From 814aea5ad477adbb073d1a47e7ecf42d169b0b85961ada8c88f7be53971ba0ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ismail=20D=C3=B6nmez?= <ismail@i10z.com>
Date: Tue, 3 Feb 2015 07:22:35 +0000
Subject: [PATCH] Accepting request 283799 from
 home:vitezslav_cizek:branches:network

- fix for CVE-2014-9512 (bnc#915410)
  * path spoofing attack vulnerability
  * added rsync-CVE-2014-9512.patch

OBS-URL: https://build.opensuse.org/request/show/283799
OBS-URL: https://build.opensuse.org/package/show/network/rsync?expand=0&rev=41
---
 rsync-CVE-2014-9512.patch | 104 ++++++++++++++++++++++++++++++++++++++
 rsync.changes             |   7 +++
 rsync.spec                |   4 +-
 3 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 rsync-CVE-2014-9512.patch

diff --git a/rsync-CVE-2014-9512.patch b/rsync-CVE-2014-9512.patch
new file mode 100644
index 0000000..2ef249c
--- /dev/null
+++ b/rsync-CVE-2014-9512.patch
@@ -0,0 +1,104 @@
+commit 962f8b90045ab331fc04c9e65f80f1a53e68243b
+Author: Wayne Davison <wayned@samba.org>
+Date:   Wed Dec 31 12:41:03 2014 -0800
+
+    Complain if an inc-recursive path is not right for its dir.
+    This ensures that a malicious sender can't use a just-sent
+    symlink as a trasnfer path.
+
+diff --git a/flist.c b/flist.c
+index c24672e..92e4b65 100644
+--- a/flist.c
++++ b/flist.c
+@@ -2435,8 +2435,9 @@ struct file_list *send_file_list(int f, int argc, char *argv[])
+ 	return flist;
+ }
+ 
+-struct file_list *recv_file_list(int f)
++struct file_list *recv_file_list(int f, int dir_ndx)
+ {
++	const char *good_dirname = NULL;
+ 	struct file_list *flist;
+ 	int dstart, flags;
+ 	int64 start_read;
+@@ -2492,6 +2493,23 @@ struct file_list *recv_file_list(int f)
+ 		flist_expand(flist, 1);
+ 		file = recv_file_entry(f, flist, flags);
+ 
++		if (inc_recurse) {
++			static const char empty_dir[] = "\0";
++			const char *cur_dir = file->dirname ? file->dirname : empty_dir;
++			if (relative_paths && *cur_dir == '/')
++				cur_dir++;
++			if (cur_dir != good_dirname) {
++				const char *d = dir_ndx >= 0 ? f_name(dir_flist->files[dir_ndx], NULL) : empty_dir;
++				if (strcmp(cur_dir, d) != 0) {
++					rprintf(FERROR,
++						"ABORTING due to invalid dir prefix from sender: %s (should be: %s)\n",
++						cur_dir, d);
++					exit_cleanup(RERR_PROTOCOL);
++				}
++				good_dirname = cur_dir;
++			}
++		}
++
+ 		if (S_ISREG(file->mode)) {
+ 			/* Already counted */
+ 		} else if (S_ISDIR(file->mode)) {
+@@ -2615,7 +2633,7 @@ void recv_additional_file_list(int f)
+ 			rprintf(FINFO, "[%s] receiving flist for dir %d\n",
+ 				who_am_i(), ndx);
+ 		}
+-		flist = recv_file_list(f);
++		flist = recv_file_list(f, ndx);
+ 		flist->parent_ndx = ndx;
+ 	}
+ }
+diff --git a/io.c b/io.c
+index b9a9bd0..a868fa9 100644
+--- a/io.c
++++ b/io.c
+@@ -1685,7 +1685,7 @@ void wait_for_receiver(void)
+ 				rprintf(FINFO, "[%s] receiving flist for dir %d\n",
+ 					who_am_i(), ndx);
+ 			}
+-			flist = recv_file_list(iobuf.in_fd);
++			flist = recv_file_list(iobuf.in_fd, ndx);
+ 			flist->parent_ndx = ndx;
+ #ifdef SUPPORT_HARD_LINKS
+ 			if (preserve_hard_links)
+diff --git a/main.c b/main.c
+index e7a13f7..713b818 100644
+--- a/main.c
++++ b/main.c
+@@ -1009,7 +1009,7 @@ static void do_server_recv(int f_in, int f_out, int argc, char *argv[])
+ 		filesfrom_fd = -1;
+ 	}
+ 
+-	flist = recv_file_list(f_in);
++	flist = recv_file_list(f_in, -1);
+ 	if (!flist) {
+ 		rprintf(FERROR,"server_recv: recv_file_list error\n");
+ 		exit_cleanup(RERR_FILESELECT);
+@@ -1183,7 +1183,7 @@ int client_run(int f_in, int f_out, pid_t pid, int argc, char *argv[])
+ 
+ 	if (write_batch && !am_server)
+ 		start_write_batch(f_in);
+-	flist = recv_file_list(f_in);
++	flist = recv_file_list(f_in, -1);
+ 	if (inc_recurse && file_total == 1)
+ 		recv_additional_file_list(f_in);
+ 
+diff --git a/rsync.c b/rsync.c
+index 68ff6b1..c3ecc51 100644
+--- a/rsync.c
++++ b/rsync.c
+@@ -364,7 +364,7 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag_ptr, uchar *type_ptr,
+ 		}
+ 		/* Send all the data we read for this flist to the generator. */
+ 		start_flist_forward(ndx);
+-		flist = recv_file_list(f_in);
++		flist = recv_file_list(f_in, ndx);
+ 		flist->parent_ndx = ndx;
+ 		stop_flist_forward();
+ 	}
diff --git a/rsync.changes b/rsync.changes
index c81c74c..4e80351 100644
--- a/rsync.changes
+++ b/rsync.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Feb  2 18:42:25 UTC 2015 - vcizek@suse.com
+
+- fix for CVE-2014-9512 (bnc#915410)
+  * path spoofing attack vulnerability
+  * added rsync-CVE-2014-9512.patch
+
 -------------------------------------------------------------------
 Fri Nov 14 09:19:05 UTC 2014 - dimstar@opensuse.org
 
diff --git a/rsync.spec b/rsync.spec
index 53385fa..1d93623 100644
--- a/rsync.spec
+++ b/rsync.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package rsync
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -42,6 +42,7 @@ Source10:       http://rsync.samba.org/ftp/rsync/src/rsync-%{version}.tar.gz.asc
 Source11:       http://rsync.samba.org/ftp/rsync/src/rsync-patches-%{version}.tar.gz.asc
 Source12:       %{name}.keyring
 Patch3:         system-zlib.diff
+Patch4:         rsync-CVE-2014-9512.patch
 BuildRequires:  autoconf
 BuildRequires:  libacl-devel
 BuildRequires:  openslp-devel
@@ -79,6 +80,7 @@ for backups and mirroring and as an improved copy command for everyday use.
 rm -f zlib/*.h
 %patch3
 %endif
+%patch4 -p1
 patch -p1 < patches/acls.diff
 patch -p1 < patches/xattrs.diff
 patch -p1 < patches/slp.diff