Bug 57883 - rsync: Multiple issues (5.0)
Summary: rsync: Multiple issues (5.0)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: All Linux
: P3 normal
Target Milestone: UCS 5.0-9-errata
Assignee: Quality Assurance
QA Contact: Felix Botner
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-01-20 09:47 CET by Quality Assurance
Modified: 2025-01-22 17:04 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2025-01-20 09:47:24 CET 
New Debian rsync 3.1.3-6+deb10u2A~5.0.9.202501200947 fixes:
This update addresses the following issues:
3.1.3-6+deb10u1 (Sun, 12 Jan 2025 19:03:02 +0100)
* Non-maintainer upload by the ELTS Team.
* CVE-2024-12085 prevent information leak off the stack
* CVE-2024-12086 - refuse fuzzy options when fuzzy not selected - added  secure_relative_open() - receiver: use secure_relative_open() for basis  file - disallow ../ elements in relpath for secure_relative_open
* CVE-2024-12087 - Refuse a duplicate dirlist. - range check dir_ndx before  use
* CVE-2024-12088 make --safe-links stricter
* CVE-2024-12747 fixed symlink race condition in sender
3.1.3-6+deb10u2 (Fri, 17 Jan 2025 22:03:02 +0100)
* fix for upstream regression of CVE-2024-12087 FLAG_GOT_DIR_FLIST collission  with FLAG_HLINKED
* fix use-after-free in generator
Comment 1 Felix Botner univentionstaff 2025-01-20 12:46:39 CET 
updated patch 01_dirs_update_option
13284df0a02bba07249609687f966d68b0387768
Comment 2 Quality Assurance univentionstaff 2025-01-21 10:00:16 CET 
--- mirror/ftp/pool/main/r/rsync/rsync_3.1.3-6A~5.0.0.202006030949.dsc
+++ apt/ucs_5.0-0-errata5.0-9/source/rsync_3.1.3-6+deb10u2A~5.0.0.202501201057.dsc
@@ -1,7 +1,32 @@
-3.1.3-6A~5.0.0.202006030949 [Wed, 03 Jun 2020 09:49:22 +0200] Univention builddaemon <buildd@univention.de>:
+3.1.3-6+deb10u2A~5.0.0.202501201057 [Mon, 20 Jan 2025 10:57:01 -0000] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
-    01_dirs_update_option
+    01_dirs_update_option.patch
+
+3.1.3-6+deb10u2 [Fri, 17 Jan 2025 22:03:02 +0100] Thorsten Alteholz <debian@alteholz.de>:
+
+  * Non-maintainer upload by the ELTS Team.
+  * fix for upstream regression of CVE-2024-12087
+    FLAG_GOT_DIR_FLIST collission with FLAG_HLINKED
+  * fix use-after-free in generator
+
+3.1.3-6+deb10u1 [Sun, 12 Jan 2025 19:03:02 +0100] Thorsten Alteholz <debian@alteholz.de>:
+
+  * Non-maintainer upload by the ELTS Team.
+  * CVE-2024-12085
+    prevent information leak off the stack
+  * CVE-2024-12086
+    - refuse fuzzy options when fuzzy not selected
+    - added secure_relative_open()
+    - receiver: use secure_relative_open() for basis file
+    - disallow ../ elements in relpath for secure_relative_open
+  * CVE-2024-12087
+    - Refuse a duplicate dirlist.
+    - range check dir_ndx before use
+  * CVE-2024-12088
+    make --safe-links stricter
+  * CVE-2024-12747
+    fixed symlink race condition in sender
 
 3.1.3-6 [Fri, 15 Mar 2019 11:25:01 +0100] Paul Slootman <paul@debian.org>:
 

<http://piuparts.knut.univention.de/5.0-9/#3707218285517442912>
Comment 3 Felix Botner univentionstaff 2025-01-22 09:37:26 CET 
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-9] 4d8ed3e2c3bd | Bug #57883: rsync 3.1.3-6+deb10u2A~5.0.0.202501201057