Accepting request 230314 from home:vitezslav_cizek:branches:network

- fix for CVE-2014-2855 (bnc#873740)
  * a denial of service via CPU consumption
  * added rsync-CVE-2014-2855.patch

OBS-URL: https://build.opensuse.org/request/show/230314
OBS-URL: https://build.opensuse.org/package/show/network/rsync?expand=0&rev=31

rsync-CVE-2014-2855.patch

@@ -0,0 +1,84 @@
+From 0dedfbce2c1b851684ba658861fe9d620636c56a Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayned@samba.org>
+Date: Sun, 13 Apr 2014 13:44:58 -0700
+Subject: [PATCH] Avoid infinite wait reading secrets file.
+
+---
+ authenticate.c |   24 +++++++++++++-----------
+ 1 files changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/authenticate.c b/authenticate.c
+index 3381b8c..c92746c 100644
+--- a/authenticate.c
++++ b/authenticate.c
+@@ -102,15 +102,16 @@ static const char *check_secret(int module, const char *user, const char *group,
+ 	char pass2[MAX_DIGEST_LEN*2];
+ 	const char *fname = lp_secrets_file(module);
+ 	STRUCT_STAT st;
+-	int fd, ok = 1;
++	int ok = 1;
+ 	int user_len = strlen(user);
+ 	int group_len = group ? strlen(group) : 0;
+ 	char *err;
++	FILE *fh;
+ 
+-	if (!fname || !*fname || (fd = open(fname, O_RDONLY)) < 0)
++	if (!fname || !*fname || (fh = fopen(fname, "r")) == NULL)
+ 		return "no secrets file";
+ 
+-	if (do_fstat(fd, &st) == -1) {
++	if (do_fstat(fileno(fh), &st) == -1) {
+ 		rsyserr(FLOG, errno, "fstat(%s)", fname);
+ 		ok = 0;
+ 	} else if (lp_strict_modes(module)) {
+@@ -123,29 +124,30 @@ static const char *check_secret(int module, const char *user, const char *group,
+ 		}
+ 	}
+ 	if (!ok) {
+-		close(fd);
++		fclose(fh);
+ 		return "ignoring secrets file";
+ 	}
+ 
+ 	if (*user == '#') {
+ 		/* Reject attempt to match a comment. */
+-		close(fd);
++		fclose(fh);
+ 		return "invalid username";
+ 	}
+ 
+ 	/* Try to find a line that starts with the user (or @group) name and a ':'. */
+ 	err = "secret not found";
+-	while ((user || group) && read_line_old(fd, line, sizeof line, 1)) {
+-		const char **ptr, *s;
++	while ((user || group) && fgets(line, sizeof line, fh) != NULL) {
++		const char **ptr, *s = strtok(line, "\n\r");
+ 		int len;
+-		if (*line == '@') {
++		if (!s)
++			continue;
++		if (*s == '@') {
+ 			ptr = &group;
+ 			len = group_len;
+-			s = line+1;
++			s++;
+ 		} else {
+ 			ptr = &user;
+ 			len = user_len;
+-			s = line;
+ 		}
+ 		if (!*ptr || strncmp(s, *ptr, len) != 0 || s[len] != ':')
+ 			continue;
+@@ -158,7 +160,7 @@ static const char *check_secret(int module, const char *user, const char *group,
+ 		*ptr = NULL; /* Don't look for name again. */
+ 	}
+ 
+-	close(fd);
++	fclose(fh);
+ 
+ 	memset(line, 0, sizeof line);
+ 	memset(pass2, 0, sizeof pass2);
+-- 
+1.7.0.4
+
+

rsync.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Apr 15 14:57:34 UTC 2014 - vcizek@suse.com
+
+- fix for CVE-2014-2855 (bnc#873740)
+  * a denial of service via CPU consumption
+  * added rsync-CVE-2014-2855.patch
+
 -------------------------------------------------------------------
 Fri Oct 25 12:25:26 UTC 2013 - vcizek@suse.com
 

rsync.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package rsync
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -43,6 +43,7 @@ Source11:       http://rsync.samba.org/ftp/rsync/src/rsync-patches-%{version}.ta
 Source12:       %{name}.keyring
 Patch3:         system-zlib.diff
 Patch4:         0001-use-lp_num_modules-instead-of-the-removed-lp_numserv.patch
+Patch5:         rsync-CVE-2014-2855.patch
 BuildRequires:  autoconf
 BuildRequires:  libacl-devel
 BuildRequires:  libattr-devel
@@ -86,6 +87,7 @@ rm -f zlib/*.h
 %patch3
 %endif
 %patch4 -p1
+%patch5 -p1
 patch -p1 < patches/acls.diff
 patch -p1 < patches/xattrs.diff
 patch -p1 < patches/slp.diff