pool/rsync
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

merge into: pool:slfo-1.2
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main
...
pull from: pool:factory
Branches Tags
pool:factory pool:slfo-1.2 pool:slfo-main

3 Commits
slfo-1.2 ... factory

Author SHA256 Message Date
Ana Guerrero
477fcd76e2 Accepting request 1323385 from network 
OBS-URL: https://build.opensuse.org/request/show/1323385
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rsync?expand=0&rev=95
 2025-12-18 17:30:42 +00:00
David Anes
e20d4d8c69 Fix changelog missing proper patch name. 
OBS-URL: https://build.opensuse.org/package/show/network/rsync?expand=0&rev=141
 2025-12-17 15:20:08 +00:00
Angel Yankov
8f992957f7 - Security update (CVE-2025-10158, bsc#1254441): rsync: Out of 
bounds array access via negative index
  - Add CVE-2025-10158.patch

OBS-URL: https://build.opensuse.org/package/show/network/rsync?expand=0&rev=140
 2025-12-17 07:33:00 +00:00
3 changed files with 38 additions and 1 deletions
Expand all files Collapse all files

27
rsync-CVE-2025-10158.patch Normal file
View File

@@ -0,0 +1,27 @@
From 797e17fc4a6f15e3b1756538a9f812b63942686f Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Sat, 23 Aug 2025 17:26:53 +1000
Subject: [PATCH] fixed an invalid access to files array
this was found by Calum Hutton from Rapid7. It is a real bug, but
analysis shows it can't be leverged into an exploit. Worth fixing
though.
Many thanks to Calum and Rapid7 for finding and reporting this
---
sender.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sender.c b/sender.c
index a4d46c39e..b1588b701 100644
--- a/sender.c
+++ b/sender.c
@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
if (ndx - cur_flist->ndx_start >= 0)
file = cur_flist->files[ndx - cur_flist->ndx_start];
+ else if (cur_flist->parent_ndx < 0)
+ exit_cleanup(RERR_PROTOCOL);
else
file = dir_flist->files[cur_flist->parent_ndx];
if (F_PATHNAME(file)) {

7
rsync.changes
View File

@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Tue Dec 16 12:40:48 UTC 2025 - David Anes <david.anes@suse.com>
- Security update (CVE-2025-10158, bsc#1254441): rsync: Out of
bounds array access via negative index
- Add rsync-CVE-2025-10158.patch
-------------------------------------------------------------------
Fri Mar 28 13:58:41 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>

5
rsync.spec
View File

@@ -1,7 +1,7 @@
#
# spec file for package rsync
#
# Copyright (c) 2025 SUSE LLC
# Copyright (c) 2025 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -61,6 +61,9 @@ Patch3: rsync-run-dir.patch
Patch5: rsyncd-return-from-list-command-with-0.patch
# https://github.com/RsyncProject/rsync/pull/716
Patch6: rsync341-gcc15-bool.patch
# bsc#1254441, CVE-2025-10158: rsync: Out of bounds array access via negative index
# https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f
Patch7: rsync-CVE-2025-10158.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: c++_compiler