- Update to 3.4

* Bump to protocol 32
  Drop CVE patches:
  * Removed rsync-CVE-2024-12084-overflow-01.patch
  * Removed rsync-CVE-2024-12084-overflow-02.patch
  * Removed rsync-CVE-2024-12085.patch
  * Removed rsync-CVE-2024-12086_01.patch
  * Removed rsync-CVE-2024-12086_02.patch
  * Removed rsync-CVE-2024-12086_03.patch
  * Removed rsync-CVE-2024-12086_04.patch
  * Removed rsync-CVE-2024-12087_01.patch
  * Removed rsync-CVE-2024-12087_02.patch
  * Removed rsync-CVE-2024-12088.patch
  * Removed rsync-CVE-2024-12747.patch

OBS-URL: https://build.opensuse.org/package/show/network/rsync?expand=0&rev=130

rsync-3.3.0.tar.gz.asc

@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQQASMiwJtTJbw5YnC9shZ+xS5aoxQUCZhF6vQAKCRBshZ+xS5ao
-xZ6kAKDZkE3C9w/cu8o3/Ic5KNycbcTw8gCdH/pdNo6kSGF3qLelFI6uK5Q4jdA=
-=vJGJ
------END PGP SIGNATURE-----

rsync-3.4.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8e942f95a44226a012fe822faffa6c7fc38c34047add3a0c941e9bc8b8b93aa4
+size 1167983

rsync-3.4.0.tar.gz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJIBAABCgAyFiEEn+8RLc4ZoNx+iCy4G7JJl6hTX28FAmeGuIAUHGFuZHJld0B0
+cmlkZ2VsbC5uZXQACgkQG7JJl6hTX29nyRAAn8QQ88FiH7auK/Jsw876mHGrvwv6
+U4ny4S7GXaWjmk3gsl8U7U1agst18az39nsKmf4ILo29JuLtMRb3qMrOPCemOJF5
+qKTNQNn0H2qKkyAJQHivtKDxI++ZW0O7dtoEcoMVbuR8S/f1z0xH4cOcP52XnLSa
+4/ycwDTS2MC1o5OIoVdgSSyB7/WYwU/b/0DR9ZUpRlPa4M3Six5cOJeu22+XQx9O
+MXQ6xHMCzyN52jNs449TrXzFU1cGtliA4ug/FkgXD5Tkdn+Ktrb2oeWk37bDvYx6
+waL5SBGrSiMmDAHHnmRCW+0xWxBe8fR5RgQRiyMmIVIewZmH6PczsB3z8Q6bTwLU
+7fhBVd4jX3kxsv7t+VkeVTsw6bAKIw/vDNKnhwpOTLGLkLvVmt+r6OBRXl5CuhT8
+sU3+Jj4cZ7XSPgcAA3P/nVX9Lbrj5iff1/bebIHXcNNh30gMP89PFaVoAr0O/XOm
+94pqiLAFPwnzhc8QJN8VRc+ERB6Mjp6aTozLGoDIfLGEs5PUOyY5RC4x6mjUKzla
+zu7lCNEJ2U4+nQr33qKBrvPCmz/Ku4bwsqtPbUUVPUsSBmLJdZCcLD7yHbTSYTbG
+NRQXZ19pzhGJWYoNZsiobveLK/C3Qgx8ZH3DFw4vqNHVV/sk05zrIT3WC+twagJl
+aLNsQ67nthgXqmk=
+=6bD5
+-----END PGP SIGNATURE-----

rsync-CVE-2024-12084-overflow-01.patch

@@ -1,152 +0,0 @@
-From 0902b52f6687b1f7952422080d50b93108742e53 Mon Sep 17 00:00:00 2001
-From: Wayne Davison <wayne@opencoder.net>
-Date: Tue, 29 Oct 2024 22:55:29 -0700
-Subject: [PATCH 1/2] Some checksum buffer fixes.
-
-- Put sum2_array into sum_struct to hold an array of sum2 checksums
-  that are each xfer_sum_len bytes.
-- Remove sum2 buf from sum_buf.
-- Add macro sum2_at() to access each sum2 array element.
-- Throw an error if a sums header has an s2length larger than
-  xfer_sum_len.
----
- io.c     | 3 ++-
- match.c  | 8 ++++----
- rsync.c  | 5 ++++-
- rsync.h  | 4 +++-
- sender.c | 4 +++-
- 5 files changed, 16 insertions(+), 8 deletions(-)
-
-diff --git a/io.c b/io.c
-index a99ac0ec..bb60eeca 100644
---- a/io.c
-+++ b/io.c
-@@ -55,6 +55,7 @@ extern int read_batch;
- extern int compat_flags;
- extern int protect_args;
- extern int checksum_seed;
-+extern int xfer_sum_len;
- extern int daemon_connection;
- extern int protocol_version;
- extern int remove_source_files;
-@@ -1977,7 +1978,7 @@ void read_sum_head(int f, struct sum_struct *sum)
- 		exit_cleanup(RERR_PROTOCOL);
- 	}
- 	sum->s2length = protocol_version < 27 ? csum_length : (int)read_int(f);
--	if (sum->s2length < 0 || sum->s2length > MAX_DIGEST_LEN) {
-+	if (sum->s2length < 0 || sum->s2length > xfer_sum_len) {
- 		rprintf(FERROR, "Invalid checksum length %d [%s]\n",
- 			sum->s2length, who_am_i());
- 		exit_cleanup(RERR_PROTOCOL);
-diff --git a/match.c b/match.c
-index cdb30a15..36e78ed2 100644
---- a/match.c
-+++ b/match.c
-@@ -232,7 +232,7 @@ static void hash_search(int f,struct sum_struct *s,
- 				done_csum2 = 1;
- 			}
- 
--			if (memcmp(sum2,s->sums[i].sum2,s->s2length) != 0) {
-+			if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0) {
- 				false_alarms++;
- 				continue;
- 			}
-@@ -252,7 +252,7 @@ static void hash_search(int f,struct sum_struct *s,
- 					if (i != aligned_i) {
- 						if (sum != s->sums[aligned_i].sum1
- 						 || l != s->sums[aligned_i].len
--						 || memcmp(sum2, s->sums[aligned_i].sum2, s->s2length) != 0)
-+						 || memcmp(sum2, sum2_at(s, aligned_i), s->s2length) != 0)
- 							goto check_want_i;
- 						i = aligned_i;
- 					}
-@@ -271,7 +271,7 @@ static void hash_search(int f,struct sum_struct *s,
- 						if (sum != s->sums[i].sum1)
- 							goto check_want_i;
- 						get_checksum2((char *)map, l, sum2);
--						if (memcmp(sum2, s->sums[i].sum2, s->s2length) != 0)
-+						if (memcmp(sum2, sum2_at(s, i), s->s2length) != 0)
- 							goto check_want_i;
- 						/* OK, we have a re-alignment match.  Bump the offset
- 						 * forward to the new match point. */
-@@ -290,7 +290,7 @@ static void hash_search(int f,struct sum_struct *s,
- 			 && (!updating_basis_file || s->sums[want_i].offset >= offset
- 			  || s->sums[want_i].flags & SUMFLG_SAME_OFFSET)
- 			 && sum == s->sums[want_i].sum1
--			 && memcmp(sum2, s->sums[want_i].sum2, s->s2length) == 0) {
-+			 && memcmp(sum2, sum2_at(s, want_i), s->s2length) == 0) {
- 				/* we've found an adjacent match - the RLL coder
- 				 * will be happy */
- 				i = want_i;
-diff --git a/rsync.c b/rsync.c
-index cd288f57..b130aba5 100644
---- a/rsync.c
-+++ b/rsync.c
-@@ -437,7 +437,10 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr, cha
-   */
- void free_sums(struct sum_struct *s)
- {
--	if (s->sums) free(s->sums);
-+	if (s->sums) {
-+		free(s->sums);
-+		free(s->sum2_array);
-+	}
- 	free(s);
- }
- 
-diff --git a/rsync.h b/rsync.h
-index d3709fe0..8ddbe702 100644
---- a/rsync.h
-+++ b/rsync.h
-@@ -958,12 +958,12 @@ struct sum_buf {
- 	uint32 sum1;	        /**< simple checksum */
- 	int32 chain;		/**< next hash-table collision */
- 	short flags;		/**< flag bits */
--	char sum2[SUM_LENGTH];	/**< checksum  */
- };
- 
- struct sum_struct {
- 	OFF_T flength;		/**< total file length */
- 	struct sum_buf *sums;	/**< points to info for each chunk */
-+	char *sum2_array;	/**< checksums of length xfer_sum_len */
- 	int32 count;		/**< how many chunks */
- 	int32 blength;		/**< block_length */
- 	int32 remainder;	/**< flength % block_length */
-@@ -982,6 +982,8 @@ struct map_struct {
- 	int status;		/* first errno from read errors		*/
- };
- 
-+#define sum2_at(s, i)	((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len))
-+
- #define NAME_IS_FILE		(0)    /* filter name as a file */
- #define NAME_IS_DIR		(1<<0) /* filter name as a dir */
- #define NAME_IS_XATTR		(1<<2) /* filter name as an xattr */
-diff --git a/sender.c b/sender.c
-index 3d4f052e..ab205341 100644
---- a/sender.c
-+++ b/sender.c
-@@ -31,6 +31,7 @@ extern int log_before_transfer;
- extern int stdout_format_has_i;
- extern int logfile_format_has_i;
- extern int want_xattr_optim;
-+extern int xfer_sum_len;
- extern int csum_length;
- extern int append_mode;
- extern int copy_links;
-@@ -94,10 +95,11 @@ static struct sum_struct *receive_sums(int f)
- 		return(s);
- 
- 	s->sums = new_array(struct sum_buf, s->count);
-+	s->sum2_array = new_array(char, s->count * xfer_sum_len);
- 
- 	for (i = 0; i < s->count; i++) {
- 		s->sums[i].sum1 = read_int(f);
--		read_buf(f, s->sums[i].sum2, s->s2length);
-+		read_buf(f, sum2_at(s, i), s->s2length);
- 
- 		s->sums[i].offset = offset;
- 		s->sums[i].flags = 0;
--- 
-2.34.1
-
-

rsync-CVE-2024-12084-overflow-02.patch

@@ -1,40 +0,0 @@
-From 42e2b56c4ede3ab164f9a5c6dae02aa84606a6c1 Mon Sep 17 00:00:00 2001
-From: Wayne Davison <wayne@opencoder.net>
-Date: Tue, 5 Nov 2024 11:01:03 -0800
-Subject: [PATCH 2/2] Another cast when multiplying integers.
-
----
- rsync.h  | 2 +-
- sender.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/rsync.h b/rsync.h
-index 8ddbe702..0f9e277f 100644
---- a/rsync.h
-+++ b/rsync.h
-@@ -982,7 +982,7 @@ struct map_struct {
- 	int status;		/* first errno from read errors		*/
- };
- 
--#define sum2_at(s, i)	((s)->sum2_array + ((OFF_T)(i) * xfer_sum_len))
-+#define sum2_at(s, i)	((s)->sum2_array + ((size_t)(i) * xfer_sum_len))
- 
- #define NAME_IS_FILE		(0)    /* filter name as a file */
- #define NAME_IS_DIR		(1<<0) /* filter name as a dir */
-diff --git a/sender.c b/sender.c
-index ab205341..2bbff2fa 100644
---- a/sender.c
-+++ b/sender.c
-@@ -95,7 +95,7 @@ static struct sum_struct *receive_sums(int f)
- 		return(s);
- 
- 	s->sums = new_array(struct sum_buf, s->count);
--	s->sum2_array = new_array(char, s->count * xfer_sum_len);
-+	s->sum2_array = new_array(char, (size_t)s->count * xfer_sum_len);
- 
- 	for (i = 0; i < s->count; i++) {
- 		s->sums[i].sum1 = read_int(f);
--- 
-2.34.1
-
-

rsync-CVE-2024-12085.patch

@@ -1,28 +0,0 @@
-From cf620065502f065d4ea44f5df4f81295a738aa21 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <andrew@tridgell.net>
-Date: Thu, 14 Nov 2024 09:57:08 +1100
-Subject: [PATCH] prevent information leak off the stack
-
-prevent leak of uninitialised stack data in hash_search
----
- match.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/match.c b/match.c
-index 36e78ed2..dfd6af2c 100644
---- a/match.c
-+++ b/match.c
-@@ -147,6 +147,9 @@ static void hash_search(int f,struct sum_struct *s,
- 	int more;
- 	schar *map;
- 
-+	// prevent possible memory leaks
-+	memset(sum2, 0, sizeof sum2);
-+
- 	/* want_i is used to encourage adjacent matches, allowing the RLL
- 	 * coding of the output to work more efficiently. */
- 	want_i = 0;
--- 
-2.34.1
-
-

rsync-CVE-2024-12086_01.patch

@@ -1,38 +0,0 @@
-From 3feb8669d875d03c9ceb82e208ef40ddda8eb908 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <andrew@tridgell.net>
-Date: Sat, 23 Nov 2024 11:08:03 +1100
-Subject: [PATCH 1/4] refuse fuzzy options when fuzzy not selected
-
-this prevents a malicious server providing a file to compare to when
-the user has not given the fuzzy option
----
- receiver.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/receiver.c b/receiver.c
-index 6b4b369e..2d7f6033 100644
---- a/receiver.c
-+++ b/receiver.c
-@@ -66,6 +66,7 @@ extern char sender_file_sum[MAX_DIGEST_LEN];
- extern struct file_list *cur_flist, *first_flist, *dir_flist;
- extern filter_rule_list daemon_filter_list;
- extern OFF_T preallocated_len;
-+extern int fuzzy_basis;
- 
- extern struct name_num_item *xfer_sum_nni;
- extern int xfer_sum_len;
-@@ -716,6 +717,10 @@ int recv_files(int f_in, int f_out, char *local_name)
- 				fnamecmp = get_backup_name(fname);
- 				break;
- 			case FNAMECMP_FUZZY:
-+				if (fuzzy_basis == 0) {
-+					rprintf(FERROR_XFER, "rsync: refusing malicious fuzzy operation for %s\n", xname);
-+					exit_cleanup(RERR_PROTOCOL);
-+				}
- 				if (file->dirname) {
- 					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
- 					fnamecmp = fnamecmpbuf;
--- 
-2.34.1
-
-

rsync-CVE-2024-12086_02.patch

@@ -1,104 +0,0 @@
-From 33385aefe4773e7a3982d41995681eb079c92d12 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <andrew@tridgell.net>
-Date: Sat, 23 Nov 2024 12:26:10 +1100
-Subject: [PATCH 2/4] added secure_relative_open()
-
-this is an open that enforces no symlink following for all path
-components in a relative path
----
- syscall.c | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 74 insertions(+)
-
-diff --git a/syscall.c b/syscall.c
-index d92074aa..a4b7f542 100644
---- a/syscall.c
-+++ b/syscall.c
-@@ -33,6 +33,8 @@
- #include <sys/syscall.h>
- #endif
- 
-+#include "ifuncs.h"
-+
- extern int dry_run;
- extern int am_root;
- extern int am_sender;
-@@ -712,3 +714,75 @@ int do_open_nofollow(const char *pathname, int flags)
- 
- 	return fd;
- }
-+
-+/*
-+  open a file relative to a base directory. The basedir can be NULL,
-+  in which case the current working directory is used. The relpath
-+  must be a relative path, and the relpath must not contain any
-+  elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
-+  applies to all path components, not just the last component)
-+*/
-+int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
-+{
-+	if (!relpath || relpath[0] == '/') {
-+		// must be a relative path
-+		errno = EINVAL;
-+		return -1;
-+	}
-+
-+#if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
-+	// really old system, all we can do is live with the risks
-+	if (!basedir) {
-+		return open(relpath, flags, mode);
-+	}
-+	char fullpath[MAXPATHLEN];
-+	pathjoin(fullpath, sizeof fullpath, basedir, relpath);
-+	return open(fullpath, flags, mode);
-+#else
-+	int dirfd = AT_FDCWD;
-+	if (basedir != NULL) {
-+		dirfd = openat(AT_FDCWD, basedir, O_RDONLY | O_DIRECTORY);
-+		if (dirfd == -1) {
-+			return -1;
-+		}
-+	}
-+	int retfd = -1;
-+
-+	char *path_copy = my_strdup(relpath, __FILE__, __LINE__);
-+	if (!path_copy) {
-+		return -1;
-+	}
-+	
-+	for (const char *part = strtok(path_copy, "/");
-+	     part != NULL;
-+	     part = strtok(NULL, "/"))
-+	{
-+		int next_fd = openat(dirfd, part, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
-+		if (next_fd == -1 && errno == ENOTDIR) {
-+			if (strtok(NULL, "/") != NULL) {
-+				// this is not the last component of the path
-+				errno = ELOOP;
-+				goto cleanup;
-+			}
-+			// this could be the last component of the path, try as a file
-+			retfd = openat(dirfd, part, flags | O_NOFOLLOW, mode);
-+			goto cleanup;
-+		}
-+		if (next_fd == -1) {
-+			goto cleanup;
-+		}
-+		if (dirfd != AT_FDCWD) close(dirfd);
-+		dirfd = next_fd;
-+	}
-+
-+	// the path must be a directory
-+	errno = EINVAL;
-+
-+cleanup:
-+	free(path_copy);
-+	if (dirfd != AT_FDCWD) {
-+		close(dirfd);
-+	}
-+	return retfd;
-+#endif // O_NOFOLLOW, O_DIRECTORY
-+}
--- 
-2.34.1
-
-

rsync-CVE-2024-12086_03.patch

@@ -1,104 +0,0 @@
-From e59ef9939d3f0ccc8f9bab51442989a81be0c914 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <andrew@tridgell.net>
-Date: Sat, 23 Nov 2024 12:28:13 +1100
-Subject: [PATCH 3/4] receiver: use secure_relative_open() for basis file
-
-this prevents attacks where the basis file is manipulated by a
-malicious sender to gain information about files outside the
-destination tree
----
- receiver.c | 42 ++++++++++++++++++++++++++----------------
- 1 file changed, 26 insertions(+), 16 deletions(-)
-
-diff --git a/receiver.c b/receiver.c
-index 2d7f6033..8031b8f4 100644
---- a/receiver.c
-+++ b/receiver.c
-@@ -552,6 +552,8 @@ int recv_files(int f_in, int f_out, char *local_name)
- 	progress_init();
- 
- 	while (1) {
-+		const char *basedir = NULL;
-+
- 		cleanup_disable();
- 
- 		/* This call also sets cur_flist. */
-@@ -722,27 +724,29 @@ int recv_files(int f_in, int f_out, char *local_name)
- 					exit_cleanup(RERR_PROTOCOL);
- 				}
- 				if (file->dirname) {
--					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, file->dirname, xname);
--					fnamecmp = fnamecmpbuf;
--				} else
--					fnamecmp = xname;
-+					basedir = file->dirname;
-+				}
-+				fnamecmp = xname;
- 				break;
- 			default:
- 				if (fnamecmp_type > FNAMECMP_FUZZY && fnamecmp_type-FNAMECMP_FUZZY <= basis_dir_cnt) {
- 					fnamecmp_type -= FNAMECMP_FUZZY + 1;
- 					if (file->dirname) {
--						stringjoin(fnamecmpbuf, sizeof fnamecmpbuf,
--							   basis_dir[fnamecmp_type], "/", file->dirname, "/", xname, NULL);
--					} else
--						pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], xname);
-+						pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], file->dirname);
-+						basedir = fnamecmpbuf;
-+					} else {
-+						basedir = basis_dir[fnamecmp_type];
-+					}
-+					fnamecmp = xname;
- 				} else if (fnamecmp_type >= basis_dir_cnt) {
- 					rprintf(FERROR,
- 						"invalid basis_dir index: %d.\n",
- 						fnamecmp_type);
- 					exit_cleanup(RERR_PROTOCOL);
--				} else
--					pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basis_dir[fnamecmp_type], fname);
--				fnamecmp = fnamecmpbuf;
-+				} else {
-+					basedir = basis_dir[fnamecmp_type];
-+					fnamecmp = fname;
-+				}
- 				break;
- 			}
- 			if (!fnamecmp || (daemon_filter_list.head
-@@ -765,7 +769,7 @@ int recv_files(int f_in, int f_out, char *local_name)
- 		}
- 
- 		/* open the file */
--		fd1 = do_open(fnamecmp, O_RDONLY, 0);
-+		fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
- 
- 		if (fd1 == -1 && protocol_version < 29) {
- 			if (fnamecmp != fname) {
-@@ -776,14 +780,20 @@ int recv_files(int f_in, int f_out, char *local_name)
- 
- 			if (fd1 == -1 && basis_dir[0]) {
- 				/* pre-29 allowed only one alternate basis */
--				pathjoin(fnamecmpbuf, sizeof fnamecmpbuf,
--					 basis_dir[0], fname);
--				fnamecmp = fnamecmpbuf;
-+				basedir = basis_dir[0];
-+				fnamecmp = fname;
- 				fnamecmp_type = FNAMECMP_BASIS_DIR_LOW;
--				fd1 = do_open(fnamecmp, O_RDONLY, 0);
-+				fd1 = secure_relative_open(basedir, fnamecmp, O_RDONLY, 0);
- 			}
- 		}
- 
-+		if (basedir) {
-+			// for the following code we need the full
-+			// path name as a single string
-+			pathjoin(fnamecmpbuf, sizeof fnamecmpbuf, basedir, fnamecmp);
-+			fnamecmp = fnamecmpbuf;
-+		}
-+
- 		one_inplace = inplace_partial && fnamecmp_type == FNAMECMP_PARTIAL_DIR;
- 		updating_basis_or_equiv = one_inplace
- 		    || (inplace && (fnamecmp == fname || fnamecmp_type == FNAMECMP_BACKUP));
--- 
-2.34.1
-
-

rsync-CVE-2024-12086_04.patch

@@ -1,38 +0,0 @@
-From c78e53edb802d04f7e4e070fe8314f2544749e7a Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <andrew@tridgell.net>
-Date: Tue, 26 Nov 2024 09:16:31 +1100
-Subject: [PATCH 4/4] disallow ../ elements in relpath for secure_relative_open
-
----
- syscall.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/syscall.c b/syscall.c
-index a4b7f542..47c5ea57 100644
---- a/syscall.c
-+++ b/syscall.c
-@@ -721,6 +721,8 @@ int do_open_nofollow(const char *pathname, int flags)
-   must be a relative path, and the relpath must not contain any
-   elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
-   applies to all path components, not just the last component)
-+
-+  The relpath must also not contain any ../ elements in the path
- */
- int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
- {
-@@ -729,6 +731,11 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
- 		errno = EINVAL;
- 		return -1;
- 	}
-+	if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) {
-+		// no ../ elements allowed in the relpath
-+		errno = EINVAL;
-+		return -1;
-+	}
- 
- #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
- 	// really old system, all we can do is live with the risks
--- 
-2.34.1
-
-

rsync-CVE-2024-12087_01.patch

@@ -1,46 +0,0 @@
-From 0ebc19ee486a8e928a68d8f98d07d40f176770aa Mon Sep 17 00:00:00 2001
-From: Wayne Davison <wayne@opencoder.net>
-Date: Thu, 14 Nov 2024 15:46:50 -0800
-Subject: [PATCH 1/2] Refuse a duplicate dirlist.
-
----
- flist.c | 9 +++++++++
- rsync.h | 1 +
- 2 files changed, 10 insertions(+)
-
-diff --git a/flist.c b/flist.c
-index 464d556e..847b1054 100644
---- a/flist.c
-+++ b/flist.c
-@@ -2584,6 +2584,15 @@ struct file_list *recv_file_list(int f, int dir_ndx)
- 		init_hard_links();
- #endif
- 
-+	if (inc_recurse && dir_ndx >= 0) {
-+		struct file_struct *file = dir_flist->files[dir_ndx];
-+		if (file->flags & FLAG_GOT_DIR_FLIST) {
-+			rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
-+			exit_cleanup(RERR_PROTOCOL);
-+		}
-+		file->flags |= FLAG_GOT_DIR_FLIST;
-+	}
-+
- 	flist = flist_new(0, "recv_file_list");
- 	flist_expand(flist, FLIST_START_LARGE);
- 
-diff --git a/rsync.h b/rsync.h
-index 0f9e277f..b9a7101a 100644
---- a/rsync.h
-+++ b/rsync.h
-@@ -84,6 +84,7 @@
- #define FLAG_DUPLICATE (1<<4)	/* sender */
- #define FLAG_MISSING_DIR (1<<4)	/* generator */
- #define FLAG_HLINKED (1<<5)	/* receiver/generator (checked on all types) */
-+#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
- #define FLAG_HLINK_FIRST (1<<6)	/* receiver/generator (w/FLAG_HLINKED) */
- #define FLAG_IMPLIED_DIR (1<<6)	/* sender/receiver/generator (dirs only) */
- #define FLAG_HLINK_LAST (1<<7)	/* receiver/generator */
--- 
-2.34.1
-
-

rsync-CVE-2024-12087_02.patch

@@ -1,28 +0,0 @@
-From b3e16be18d582dac1513c0a932d146b36e867b1b Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <andrew@tridgell.net>
-Date: Tue, 26 Nov 2024 16:12:45 +1100
-Subject: [PATCH 2/2] range check dir_ndx before use
-
----
- flist.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/flist.c b/flist.c
-index 847b1054..087f9da6 100644
---- a/flist.c
-+++ b/flist.c
-@@ -2585,6 +2585,10 @@ struct file_list *recv_file_list(int f, int dir_ndx)
- #endif
- 
- 	if (inc_recurse && dir_ndx >= 0) {
-+		if (dir_ndx >= dir_flist->used) {
-+			rprintf(FERROR_XFER, "rsync: refusing invalid dir_ndx %u >= %u\n", dir_ndx, dir_flist->used);
-+			exit_cleanup(RERR_PROTOCOL);
-+		}
- 		struct file_struct *file = dir_flist->files[dir_ndx];
- 		if (file->flags & FLAG_GOT_DIR_FLIST) {
- 			rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
--- 
-2.34.1
-
-

rsync-CVE-2024-12088.patch

@@ -1,137 +0,0 @@
-From 535f8f816539ba681ef0f12015d2cb587ae61b6d Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <andrew@tridgell.net>
-Date: Sat, 23 Nov 2024 15:15:53 +1100
-Subject: [PATCH] make --safe-links stricter
-
-when --safe-links is used also reject links where a '../' component is
-included in the destination as other than the leading part of the
-filename
----
- testsuite/safe-links.test    | 55 ++++++++++++++++++++++++++++++++++++
- testsuite/unsafe-byname.test |  2 +-
- util1.c                      | 26 ++++++++++++++++-
- 3 files changed, 81 insertions(+), 2 deletions(-)
- create mode 100644 testsuite/safe-links.test
-
-diff --git a/testsuite/safe-links.test b/testsuite/safe-links.test
-new file mode 100644
-index 00000000..6e95a4b9
---- /dev/null
-+++ b/testsuite/safe-links.test
-@@ -0,0 +1,55 @@
-+#!/bin/sh
-+
-+. "$suitedir/rsync.fns"
-+
-+test_symlink() {
-+	is_a_link "$1" || test_fail "File $1 is not a symlink"
-+}
-+
-+test_regular() {
-+	if [ ! -f "$1" ]; then
-+		test_fail "File $1 is not regular file or not exists"
-+	fi
-+}
-+
-+test_notexist() {
-+        if [ -e "$1" ]; then
-+                test_fail "File $1 exists"
-+	fi
-+        if [ -h "$1" ]; then
-+                test_fail "File $1 exists as a symlink"
-+	fi
-+}
-+
-+cd "$tmpdir"
-+
-+mkdir from
-+
-+mkdir "from/safe"
-+mkdir "from/unsafe"
-+
-+mkdir "from/safe/files"
-+mkdir "from/safe/links"
-+
-+touch "from/safe/files/file1"
-+touch "from/safe/files/file2"
-+touch "from/unsafe/unsafefile"
-+
-+ln -s ../files/file1 "from/safe/links/"
-+ln -s ../files/file2 "from/safe/links/"
-+ln -s ../../unsafe/unsafefile "from/safe/links/"
-+ln -s a/a/a/../../../unsafe2 "from/safe/links/"
-+
-+#echo "LISTING FROM"
-+#ls -lR from
-+
-+echo "rsync with relative path and just -a"
-+$RSYNC -avv --safe-links from/safe/ to
-+
-+#echo "LISTING TO"
-+#ls -lR to
-+
-+test_symlink to/links/file1
-+test_symlink to/links/file2
-+test_notexist to/links/unsafefile
-+test_notexist to/links/unsafe2
-diff --git a/testsuite/unsafe-byname.test b/testsuite/unsafe-byname.test
-index 75e72014..d2e318ef 100644
---- a/testsuite/unsafe-byname.test
-+++ b/testsuite/unsafe-byname.test
-@@ -40,7 +40,7 @@ test_unsafe ..//../dest 		from/dir			unsafe
- test_unsafe ..				from/file			safe
- test_unsafe ../..			from/file			unsafe
- test_unsafe ..//..			from//file			unsafe
--test_unsafe dir/..			from				safe
-+test_unsafe dir/..			from				unsafe
- test_unsafe dir/../..			from				unsafe
- test_unsafe dir/..//..			from				unsafe
- 
-diff --git a/util1.c b/util1.c
-index da50ff1e..f260d398 100644
---- a/util1.c
-+++ b/util1.c
-@@ -1318,7 +1318,14 @@ int handle_partial_dir(const char *fname, int create)
-  *
-  * "src" is the top source directory currently applicable at the level
-  * of the referenced symlink.  This is usually the symlink's full path
-- * (including its name), as referenced from the root of the transfer. */
-+ * (including its name), as referenced from the root of the transfer.
-+ *
-+ * NOTE: this also rejects dest names with a .. component in other
-+ * than the first component of the name ie. it rejects names such as
-+ * a/b/../x/y. This needs to be done as the leading subpaths 'a' or
-+ * 'b' could later be replaced with symlinks such as a link to '.'
-+ * resulting in the link being transferred now becoming unsafe
-+ */
- int unsafe_symlink(const char *dest, const char *src)
- {
- 	const char *name, *slash;
-@@ -1328,6 +1335,23 @@ int unsafe_symlink(const char *dest, const char *src)
- 	if (!dest || !*dest || *dest == '/')
- 		return 1;
- 
-+	// reject destinations with /../ in the name other than at the start of the name
-+	const char *dest2 = dest;
-+	while (strncmp(dest2, "../", 3) == 0) {
-+	    dest2 += 3;
-+	    while (*dest2 == '/') {
-+		// allow for ..//..///../foo
-+		dest2++;
-+	    }
-+	}
-+	if (strstr(dest2, "/../"))
-+	    return 1;
-+
-+	// reject if the destination ends in /..
-+	const size_t dlen = strlen(dest);
-+	if (dlen > 3 && strcmp(&dest[dlen-3], "/..") == 0)
-+	    return 1;
-+
- 	/* find out what our safety margin is */
- 	for (name = src; (slash = strchr(name, '/')) != 0; name = slash+1) {
- 		/* ".." segment starts the count over.  "." segment is ignored. */
--- 
-2.34.1
-
-

rsync-CVE-2024-12747.patch

@@ -1,163 +0,0 @@
-diff --git a/checksum.c b/checksum.c
-index cb21882..66e8089 100644
---- a/checksum.c
-+++ b/checksum.c
-@@ -406,7 +406,7 @@ void file_checksum(const char *fname, const STRUCT_STAT *st_p, char *sum)
- 	int32 remainder;
- 	int fd;
- 
--	fd = do_open(fname, O_RDONLY, 0);
-+	fd = do_open_checklinks(fname);
- 	if (fd == -1) {
- 		memset(sum, 0, file_sum_len);
- 		return;
-diff --git a/flist.c b/flist.c
-index 087f9da..1783253 100644
---- a/flist.c
-+++ b/flist.c
-@@ -1390,7 +1390,7 @@ struct file_struct *make_file(const char *fname, struct file_list *flist,
- 
- 	if (copy_devices && am_sender && IS_DEVICE(st.st_mode)) {
- 		if (st.st_size == 0) {
--			int fd = do_open(fname, O_RDONLY, 0);
-+			int fd = do_open_checklinks(fname);
- 			if (fd >= 0) {
- 				st.st_size = get_device_size(fd, fname);
- 				close(fd);
-diff --git a/generator.c b/generator.c
-index 110db28..3f13bb9 100644
---- a/generator.c
-+++ b/generator.c
-@@ -1798,7 +1798,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
- 
- 	if (write_devices && IS_DEVICE(sx.st.st_mode) && sx.st.st_size == 0) {
- 		/* This early open into fd skips the regular open below. */
--		if ((fd = do_open(fnamecmp, O_RDONLY, 0)) >= 0)
-+		if ((fd = do_open_nofollow(fnamecmp, O_RDONLY)) >= 0)
- 			real_sx.st.st_size = sx.st.st_size = get_device_size(fd, fnamecmp);
- 	}
- 
-@@ -1867,7 +1867,7 @@ static void recv_generator(char *fname, struct file_struct *file, int ndx,
- 	}
- 
- 	/* open the file */
--	if (fd < 0 && (fd = do_open(fnamecmp, O_RDONLY, 0)) < 0) {
-+	if (fd < 0 && (fd = do_open_checklinks(fnamecmp)) < 0) {
- 		rsyserr(FERROR, errno, "failed to open %s, continuing",
- 			full_fname(fnamecmp));
- 	  pretend_missing:
-diff --git a/receiver.c b/receiver.c
-index 8031b8f..edfbb21 100644
---- a/receiver.c
-+++ b/receiver.c
-@@ -775,7 +775,7 @@ int recv_files(int f_in, int f_out, char *local_name)
- 			if (fnamecmp != fname) {
- 				fnamecmp = fname;
- 				fnamecmp_type = FNAMECMP_FNAME;
--				fd1 = do_open(fnamecmp, O_RDONLY, 0);
-+				fd1 = do_open_nofollow(fnamecmp, O_RDONLY);
- 			}
- 
- 			if (fd1 == -1 && basis_dir[0]) {
-diff --git a/sender.c b/sender.c
-index 2bbff2f..a4d46c3 100644
---- a/sender.c
-+++ b/sender.c
-@@ -350,7 +350,7 @@ void send_files(int f_in, int f_out)
- 			exit_cleanup(RERR_PROTOCOL);
- 		}
- 
--		fd = do_open(fname, O_RDONLY, 0);
-+		fd = do_open_checklinks(fname);
- 		if (fd == -1) {
- 			if (errno == ENOENT) {
- 				enum logcode c = am_daemon && protocol_version < 28 ? FERROR : FWARNING;
-diff --git a/syscall.c b/syscall.c
-index 47c5ea5..c55ae5f 100644
---- a/syscall.c
-+++ b/syscall.c
-@@ -45,6 +45,8 @@ extern int preallocate_files;
- extern int preserve_perms;
- extern int preserve_executability;
- extern int open_noatime;
-+extern int copy_links;
-+extern int copy_unsafe_links;
- 
- #ifndef S_BLKSIZE
- # if defined hpux || defined __hpux__ || defined __hpux
-@@ -793,3 +795,21 @@ cleanup:
- 	return retfd;
- #endif // O_NOFOLLOW, O_DIRECTORY
- }
-+
-+/*
-+  varient of do_open/do_open_nofollow which does do_open() if the
-+  copy_links or copy_unsafe_links options are set and does
-+  do_open_nofollow() otherwise
-+
-+  This is used to prevent a race condition where an attacker could be
-+  switching a file between being a symlink and being a normal file
-+
-+  The open is always done with O_RDONLY flags
-+ */
-+int do_open_checklinks(const char *pathname)
-+{
-+	if (copy_links || copy_unsafe_links) {
-+		return do_open(pathname, O_RDONLY, 0);
-+	}
-+	return do_open_nofollow(pathname, O_RDONLY);
-+}
-diff --git a/t_unsafe.c b/t_unsafe.c
-index 010cac5..e10619a 100644
---- a/t_unsafe.c
-+++ b/t_unsafe.c
-@@ -28,6 +28,9 @@ int am_root = 0;
- int am_sender = 1;
- int read_only = 0;
- int list_only = 0;
-+int copy_links = 0;
-+int copy_unsafe_links = 0;
-+
- short info_levels[COUNT_INFO], debug_levels[COUNT_DEBUG];
- 
- int
-diff --git a/tls.c b/tls.c
-index e6b0708..858f8f1 100644
---- a/tls.c
-+++ b/tls.c
-@@ -49,6 +49,9 @@ int list_only = 0;
- int link_times = 0;
- int link_owner = 0;
- int nsec_times = 0;
-+int safe_symlinks = 0;
-+int copy_links = 0;
-+int copy_unsafe_links = 0;
- 
- #ifdef SUPPORT_XATTRS
- 
-diff --git a/trimslash.c b/trimslash.c
-index 1ec928c..f2774cd 100644
---- a/trimslash.c
-+++ b/trimslash.c
-@@ -26,6 +26,8 @@ int am_root = 0;
- int am_sender = 1;
- int read_only = 1;
- int list_only = 0;
-+int copy_links = 0;
-+int copy_unsafe_links = 0;
- 
- int
- main(int argc, char **argv)
-diff --git a/util1.c b/util1.c
-index f260d39..d84bc41 100644
---- a/util1.c
-+++ b/util1.c
-@@ -365,7 +365,7 @@ int copy_file(const char *source, const char *dest, int tmpfilefd, mode_t mode)
- 	int len;   /* Number of bytes read into `buf'. */
- 	OFF_T prealloc_len = 0, offset = 0;
- 
--	if ((ifd = do_open(source, O_RDONLY, 0)) < 0) {
-+	if ((ifd = do_open_nofollow(source, O_RDONLY)) < 0) {
- 		int save_errno = errno;
- 		rsyserr(FERROR_XFER, errno, "open %s", full_fname(source));
- 		errno = save_errno;

rsync-gcc14.patch

@@ -1,13 +0,0 @@
-Index: rsync-3.3.0/configure.ac
-===================================================================
---- rsync-3.3.0.orig/configure.ac
-+++ rsync-3.3.0/configure.ac
-@@ -412,7 +412,7 @@ AS_HELP_STRING([--disable-ipv6],[disable
- #include <stdlib.h>
- #include <sys/types.h>
- #include <sys/socket.h>
--main()
-+int main(void)
- {
-    if (socket(AF_INET6, SOCK_STREAM, 0) < 0)
-      exit(1);

rsync-patches-3.3.0.tar.gz.asc

@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABECAB0WIQQASMiwJtTJbw5YnC9shZ+xS5aoxQUCZhF6vQAKCRBshZ+xS5ao
-xcOpAJ0e/0uM2Ds98F7lwsTWiYdsJJ4EGwCfU4SaBIySxtKPdHh0Qy6Y1dt8uTc=
-=dZu7
------END PGP SIGNATURE-----

rsync-patches-3.4.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:51533dc5b9b4293d3499b673df185c93484f3e6fcf2de52f9bf1f07fa3d7cbc1
+size 103831

rsync-patches-3.4.0.tar.gz.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQJIBAABCgAyFiEEn+8RLc4ZoNx+iCy4G7JJl6hTX28FAmeGuIAUHGFuZHJld0B0
+cmlkZ2VsbC5uZXQACgkQG7JJl6hTX2/6cg/+LZBcaBsD6AAIDRQeBh5XvGWqZowx
+Zb66c52bSJ4WmruG2ccnBsxQLUhwHws/Rxqak7M5bUP11Z54ub+exSXxMVB8yFs7
+KZ1TyQKfiV1TJSspK8LQT6+mndlHAkpXAZWChWrKiQLUC1hrEpqRN+kFGEEqpNAB
++8+dtnGf4x3WQpMRybadvw5WR6y1EgkJbZrqikLgi9edmi9UVE1VWfDoA96yR8eA
+d5g9daNSx+QdqlWXt8L3djZG56l+QQhcKb6h/35+wHjaV1PgCq+zDdujn1v34ZtR
+7FMdqeEXWudiGU3U1xLay/sz057ZGhVXO7fRmcC4OhBEMTYNyzHO42yz0O3Sxe8j
+oK7+qJGqzsyLDtgpsHJFKXG8xBqGNoW/9c6RaJhEQyCgF0VhifE5aWbId7IwlSB3
+IzZuXcuGWUG0EhodNMQjYLxpdWfZexxkExu6Fx7D3RiOx04p5Rgb3EX9dP1tjVkt
+iWWVuHE9WI4NO85YXtKNYkRz9jESIhc9m+B7BzWmD/R9/r4OjfY0nlrrE9l9bTWg
+lm44bVRofY2SfO8cJgH3wCa4znUUBud7hAgBpKjnOXDEedLtmQOdbbDBvWGj64kS
+V9pZ4tSkaZT+ojgHhPAfqLqkQoVlHWs0q9R5PqjCRTWFynzi85rl9ForJXpo7UHU
+lJaIYEmTUu5Ub50=
+=MYKy
+-----END PGP SIGNATURE-----
+

rsync-usr-etc.patch

@@ -1,7 +1,8 @@
-diff -ur a/clientserver.c b/clientserver.c
+Index: rsync-3.4.0/clientserver.c
---- a/clientserver.c	2023-11-28 17:12:41.643268046 +0100
+===================================================================
-+++ b/clientserver.c	2023-11-28 17:25:30.476279700 +0100
+--- rsync-3.4.0.orig/clientserver.c
-@@ -1261,10 +1261,16 @@
++++ rsync-3.4.0/clientserver.c
+@@ -1261,10 +1261,16 @@ static void send_listing(int fd)
  static int load_config(int globals_only)
  {
  	if (!config_file) {
@@ -20,10 +21,11 @@ diff -ur a/clientserver.c b/clientserver.c
  	}
  	return lp_load(config_file, globals_only);
  }
-diff -ur a/configure.ac b/configure.ac
+Index: rsync-3.4.0/configure.ac
---- a/configure.ac	2023-11-28 17:12:41.647268046 +0100
+===================================================================
-+++ b/configure.ac	2023-11-28 17:40:15.678280030 +0100
+--- rsync-3.4.0.orig/configure.ac
-@@ -175,7 +175,7 @@
++++ rsync-3.4.0/configure.ac
+@@ -175,7 +175,7 @@ AC_ARG_WITH(rsync-path,
  AC_DEFINE_UNQUOTED(RSYNC_PATH, "$RSYNC_PATH", [location of rsync on remote machine])
  
  AC_ARG_WITH(rsyncd-conf,
@@ -32,7 +34,7 @@ diff -ur a/configure.ac b/configure.ac
  	[ if test ! -z "$with_rsyncd_conf" ; then
  		case $with_rsyncd_conf in
  			yes|no)
-@@ -193,7 +193,27 @@
+@@ -193,7 +193,27 @@ AC_ARG_WITH(rsyncd-conf,
  	fi ],
  	[ RSYNCD_SYSCONF="/etc/rsyncd.conf" ])
  
@@ -61,10 +63,11 @@ diff -ur a/configure.ac b/configure.ac
  
  AC_ARG_WITH(rsh,
  	AS_HELP_STRING([--with-rsh=CMD],[set remote shell command to CMD (default: ssh)]))
-diff -ur a/rsyncd.conf.5.md b/rsyncd.conf.5.md
+Index: rsync-3.4.0/rsyncd.conf.5.md
---- a/rsyncd.conf.5.md	2023-11-28 17:12:41.643268046 +0100
+===================================================================
-+++ b/rsyncd.conf.5.md	2023-11-29 13:08:32.125333095 +0100
+--- rsync-3.4.0.orig/rsyncd.conf.5.md
-@@ -1235,7 +1235,7 @@
++++ rsync-3.4.0/rsyncd.conf.5.md
+@@ -1242,7 +1242,7 @@ The /etc/rsyncd.secrets file would look
  
  ## FILES
  

rsync.changes

@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Wed Jan 15 13:30:11 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
+
+- Update to 3.4
+  * Bump to protocol 32
+  Drop CVE patches:
+  * Removed rsync-CVE-2024-12084-overflow-01.patch
+  * Removed rsync-CVE-2024-12084-overflow-02.patch
+  * Removed rsync-CVE-2024-12085.patch
+  * Removed rsync-CVE-2024-12086_01.patch
+  * Removed rsync-CVE-2024-12086_02.patch
+  * Removed rsync-CVE-2024-12086_03.patch
+  * Removed rsync-CVE-2024-12086_04.patch
+  * Removed rsync-CVE-2024-12087_01.patch
+  * Removed rsync-CVE-2024-12087_02.patch
+  * Removed rsync-CVE-2024-12088.patch
+  * Removed rsync-CVE-2024-12747.patch
+
 -------------------------------------------------------------------
 Tue Jan 14 08:39:57 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
 

rsync.keyring

@@ -1,32 +1,130 @@
-pub   1024D/4B96A8C5 2003-12-19
-uid                  Wayne Davison <wayned@users.sourceforge.net>
-uid                  Wayne Davison <wayned@samba.org>
-sub   1024g/29C67D63 2003-12-19
-
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.9 (GNU/Linux)
+Comment: Hostname: 
+Version: Hockeypuck 2.2
 
-mQGiBD/ja2cRBACZqtQ/VnuWd2TA/T4nFitXPOF//7uterTWZVMDBrSE3tJdW1lv
+xsFNBFnFrIoBEAC8ph2kG5EBWVcjjNPsn5nYSktPjkqdJJTupYf1mrQXqmbcW2I0
-90z2g2RJKktJTC3yjs82IH6wWvvFsHDPGXQRuoBr0dPYHBaVhKX85uewigHiE2M1
+6YYEdQ48kqv5EXJI+9hm8kIOi+VjD+JL4OplU1QY4qzclTTzxEZclJ3Ql/2hjfzX
-1Ub8Vv1c/JDGAh1cNmCAWazghV+emamrWJWq0f0hz5eqq4LCcPwo4riUVwCg9W37
+edncmYFe7iuklK3y9cyk5ObzfyZdic7FS/Mu8G+dp3uLVx83ZCbVF/CmdWjVSS9i
-YAR8Z4NHa6FWjrEKjl2NIMUD/iXJnp6qJFMK9Fs+2dWyL1m/mRb0h+I/cqgpkUvo
+IBBI5N/nfvGszAWf8lrGAvwOjp16MHzruW0DHwtO2DdFoSlgSeLSCQJLOK8EQUps
-gRhL95Jttg2QQtXJWCsB3hA/L/2Iu2bV8iS1aRlZQsAWogA3/m56ROs8cIyN4ouj
+pCofElQf1YhTQugtR4iy3DyZlhRyxmUFPpCHI83hAXKKFbhvsm8IgXUGF2AZY+SL
-1dpPoG7sKGA8BTvXxuSF9l6ngx7208iX+xiQCDeGfBtBFBy70iJxTFGzp2mP3IiP
+vy1mheE+dLk8CMzrgHB1su9aDXCOJ/Zt53GqluRaYXroi/vbS0+koqDOukn2UPla
-pwWtBACJ6l8UPwSRmp0Hz/N6H4RkzqGQnvYsMba/uPkRYou/14JsEGCQqjSB99UX
+MF5XP2ASJQU6mPm1mY2F0rAeMXapteG1exqoS2ttoQnMXUknXUQh1d7AP40OK/8k
-hsPg9wubCEpo3YFTf1p1j3OlbOhiiMkRFwyYaT1fqGjQK0w8hQ1yXHxbXffnz6e3
+VjX+DapMOFrjoFCcwBxWbaTY7j4JtjaqBHVdALRczrv4AxPhfZRndhRA+uqg5FpG
-gKELz7fNQxS0L/tZkNOT7uyGuwnPsUDCBAzDPMwYVIFRo+MKZLQgV2F5bmUgRGF2
+tsta47U2T/Y38M5qNkpJaHsAOSRorW/efgI6S0f6E/BaJh6AyXqRvJNhvWpEfpTf
-aXNvbiA8d2F5bmVkQHNhbWJhLm9yZz6IWwQTEQIAGwUCP+NrZwYLCQgHAwIDFQID
+Fb/4zlFz7Z4WIrmFFHWbGm2NR8rJOCs02zH6nX1S7XCTXIpK6YuJwam33WOvR2i2
-AxYCAQIeAQIXgAAKCRBshZ+xS5aoxbKaAJ98/UHW+BAmnsWCvCXYw5xAvjKQuwCg
+TgDf/xlsislTVPmWcqEMxLH5/YDqTQXzRtjsuGdjCvlAqN9tO7infXhm7QARAQAB
-7rJUYSl3xpb6YmIaBbyyw5QTKiC0LFdheW5lIERhdmlzb24gPHdheW5lZEB1c2Vy
+zSVBbmRyZXcgVHJpZGdlbGwgPGFuZHJld0B0cmlkZ2VsbC5uZXQ+wsF3BBMBAgAh
-cy5zb3VyY2Vmb3JnZS5uZXQ+iF4EExECAB4FAkFgW4ACGwMGCwkIBwMCAxUCAwMW
+AhsDAh4BAheABQJZxa9lBQsJCAcDBRUKCQgLBRYCAwEAAAoJEBuySZeoU19v+sQP
-AgECHgECF4AACgkQbIWfsUuWqMXxFQCg9Dgb5SnWZroPGl25DL2OYFHdqV4An0N2
+/RACMNYGlRP6hcHXbHOo/YeB0EFcyhjrhq0t5/RDCDs36wAPA+/vCNLHun2/Vvve
-QQj0mVi18JgadtS4xv7yNiDauQENBD/ja3EQBADkZadXo4zP2P9XjCP9jCel2hIp
+H1f0SRvzhFL1V0wbu+s5Tvr4dnnpWR3qGMl407uSsj8e2lhB8wB25l3u59HQbTbv
-E/khYifgu8sLYQ3VOaVM6iczw71a+iM3C44CddioGNv0svJ/cEttbtAE5zZIfqm0
+UWiTlspmsiL3u/mLqeczknXk0fabl3xTpTOVgc4Zee5BKC6sOAmnW/4gIK/dOGAq
-Rd/CYR+kqOkUydss736olRh+4lXLi9dAzDwHoEmlO+i95V6bDdSCAF9+XLhpfUY/
+ooHRDWlZUsvD5tU/y9p2AD6/hGXoUCm2rcUj5HVzoU2B8Dl8BwKgshBIOV6HozRU
-xtgistlUGTd+wyeQMwADBQP9HXUGOcR18VJsQtFOmXaXv9MSKZYMjCf9R5Z7gcPF
+7EORnrcwF8VPkVosX6YBQE+c6QCmaxByKkWvU3C1KxxesIdcMO+YEHZEOo3P0LWG
-PSIWINyUvMEgnLIrUKJ7pgoA6cLDnYm/lBVP801u5C+D4s79oCnjS21wlOxA2Go0
+bomGNNJ0s0cbKnuuI59q16OgOz3JLAB0a0pRw9BPzJaJ92YKHFSREbiG0QnUn/hZ
-hxG6XpT9mwBOWk4uZUK+g8Emeu7Vi6l3XwH8fACdCIfp3wKlqH/qtkqN7Gts95TM
+BsidhaCLg7syTkCvdC6jn+CySydpTAjCf7Api18+JbsHMf2Top1lUxZat6OwiZ7V
-59uIRgQYEQIABgUCP+NrcQAKCRBshZ+xS5aoxUisAKC2tk0y7PNjh9C9vbfx3fdA
+SsyyMt3QSePhGtyw4XzfNJfk3zqE6grqbhhennnysH13nHQoWJ8Q5vdKXlryHT+w
-gqiD8gCgg6qjwVbeddcrA0a84BB3zXnb93A=
+kaYKMna0CoLfZD/BG2eFUuJyLJttmbwBjE8q80DwgNIWKqfUGb0tzXstZKYppCkt
-=0IcW
+6M1xkFGPvYa6b6NF2vydW0bwUEE6vrLy1zARYxh8pCc+R8Vr4iDmGBztlIUhI6Us
+7GLqabOBy4HXgte32TQYUedb+dxRnbSLvL/OI6w7Gp+GwsGOBBMBAgAhAhsDAh4B
+AheABQJZxa9lBQsJCAcDBRUKCQgLBRYCAwEAACEJEBuySZeoU19vFiEEn+8RLc4Z
+oNx+iCy4G7JJl6hTX2/6xA/9EAIw1gaVE/qFwddsc6j9h4HQQVzKGOuGrS3n9EMI
+OzfrAA8D7+8I0se6fb9W+94fV/RJG/OEUvVXTBu76zlO+vh2eelZHeoYyXjTu5Ky
+Px7aWEHzAHbmXe7n0dBtNu9RaJOWymayIve7+Yup5zOSdeTR9puXfFOlM5WBzhl5
+7kEoLqw4Cadb/iAgr904YCqigdENaVlSy8Pm1T/L2nYAPr+EZehQKbatxSPkdXOh
+TYHwOXwHAqCyEEg5XoejNFTsQ5GetzAXxU+RWixfpgFAT5zpAKZrEHIqRa9TcLUr
+HF6wh1ww75gQdkQ6jc/QtYZuiYY00nSzRxsqe64jn2rXo6A7PcksAHRrSlHD0E/M
+lon3ZgocVJERuIbRCdSf+FkGyJ2FoIuDuzJOQK90LqOf4LJLJ2lMCMJ/sCmLXz4l
+uwcx/ZOinWVTFlq3o7CJntVKzLIy3dBJ4+Ea3LDhfN80l+TfOoTqCupuGF6eefKw
+fXecdChYnxDm90peWvIdP7CRpgoydrQKgt9kP8EbZ4VS4nIsm22ZvAGMTyrzQPCA
+0hYqp9QZvS3Ney1kpimkKS3ozXGQUY+9hrpvo0Xa/J1bRvBQQTq+svLXMBFjGHyk
+Jz5HxWviIOYYHO2UhSEjpSzsYupps4HLgdeC17fZNBhR51v53FGdtIu8v84jrDsa
+n4bCwXgEEwECACIFAlnFrIoCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJ
+EBuySZeoU19v7+gP/RyjN35PGwyhGApZNHo8pBfq720RI39LMZ6RXWo2qYIMGQBV
+nQmMMv/hlOaTvEiZ/LB589O9CuueGiWr3WVkw2N7+cnx5bSS1RV6OPEBV9ZPbcAD
+jUrlCe63g0SSvfED//RWpwQB9srx5h+AvshrtJI8jFF/tbEvI+8twJlBSJbJs8KW
+/t8vB+9yILSn4tkMy2xWm0CU8IIZDtvAYJLJECJCEqZop/8r2++j9b8F62AmrxLe
+SIgIcML+JOH6UXQmnu/tQuVZf2/uYMmn+hzCtvfawfNbzE5ERiXMczJSM1adhr91
+b4KFj4vfiXa9JpHNSpAAfeSO9eFylzTsK35Y+LcVO3xIeK40FMIBcox0pFFowf3s
+klk0NjYJJ1dvuPMH6dAPX5vfSZQH7uFQnxIA7fYyRp6Y2NwJDOtJhs8471nkYsw/
+Pw69Optun7fG0NXupKSrEZaZq44AoY8QvynMExZGoEYC2oVnFEya4pmqBJRyc7Sy
+9Y7eaacstTgVg5KhfEsRPpY939LwmH6XPf5YgiVMjw2duGttK09NAr7Lv50CznTJ
+bOl4xYVrac1mrF+VB+f6M6LkfvadjOQ2/vdHbLfo8PqloUJMu20krOXENFqBtXyA
+k8EtwGcgp3s1nHihjbRw8SnpEPAZsIwlvTsyNxI26VDsSiNoY3A1PVdTQ37fwsGP
+BBMBAgAiBQJZxayKAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAhCRAbskmX
+qFNfbxYhBJ/vES3OGaDcfogsuBuySZeoU19v7+gP/RyjN35PGwyhGApZNHo8pBfq
+720RI39LMZ6RXWo2qYIMGQBVnQmMMv/hlOaTvEiZ/LB589O9CuueGiWr3WVkw2N7
++cnx5bSS1RV6OPEBV9ZPbcADjUrlCe63g0SSvfED//RWpwQB9srx5h+AvshrtJI8
+jFF/tbEvI+8twJlBSJbJs8KW/t8vB+9yILSn4tkMy2xWm0CU8IIZDtvAYJLJECJC
+EqZop/8r2++j9b8F62AmrxLeSIgIcML+JOH6UXQmnu/tQuVZf2/uYMmn+hzCtvfa
+wfNbzE5ERiXMczJSM1adhr91b4KFj4vfiXa9JpHNSpAAfeSO9eFylzTsK35Y+LcV
+O3xIeK40FMIBcox0pFFowf3sklk0NjYJJ1dvuPMH6dAPX5vfSZQH7uFQnxIA7fYy
+Rp6Y2NwJDOtJhs8471nkYsw/Pw69Optun7fG0NXupKSrEZaZq44AoY8QvynMExZG
+oEYC2oVnFEya4pmqBJRyc7Sy9Y7eaacstTgVg5KhfEsRPpY939LwmH6XPf5YgiVM
+jw2duGttK09NAr7Lv50CznTJbOl4xYVrac1mrF+VB+f6M6LkfvadjOQ2/vdHbLfo
+8PqloUJMu20krOXENFqBtXyAk8EtwGcgp3s1nHihjbRw8SnpEPAZsIwlvTsyNxI2
+6VDsSiNoY3A1PVdTQ37fwsFcBBABCgAGBQJZxa2aAAoJELJMpj9uu+hNx5UQALPz
+yu1QRLiPW99XvJxt2ikpkSeWQxJSyyUy38/FButoMRyATqY8Z4mPHtXaCSpKw7SP
+d1fJR7CZIdAkpsBj/hvSW9Xy+TCGxd7A4ecI3n3fwLnEyZ/vMmgnBsWVwuEQnMhu
+vr7uk2kkdbuZirmeBMOGbYsHEMGx0O30VziWi59NmtVrcIMb2HzWqtIpfbfErSJP
+HjQX3AsJ3/dnNMLsNwv96xXx8y6Xi7DZau1VouJkNJnt4+jxEWby/5ttIIQ0OKIZ
+nS36R1srCBxj4iEK3F9a8JOa2OTUshTwvFnRs5vMyKYPK5nI4YljzEDOrEfWUqyO
+ikZPmZJEJGDJ/gVCOFNDwgHJaWHolVQzMbjNcj4AiDjA0W5TaJ5T55IfqeoA2cko
+qzp+tcgETHsdcdsCd/V+4w1qzBmJjYdIraSW0CYIsVUhaQOt50Ya3noqz+n6ZEve
+lSSbQoZkOZwAd1AHq2ibdOmHd3JVnpKpB2irZUaWN8y+Ju5TOviXoBL+ZWoG+3Ad
+Oj68Am2t8Y9hJvjSIOKpef4CJZ5whU7MtKMtzDENWb7HYkvLf1IjWn34u80QlNn8
+uDbDHoxF1s7xyVvg03r5CzvfhOhXTlzYJEhOEn5VQMkZJQ4RlKyVnLBIYN0uidIn
+1STEMnRVTKCR99OGWF8balTNbzwJnaYOHJL1bFBSwkYEEBECAAYFAlnFrxgACgkQ
+bf9zMVhTZ5G4mwCgn6YnhVJh+y3B8HJcy3B0eSqn12IAnA+2XSxpS3LfnpKLbEAk
+YGbRtDO/wl0EEBECAB0WIQQASMiwJtTJbw5YnC9shZ+xS5aoxQUCZ4bC/AAKCRBs
+hZ+xS5aoxVgHAJ9rjm2pKx4k+VN+LWertcAoRHlBwQCg5QTqZQafRqf6/uA9R4kI
+xRazYX7CwXMEEAEKAB0WIQRx+/F75+UtDCoskUTwthRgsExLVgUCZ4bMVAAKCRDw
+thRgsExLVo1PD/9f055Rby4I4A75UHWZ4um76wX0OiU9nq6FVi01a7sT8VOM8sxM
+XnDXZvFfWXsRj98jBYsWZ6XA4JJiW3cvrdDPdjxgJDO7tS4nLWztvCnLxrWoKYkI
+sIy9XgF5TCcsMNsSqDzq1j78s18N0JMuKKeBZSxSSIhu/jl83v4w2LY0vakdQv0e
+hx0qNAPsZ5jrcTtvGycDFa360cVmMny1WP9+TsabSuIO7vQt5FnRMXvKW0xmSmc9
+HmcaszBKd+lrmM2T8DsoAB6lS30DOAibZfEfN3IgOWpK5YzV6a/UxnESKykpUBKg
+889IssfGuQQsir29pFcI0HO3BTnpUQY2o6wkPubPduxsaHYdyl9VJtf8bW3Z6EIY
+44HpzPhovGvMrzd06W59TIPu0wxWaoNjZQiGUIkGkqAELXL99YfJQnkEDObxKuzS
+Ju7nJ2WJIA3jvavcigCchBTojG+8knrkIzl+xEPiQDVJ+LZGBlN6Ql4EFuukBnjf
+85pLaOPd2svQF73RCpsjxwT13lmXzXiRnGgKb3F3smbXimIxkSqax26P8S+mC6+p
+C4Xt0j8+zfIL+iqhPedGhH/IvMqRqqQDzjya3YzCh0nIR7mrFV9oH3Nje+s0sGNe
+LrW7KkAFBgbdy2Ts/HI+l2uupsRn1OEZEyIRB4wHZqtrEUE7L2FqStyRh8JdBBAR
+CgAdFiEEAEjIsCbUyW8OWJwvbIWfsUuWqMUFAmeGzLQACgkQbIWfsUuWqMU/FgCe
+KC0HvywEeTaT8dmQh3QiMNQlRtMAniZcHMlZl11+z5Aw8UEuUBzdQyV3zsFNBFnF
+rIoBEACeU7lE8sgD5BPro6GLzzfsQ1PsN/im4quzDmR66YaHEsZPf5p+cLPY3aZR
+zgXTw5+zH5rsy6D/WwxjH265RRZsymfYwiwS9+gcTxP+qyEs8kUHQn0u5iVGK0pf
+MO4lUObKEDUa/QGSYtssVv0nwuR/fkwSCpFJNiJ+f3bgpCY+4bWHFj0vINR0slSU
+VqyW80cXhED9sgBCkx6fXA9///QMcRkzQM/99N0yO5iDrz6WdJ/4YvgIngezocOV
+nds8RKNGoqKgqkxicsNZuAyzplTTKXqlhLNsVwpkcurmYCdq7QjjcypAn8HTvQoY
+++n5sY7h+xCTE5dgcQH3NOdeyRvymFs8f+EcCVLISZdCt077FouZ4n9Xa2bhTZEY
+PDEdpQM3OYtolvIPjOGB2ONacBndwW//eUhB+YOgIj2dOyRNPwlo6xagtgbXCZo1
+ksEU7tYJKIqDETs5DWFJ58amIRRx8lQki6PABionf2dmawt2C31IY//F9OccWsfn
+CkFGg+Q3aAUWYov1ImmPH2E9TMgTq93S+ntMBKUzDGZDo/wJOaT9tHyVFq29B/Jh
+Ri5Zhb6rh7OxSKhC0miK0fkK+EzENvm7nB+e4H916Syb1vrS7TUpy6XIv64rgAHN
+zFboWiolreYpOhrJ5u2jpuYrVzev0usHfzhf2osi7fNRH0RDLwARAQABwsFfBBgB
+AgAJBQJZxayKAhsMAAoJEBuySZeoU19vofIP/10Fpnrkl5tpNLffXYYN8XkyQBDF
+e+fDsrcb1lC8fBwWZdceReceptT/OWA2FMsBOK2BCORFRH8xJMc8Qg/Vf/B9pOlJ
+wEBQ7Q4NJDdL5AJcPzKF6q5IsdOehK3esJusC2FHviudIG2uTdQM8CY3syNQR3eQ
+HhrJ9+aCoNTDT9MS6M5MkYJThnLSyxNU3AyVblaq7LkDlbFPDnB2q9wPkygI+miC
+i7645TBzBM8ljkgxC4OlM+s6O/gWawIzJNKwtSBMlyXUcORP0OzGgwnth8Ad5MBB
+Y45JXi4CfhqWP8tbkG/VGGudnpeswGsXRH9oVtzWwTbVwC0A8jmBCntqMdNSXSbg
+oM3F14O9kvrFy0RXm4k77qkaXVLbJOuq5wCjTzEFDH8pjeZnGDuwpVRBJZxpGLr7
+1oXASroJ3OK6TSLXxAoEzGwBW6y17nX5x5acSQj+lbUO4qWfPDKhiJMnjuEa92/k
+5nkyzeZhB37MsIhN5E7bSKavpKK6KP9raEJv3tjspKvghoLfzQj3zsbqZehKFI4Y
+Jq5KGqhUEOl3dL/FenobZgRbB3cqOgzN1LSx1oD30nxLSRrouhc/u47hToA75Qgm
+yV8OsDZoBe4R36db+arZOmrS5uvZ1I2ZUK+OynPgV6pZhxC4hljD6M25P0fopL4J
+tK9NYcSQQ3X8LC4SwsF2BBgBAgAJBQJZxayKAhsMACEJEBuySZeoU19vFiEEn+8R
+Lc4ZoNx+iCy4G7JJl6hTX2+h8g//XQWmeuSXm2k0t99dhg3xeTJAEMV758OytxvW
+ULx8HBZl1x5F5x6m1P85YDYUywE4rYEI5EVEfzEkxzxCD9V/8H2k6UnAQFDtDg0k
+N0vkAlw/MoXqrkix056Erd6wm6wLYUe+K50gba5N1AzwJjezI1BHd5AeGsn35oKg
+1MNP0xLozkyRglOGctLLE1TcDJVuVqrsuQOVsU8OcHar3A+TKAj6aIKLvrjlMHME
+zyWOSDELg6Uz6zo7+BZrAjMk0rC1IEyXJdRw5E/Q7MaDCe2HwB3kwEFjjkleLgJ+
+GpY/y1uQb9UYa52el6zAaxdEf2hW3NbBNtXALQDyOYEKe2ox01JdJuCgzcXXg72S
++sXLRFebiTvuqRpdUtsk66rnAKNPMQUMfymN5mcYO7ClVEElnGkYuvvWhcBKugnc
+4rpNItfECgTMbAFbrLXudfnHlpxJCP6VtQ7ipZ88MqGIkyeO4Rr3b+TmeTLN5mEH
+fsywiE3kTttIpq+koroo/2toQm/e2Oykq+CGgt/NCPfOxupl6EoUjhgmrkoaqFQQ
+6Xd0v8V6ehtmBFsHdyo6DM3UtLHWgPfSfEtJGui6Fz+7juFOgDvlCCbJXw6wNmgF
+7hHfp1v5qtk6atLm69nUjZlQr47Kc+BXqlmHELiGWMPozbk/R+ikvgm0r01hxJBD
+dfwsLhI=
+=whzx
 -----END PGP PUBLIC KEY BLOCK-----

rsync.spec

@@ -35,7 +35,7 @@
 %endif
 
 Name:           rsync
-Version:        3.3.0
+Version:        3.4.0
 Release:        0
 Summary:        Versatile tool for fast incremental file transfer
 License:        GPL-3.0-or-later
@@ -55,28 +55,10 @@ Source11:       https://rsync.samba.org/ftp/rsync/src/rsync-patches-%{version}.t
 Source12:       %{name}.keyring
 Source13:       rsyncd
 Patch0:         rsync-no-libattr.patch
-Patch1:         rsync-gcc14.patch
 Patch2:         rsync-usr-etc.patch
 Patch3:         rsync-run-dir.patch
 # https://github.com/RsyncProject/rsync/pull/639
 Patch5:         rsyncd-return-from-list-command-with-0.patch
-# PATCH-FIX-UPSTREAM: rsync CVE-2024-12084 bsc#1234100
-Patch6:         rsync-CVE-2024-12084-overflow-01.patch
-Patch7:         rsync-CVE-2024-12084-overflow-02.patch
-# PATCH-FIX-UPSTREAM: rsync CVE-2024-12085 bsc#1234101
-Patch8:         rsync-CVE-2024-12085.patch
-# PATCH-FIX-UPSTREAM: rsync CVE-2024-12086 bsc#1234102
-Patch9:         rsync-CVE-2024-12086_01.patch
-Patch10:        rsync-CVE-2024-12086_02.patch
-Patch11:        rsync-CVE-2024-12086_03.patch
-Patch12:        rsync-CVE-2024-12086_04.patch
-# PATCH-FIX-UPSTREAM: rsync CVE-2024-12087 bsc#1234103
-Patch13:        rsync-CVE-2024-12087_01.patch
-Patch14:        rsync-CVE-2024-12087_02.patch
-# PATCH-FIX-UPSTREAM: rsync CVE-2024-12088 bsc#1234104
-Patch15:        rsync-CVE-2024-12088.patch
-# PATCH-FIX-UPSTREAM: rsync CVE-2024-12088 bsc#1235475
-Patch16:        rsync-CVE-2024-12747.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  c++_compiler

rsyncd-return-from-list-command-with-0.patch

@@ -15,11 +15,11 @@ Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
  clientserver.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/clientserver.c b/clientserver.c
+Index: rsync-3.4.0/clientserver.c
-index 7c897abc..c507ea91 100644
+===================================================================
---- a/clientserver.c
+--- rsync-3.4.0.orig/clientserver.c
-+++ b/clientserver.c
++++ rsync-3.4.0/clientserver.c
-@@ -1371,7 +1371,7 @@ int start_daemon(int f_in, int f_out)
+@@ -1377,7 +1377,7 @@ int start_daemon(int f_in, int f_out)
  		rprintf(FLOG, "module-list request from %s (%s)\n",
  			host, addr);
  		send_listing(f_out);
@@ -28,6 +28,3 @@ index 7c897abc..c507ea91 100644
  	}
  
  	if (*line == '#') {
--- 
-2.46.0
-