYNTAX);
+			}
+ #else /* No SLP, die here */
+ 			rprintf(FINFO, "No SLP support, cannot browse\n");
+ 			exit_cleanup(RERR_SYNTAX);
--- a/rsync-equivalent_of_CVE-2014-8242.patch
+++ b/rsync-equivalent_of_CVE-2014-8242.patch
@ -0,0 +1,95 @@
+From eac858085e3ac94ec0ab5061d11f52652c90a869 Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayned@samba.org>
+Date: Mon, 11 May 2015 12:36:20 -0700
+Subject: [PATCH] Add compat flag to allow proper seed checksum order. Fixes
+ the equivalent of librsync's CVE-2014-8242 issue.
+
+---
+ checksum.c | 17 +++++++++++++----
+ compat.c   |  5 +++++
+ options.c  |  1 +
+ 3 files changed, 19 insertions(+), 4 deletions(-)
+
+Index: rsync-3.1.1/checksum.c
+===================================================================
+--- rsync-3.1.1.orig/checksum.c	2015-10-06 11:18:33.293065513 +0200
+++ rsync-3.1.1/checksum.c	2015-10-06 11:18:34.382078657 +0200
+@@ -23,6 +23,7 @@
+ 
+ extern int checksum_seed;
+ extern int protocol_version;
+extern int proper_seed_order;
+ 
+ /*
+   a simple 32 bit checksum that can be upadted from either end
+@@ -54,10 +55,18 @@ void get_checksum2(char *buf, int32 len,
+ 	if (protocol_version >= 30) {
+ 		uchar seedbuf[4];
+ 		md5_begin(&m);
+-		md5_update(&m, (uchar *)buf, len);
+-		if (checksum_seed) {
+-			SIVALu(seedbuf, 0, checksum_seed);
+-			md5_update(&m, seedbuf, 4);
+		if (proper_seed_order) {
+			if (checksum_seed) {
+				SIVALu(seedbuf, 0, checksum_seed);
+				md5_update(&m, seedbuf, 4);
+			}
+			md5_update(&m, (uchar *)buf, len);
+		} else {
+			md5_update(&m, (uchar *)buf, len);
+			if (checksum_seed) {
+				SIVALu(seedbuf, 0, checksum_seed);
+				md5_update(&m, seedbuf, 4);
+			}
+ 		}
+ 		md5_result(&m, (uchar *)sum);
+ 	} else {
+Index: rsync-3.1.1/compat.c
+===================================================================
+--- rsync-3.1.1.orig/compat.c	2015-10-06 11:18:33.293065513 +0200
+++ rsync-3.1.1/compat.c	2015-10-06 11:18:34.383078669 +0200
+@@ -27,6 +27,7 @@ int inc_recurse = 0;
+ int compat_flags = 0;
+ int use_safe_inc_flist = 0;
+ int want_xattr_optim = 0;
+int proper_seed_order = 0;
+ 
+ extern int am_server;
+ extern int am_sender;
+@@ -78,6 +79,7 @@ int filesfrom_convert = 0;
+ #define CF_SYMLINK_ICONV (1<<2)
+ #define CF_SAFE_FLIST	 (1<<3)
+ #define CF_AVOID_XATTR_OPTIM (1<<4)
+#define CF_CHKSUM_SEED_FIX (1<<5)
+ 
+ static const char *client_info;
+ 
+@@ -257,12 +259,15 @@ void setup_protocol(int f_out,int f_in)
+ 				compat_flags |= CF_SAFE_FLIST;
+ 			if (local_server || strchr(client_info, 'x') != NULL)
+ 				compat_flags |= CF_AVOID_XATTR_OPTIM;
+			if (local_server || strchr(client_info, 'C') != NULL)
+				compat_flags |= CF_CHKSUM_SEED_FIX;
+ 			write_byte(f_out, compat_flags);
+ 		} else
+ 			compat_flags = read_byte(f_in);
+ 		/* The inc_recurse var MUST be set to 0 or 1. */
+ 		inc_recurse = compat_flags & CF_INC_RECURSE ? 1 : 0;
+ 		want_xattr_optim = protocol_version >= 31 && !(compat_flags & CF_AVOID_XATTR_OPTIM);
+		proper_seed_order = compat_flags & CF_CHKSUM_SEED_FIX ? 1 : 0;
+ 		if (am_sender) {
+ 			receiver_symlink_times = am_server
+ 			    ? strchr(client_info, 'L') != NULL
+Index: rsync-3.1.1/options.c
+===================================================================
+--- rsync-3.1.1.orig/options.c	2015-10-06 11:18:34.383078669 +0200
+++ rsync-3.1.1/options.c	2015-10-06 11:19:37.630842114 +0200
+@@ -2505,6 +2505,7 @@ void server_options(char **args, int *ar
+ #endif
+ 		argstr[x++] = 'f'; /* flist I/O-error safety support */
+ 		argstr[x++] = 'x'; /* xattr hardlink optimization not desired */
+		argstr[x++] = 'C'; /* support checksum seed order fix */
+ 	}
+ 
+ 	if (x >= (int)sizeof argstr) { /* Not possible... */
--- a/rsync.changes
+++ b/rsync.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Oct  6 11:16:55 UTC 2015 - vcizek@suse.com
+
+- add a compatibility flag to avoid checksum collisions (bsc#900914)
+  * fixes rsync equivalent of librsync's CVE-2014-8242
+  * added rsync-equivalent_of_CVE-2014-8242.patch
+- modify rsync-add_back_use_slp_directive.patch
+
 -------------------------------------------------------------------
 Tue Aug 11 09:40:36 UTC 2015 - vcizek@suse.com

--- a/rsync.spec
+++ b/rsync.spec
@ -44,7 +44,9 @@ Source12:       %{name}.keyring
 Patch3:         system-zlib.diff
 Patch4:         rsync-CVE-2014-9512.patch
 Patch5:         rsync-no-libattr.patch
+#PATCH-FIX-SUSE boo#922710 slp
 Patch6:         rsync-add_back_use_slp_directive.patch
+Patch7:         rsync-equivalent_of_CVE-2014-8242.patch
 BuildRequires:  autoconf
 BuildRequires:  libacl-devel
 BuildRequires:  openslp-devel
@ -87,6 +89,7 @@ patch -p1 < patches/acls.diff
 patch -p1 < patches/xattrs.diff
 patch -p1 < patches/slp.diff
 %patch6 -p1
+%patch7 -p1
 # fate#312479
 patch -p1 < patches/time-limit.diff
 %patch5 -p1