diff options
author | Sam James <sam@gentoo.org> | 2023-12-28 04:11:47 +0000 |
---|---|---|
committer | Sam James <sam@gentoo.org> | 2023-12-28 04:11:47 +0000 |
commit | 49fc4a8567531cb5d8f889832663c784d6a36ddf (patch) | |
tree | 60df65b088127f5cb251c83b51704edf6683960e | |
parent | sys-apps/cracklib-words: drop 2.9.8, 2.9.10 (diff) | |
download | gentoo-49fc4a8567531cb5d8f889832663c784d6a36ddf.tar.gz gentoo-49fc4a8567531cb5d8f889832663c784d6a36ddf.tar.bz2 gentoo-49fc4a8567531cb5d8f889832663c784d6a36ddf.zip |
net-misc/rsync: fix crash w/ FORTIFY_SOURCE=3
Closes: https://bugs.gentoo.org/917517
Signed-off-by: Sam James <sam@gentoo.org>
-rw-r--r-- | net-misc/rsync/files/rsync-3.2.7-fortify-source-3.patch | 54 | ||||
-rw-r--r-- | net-misc/rsync/rsync-3.2.7-r3.ebuild | 204 |
2 files changed, 258 insertions, 0 deletions
diff --git a/net-misc/rsync/files/rsync-3.2.7-fortify-source-3.patch b/net-misc/rsync/files/rsync-3.2.7-fortify-source-3.patch new file mode 100644 index 000000000000..952af573dfc7 --- /dev/null +++ b/net-misc/rsync/files/rsync-3.2.7-fortify-source-3.patch @@ -0,0 +1,54 @@ +https://bugs.gentoo.org/917517 +https://github.com/WayneD/rsync/issues/511 +https://bugzilla.suse.com/show_bug.cgi?id=1214249 +https://bugzilla.redhat.com/show_bug.cgi?id=2229654 +https://src.fedoraproject.org/rpms/rsync/raw/06d55616ec86c3a68a8af917783788b928fefcc4/f/rsync-3.2.7-buffer-overflow.patch + +From 1f83963f59960150e8c46112daa8411324c1f209 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby <jslaby@suse.cz> +Date: Fri, 18 Aug 2023 08:26:20 +0200 +Subject: [PATCH] exclude: fix crashes with fortified strlcpy() + +Fortified (-D_FORTIFY_SOURCE=2 for gcc) builds make strlcpy() crash when +its third parameter (size) is larger than the buffer: + $ rsync -FFXHav '--filter=merge global-rsync-filter' Align-37-43/ xxx + sending incremental file list + *** buffer overflow detected ***: terminated + +It's in the exclude code in setup_merge_file(): + strlcpy(y, save, MAXPATHLEN); + +Note the 'y' pointer was incremented, so it no longer points to memory +with MAXPATHLEN "owned" bytes. + +Fix it by remembering the number of copied bytes into the 'save' buffer +and use that instead of MAXPATHLEN which is clearly incorrect. + +Fixes #511. +--- + exclude.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/exclude.c b/exclude.c +index ffe55b167..1a5de3b9e 100644 +--- a/exclude.c ++++ b/exclude.c +@@ -720,7 +720,8 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex, + parent_dirscan = True; + while (*y) { + char save[MAXPATHLEN]; +- strlcpy(save, y, MAXPATHLEN); ++ /* copylen is strlen(y) which is < MAXPATHLEN. +1 for \0 */ ++ size_t copylen = strlcpy(save, y, MAXPATHLEN) + 1; + *y = '\0'; + dirbuf_len = y - dirbuf; + strlcpy(x, ex->pattern, MAXPATHLEN - (x - buf)); +@@ -734,7 +735,7 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex, + lp->head = NULL; + } + lp->tail = NULL; +- strlcpy(y, save, MAXPATHLEN); ++ strlcpy(y, save, copylen); + while ((*x++ = *y++) != '/') {} + } + parent_dirscan = False; diff --git a/net-misc/rsync/rsync-3.2.7-r3.ebuild b/net-misc/rsync/rsync-3.2.7-r3.ebuild new file mode 100644 index 000000000000..01c09f3cd5ca --- /dev/null +++ b/net-misc/rsync/rsync-3.2.7-r3.ebuild @@ -0,0 +1,204 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Uncomment when introducing a patch which touches configure +#RSYNC_NEEDS_AUTOCONF=1 +PYTHON_COMPAT=( python3_{9..11} ) +inherit flag-o-matic prefix python-single-r1 systemd + +DESCRIPTION="File transfer program to keep remote files into sync" +HOMEPAGE="https://rsync.samba.org/" +if [[ ${PV} == *9999 ]] ; then + EGIT_REPO_URI="https://github.com/WayneD/rsync.git" + inherit autotools git-r3 + + REQUIRED_USE="${PYTHON_REQUIRED_USE}" +else + VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/waynedavison.asc + inherit verify-sig + + if [[ -n ${RSYNC_NEEDS_AUTOCONF} ]] ; then + inherit autotools + fi + + if [[ ${PV} == *_pre* ]] ; then + SRC_DIR="src-previews" + else + SRC_DIR="src" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + fi + + SRC_URI="https://rsync.samba.org/ftp/rsync/${SRC_DIR}/${P/_/}.tar.gz + verify-sig? ( https://rsync.samba.org/ftp/rsync/${SRC_DIR}/${P/_/}.tar.gz.asc )" + S="${WORKDIR}"/${P/_/} +fi + +LICENSE="GPL-3" +SLOT="0" +IUSE="acl examples iconv lz4 rrsync ssl stunnel system-zlib xattr xxhash zstd" +REQUIRED_USE+=" examples? ( ${PYTHON_REQUIRED_USE} )" +REQUIRED_USE+=" rrsync? ( ${PYTHON_REQUIRED_USE} )" + +RDEPEND=" + >=dev-libs/popt-1.5 + acl? ( virtual/acl ) + examples? ( + ${PYTHON_DEPS} + dev-lang/perl + ) + lz4? ( app-arch/lz4:= ) + rrsync? ( + ${PYTHON_DEPS} + $(python_gen_cond_dep ' + dev-python/bracex[${PYTHON_USEDEP}] + ') + ) + ssl? ( dev-libs/openssl:= ) + system-zlib? ( sys-libs/zlib ) + xattr? ( kernel_linux? ( sys-apps/attr ) ) + xxhash? ( >=dev-libs/xxhash-0.8 ) + zstd? ( >=app-arch/zstd-1.4:= ) + iconv? ( virtual/libiconv )" +DEPEND="${RDEPEND}" +BDEPEND=" + examples? ( ${PYTHON_DEPS} ) + rrsync? ( ${PYTHON_DEPS} ) +" + +if [[ ${PV} == *9999 ]] ; then + BDEPEND+=" ${PYTHON_DEPS} + $(python_gen_cond_dep ' + dev-python/commonmark[${PYTHON_USEDEP}] + ')" +else + BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-waynedavison )" +fi + +PATCHES=( + "${FILESDIR}"/${P}-flist-memcmp-ub.patch + "${FILESDIR}"/${P}-fortify-source-3.patch +) + +pkg_setup() { + # - USE=examples needs Python itself at runtime, but nothing else + # - 9999 needs commonmark at build time + if [[ ${PV} == *9999 ]] || use examples || use rrsync; then + python-single-r1_pkg_setup + fi +} + +src_prepare() { + default + + if [[ ${PV} == *9999 || -n ${RSYNC_NEEDS_AUTOCONF} ]] ; then + eaclocal -I m4 + eautoconf -o configure.sh + eautoheader && touch config.h.in + fi + + if use examples || use rrsync; then + python_fix_shebang support/ + fi + + if [[ -f rrsync.1 ]]; then + # If the pre-build rrsync.1 man page exists, then link to it + # from support/rrsync.1 to avoid rsync's build system attempting + # re-creating the man page (bug #883049). + ln -s ../rrsync.1 support/rrsync.1 || die + fi +} + +src_configure() { + local myeconfargs=( + --with-rsyncd-conf="${EPREFIX}"/etc/rsyncd.conf + --without-included-popt + --enable-ipv6 + $(use_enable acl acl-support) + $(use_enable iconv) + $(use_enable lz4) + $(use_with rrsync) + $(use_enable ssl openssl) + $(use_with !system-zlib included-zlib) + $(use_enable xattr xattr-support) + $(use_enable xxhash) + $(use_enable zstd) + ) + + # https://github.com/WayneD/rsync/pull/428 + if is-flagq -fsanitize=undefined ; then + sed -E -i \ + -e 's:#define CAREFUL_ALIGNMENT (0|1):#define CAREFUL_ALIGNMENT 1:' \ + byteorder.h || die + append-flags -DCAREFUL_ALIGNMENT + fi + + econf "${myeconfargs[@]}" +} + +src_install() { + emake DESTDIR="${D}" install + + newconfd "${FILESDIR}"/rsyncd.conf.d rsyncd + newinitd "${FILESDIR}"/rsyncd.init.d-r1 rsyncd + + dodoc NEWS.md README.md TODO tech_report.tex + + insinto /etc + newins "${FILESDIR}"/rsyncd.conf-3.0.9-r1 rsyncd.conf + + insinto /etc/logrotate.d + newins "${FILESDIR}"/rsyncd.logrotate rsyncd + + insinto /etc/xinetd.d + newins "${FILESDIR}"/rsyncd.xinetd-3.0.9-r1 rsyncd + + # Install stunnel helpers + if use stunnel ; then + emake DESTDIR="${D}" install-ssl-daemon + fi + + # Install the useful contrib scripts + if use examples ; then + # The 'rrsync' script is installed conditionally via the 'rrysnc' + # USE flag, and not via the 'examples' USE flag. + rm support/rrsync* || die + + exeinto /usr/share/rsync + doexe support/* + + rm -f "${ED}"/usr/share/rsync/{Makefile*,*.c} + fi + + eprefixify "${ED}"/etc/{,xinetd.d}/rsyncd* + + systemd_newunit packaging/systemd/rsync.service rsyncd.service +} + +pkg_postinst() { + if grep -Eqis '^[[:space:]]use chroot[[:space:]]*=[[:space:]]*(no|0|false)' \ + "${EROOT}"/etc/rsyncd.conf "${EROOT}"/etc/rsync/rsyncd.conf ; then + ewarn "You have disabled chroot support in your rsyncd.conf. This" + ewarn "is a security risk which you should fix. Please check your" + ewarn "/etc/rsyncd.conf file and fix the setting 'use chroot'." + fi + + if use stunnel ; then + einfo "Please install \">=net-misc/stunnel-4\" in order to use stunnel feature." + einfo + einfo "You maybe have to update the certificates configured in" + einfo "${EROOT}/etc/stunnel/rsync.conf" + fi + + if use system-zlib ; then + ewarn "Using system-zlib is incompatible with <rsync-3.1.1 when" + ewarn "using the --compress option." + ewarn + ewarn "When syncing with >=rsync-3.1.1 built with bundled zlib," + ewarn "and the --compress option, add --new-compress (-zz)." + ewarn + ewarn "For syncing the portage tree, add:" + ewarn "PORTAGE_RSYNC_EXTRA_OPTS=\"--new-compress\" to make.conf" + fi +} |