[notify] rsync: fix for CVE-2007-4091

http://www.securityfocus.com/bid/25336 http://c-skills.blogspot.com/2007/08/cve-2007-4091.html
2007-08-24 08:33:40 +02:00 · 2007-08-24 08:33:40 +02:00 · 4222576ab7
commit 4222576ab7
parent 1162c85b0a
3 changed files with 68 additions and 3 deletions
--- a/rsync/.md5sum
+++ b/rsync/.md5sum
@ -1,3 +1,4 @@
+46fcea1ac64c9e075d0338f8e35b1af6  rsync-2.6.9-fname-obo.diff
 996d8d8831dbca17910094e56dcb5942  rsync-2.6.9.tar.gz
 f8dcfe5cf2afef1ea90107a6ff4540cd  rsync.driver
 a71995f22768c931c5649a1336d25ffb  rsyncd
--- a/rsync/Pkgfile
+++ b/rsync/Pkgfile
@ -5,18 +5,22 @@

 name=rsync
 version=2.6.9
-release=1
+release=2
 source=(http://rsync.samba.org/ftp/$name/$name-$version.tar.gz \
-        rsyncd.conf rsyncd rsync.driver)
+        rsyncd.conf rsyncd rsync.driver \
+        $name-$version-fname-obo.diff)

 build () {
    cd $name-$version
+
+    patch -p1 -i $SRC/$name-$version-fname-obo.diff
+
    ./configure --prefix=/usr \
                --mandir=/usr/man \
                --with-rsh=ssh
    make
    make DESTDIR=$PKG install
-    
+
    mkdir -p $PKG/etc/{rc.d,ports/drivers} $PKG/var/log
    install -m 755 $SRC/rsyncd $PKG/etc/rc.d
    install -m 644 $SRC/rsyncd.conf $PKG/etc
--- a/rsync/rsync-2.6.9-fname-obo.diff
+++ b/rsync/rsync-2.6.9-fname-obo.diff
@ -0,0 +1,60 @@
+--- rsync-2.6.9.orig/sender.c	2006-09-20 03:53:32.000000000 +0200
+++ rsync-2.6.9/sender.c	2007-07-25 15:33:05.000000000 +0200
+@@ -123,6 +123,7 @@
+ 	char fname[MAXPATHLEN];
+ 	struct file_struct *file;
+ 	unsigned int offset;
+	size_t l = 0;
+ 
+ 	if (ndx < 0 || ndx >= the_file_list->count)
+ 		return;
+@@ -133,6 +134,20 @@
+ 				    file->dir.root, "/", NULL);
+ 	} else
+ 		offset = 0;
+
+	l = offset + 1;
+	if (file) {
+		if (file->dirname)
+			l += strlen(file->dirname);
+		if (file->basename)
+			l += strlen(file->basename);
+	}
+
+	if (l >= sizeof(fname)) {
+		rprintf(FERROR, "Overlong pathname\n");
+		exit_cleanup(RERR_FILESELECT);
+	}
+
+ 	f_name(file, fname + offset);
+ 	if (remove_source_files) {
+ 		if (do_unlink(fname) == 0) {
+@@ -224,6 +239,7 @@
+ 	enum logcode log_code = log_before_transfer ? FLOG : FINFO;
+ 	int f_xfer = write_batch < 0 ? batch_fd : f_out;
+ 	int i, j;
+	size_t l = 0;
+ 
+ 	if (verbose > 2)
+ 		rprintf(FINFO, "send_files starting\n");
+@@ -259,6 +275,20 @@
+ 				fname[offset++] = '/';
+ 		} else
+ 			offset = 0;
+
+		l = offset + 1;
+		if (file) {
+			if (file->dirname)
+				l += strlen(file->dirname);
+			if (file->basename)
+				l += strlen(file->basename);
+		}
+
+		if (l >= sizeof(fname)) {
+			rprintf(FERROR, "Overlong pathname\n");
+			exit_cleanup(RERR_FILESELECT);
+		}
+
+ 		fname2 = f_name(file, fname + offset);
+ 
+ 		if (verbose > 2)