summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSam James <sam@gentoo.org>2023-12-28 04:11:47 +0000
committerSam James <sam@gentoo.org>2023-12-28 04:11:47 +0000
commit49fc4a8567531cb5d8f889832663c784d6a36ddf (patch)
tree60df65b088127f5cb251c83b51704edf6683960e
parentsys-apps/cracklib-words: drop 2.9.8, 2.9.10 (diff)
downloadgentoo-49fc4a8567531cb5d8f889832663c784d6a36ddf.tar.gz
gentoo-49fc4a8567531cb5d8f889832663c784d6a36ddf.tar.bz2
gentoo-49fc4a8567531cb5d8f889832663c784d6a36ddf.zip
net-misc/rsync: fix crash w/ FORTIFY_SOURCE=3
Closes: https://bugs.gentoo.org/917517 Signed-off-by: Sam James <sam@gentoo.org>
-rw-r--r--net-misc/rsync/files/rsync-3.2.7-fortify-source-3.patch54
-rw-r--r--net-misc/rsync/rsync-3.2.7-r3.ebuild204
2 files changed, 258 insertions, 0 deletions
diff --git a/net-misc/rsync/files/rsync-3.2.7-fortify-source-3.patch b/net-misc/rsync/files/rsync-3.2.7-fortify-source-3.patch
new file mode 100644
index 000000000000..952af573dfc7
--- /dev/null
+++ b/net-misc/rsync/files/rsync-3.2.7-fortify-source-3.patch
@@ -0,0 +1,54 @@
+https://bugs.gentoo.org/917517
+https://github.com/WayneD/rsync/issues/511
+https://bugzilla.suse.com/show_bug.cgi?id=1214249
+https://bugzilla.redhat.com/show_bug.cgi?id=2229654
+https://src.fedoraproject.org/rpms/rsync/raw/06d55616ec86c3a68a8af917783788b928fefcc4/f/rsync-3.2.7-buffer-overflow.patch
+
+From 1f83963f59960150e8c46112daa8411324c1f209 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Fri, 18 Aug 2023 08:26:20 +0200
+Subject: [PATCH] exclude: fix crashes with fortified strlcpy()
+
+Fortified (-D_FORTIFY_SOURCE=2 for gcc) builds make strlcpy() crash when
+its third parameter (size) is larger than the buffer:
+ $ rsync -FFXHav '--filter=merge global-rsync-filter' Align-37-43/ xxx
+ sending incremental file list
+ *** buffer overflow detected ***: terminated
+
+It's in the exclude code in setup_merge_file():
+ strlcpy(y, save, MAXPATHLEN);
+
+Note the 'y' pointer was incremented, so it no longer points to memory
+with MAXPATHLEN "owned" bytes.
+
+Fix it by remembering the number of copied bytes into the 'save' buffer
+and use that instead of MAXPATHLEN which is clearly incorrect.
+
+Fixes #511.
+---
+ exclude.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/exclude.c b/exclude.c
+index ffe55b167..1a5de3b9e 100644
+--- a/exclude.c
++++ b/exclude.c
+@@ -720,7 +720,8 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex,
+ parent_dirscan = True;
+ while (*y) {
+ char save[MAXPATHLEN];
+- strlcpy(save, y, MAXPATHLEN);
++ /* copylen is strlen(y) which is < MAXPATHLEN. +1 for \0 */
++ size_t copylen = strlcpy(save, y, MAXPATHLEN) + 1;
+ *y = '\0';
+ dirbuf_len = y - dirbuf;
+ strlcpy(x, ex->pattern, MAXPATHLEN - (x - buf));
+@@ -734,7 +735,7 @@ static BOOL setup_merge_file(int mergelist_num, filter_rule *ex,
+ lp->head = NULL;
+ }
+ lp->tail = NULL;
+- strlcpy(y, save, MAXPATHLEN);
++ strlcpy(y, save, copylen);
+ while ((*x++ = *y++) != '/') {}
+ }
+ parent_dirscan = False;
diff --git a/net-misc/rsync/rsync-3.2.7-r3.ebuild b/net-misc/rsync/rsync-3.2.7-r3.ebuild
new file mode 100644
index 000000000000..01c09f3cd5ca
--- /dev/null
+++ b/net-misc/rsync/rsync-3.2.7-r3.ebuild
@@ -0,0 +1,204 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Uncomment when introducing a patch which touches configure
+#RSYNC_NEEDS_AUTOCONF=1
+PYTHON_COMPAT=( python3_{9..11} )
+inherit flag-o-matic prefix python-single-r1 systemd
+
+DESCRIPTION="File transfer program to keep remote files into sync"
+HOMEPAGE="https://rsync.samba.org/"
+if [[ ${PV} == *9999 ]] ; then
+ EGIT_REPO_URI="https://github.com/WayneD/rsync.git"
+ inherit autotools git-r3
+
+ REQUIRED_USE="${PYTHON_REQUIRED_USE}"
+else
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/waynedavison.asc
+ inherit verify-sig
+
+ if [[ -n ${RSYNC_NEEDS_AUTOCONF} ]] ; then
+ inherit autotools
+ fi
+
+ if [[ ${PV} == *_pre* ]] ; then
+ SRC_DIR="src-previews"
+ else
+ SRC_DIR="src"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+ fi
+
+ SRC_URI="https://rsync.samba.org/ftp/rsync/${SRC_DIR}/${P/_/}.tar.gz
+ verify-sig? ( https://rsync.samba.org/ftp/rsync/${SRC_DIR}/${P/_/}.tar.gz.asc )"
+ S="${WORKDIR}"/${P/_/}
+fi
+
+LICENSE="GPL-3"
+SLOT="0"
+IUSE="acl examples iconv lz4 rrsync ssl stunnel system-zlib xattr xxhash zstd"
+REQUIRED_USE+=" examples? ( ${PYTHON_REQUIRED_USE} )"
+REQUIRED_USE+=" rrsync? ( ${PYTHON_REQUIRED_USE} )"
+
+RDEPEND="
+ >=dev-libs/popt-1.5
+ acl? ( virtual/acl )
+ examples? (
+ ${PYTHON_DEPS}
+ dev-lang/perl
+ )
+ lz4? ( app-arch/lz4:= )
+ rrsync? (
+ ${PYTHON_DEPS}
+ $(python_gen_cond_dep '
+ dev-python/bracex[${PYTHON_USEDEP}]
+ ')
+ )
+ ssl? ( dev-libs/openssl:= )
+ system-zlib? ( sys-libs/zlib )
+ xattr? ( kernel_linux? ( sys-apps/attr ) )
+ xxhash? ( >=dev-libs/xxhash-0.8 )
+ zstd? ( >=app-arch/zstd-1.4:= )
+ iconv? ( virtual/libiconv )"
+DEPEND="${RDEPEND}"
+BDEPEND="
+ examples? ( ${PYTHON_DEPS} )
+ rrsync? ( ${PYTHON_DEPS} )
+"
+
+if [[ ${PV} == *9999 ]] ; then
+ BDEPEND+=" ${PYTHON_DEPS}
+ $(python_gen_cond_dep '
+ dev-python/commonmark[${PYTHON_USEDEP}]
+ ')"
+else
+ BDEPEND+=" verify-sig? ( sec-keys/openpgp-keys-waynedavison )"
+fi
+
+PATCHES=(
+ "${FILESDIR}"/${P}-flist-memcmp-ub.patch
+ "${FILESDIR}"/${P}-fortify-source-3.patch
+)
+
+pkg_setup() {
+ # - USE=examples needs Python itself at runtime, but nothing else
+ # - 9999 needs commonmark at build time
+ if [[ ${PV} == *9999 ]] || use examples || use rrsync; then
+ python-single-r1_pkg_setup
+ fi
+}
+
+src_prepare() {
+ default
+
+ if [[ ${PV} == *9999 || -n ${RSYNC_NEEDS_AUTOCONF} ]] ; then
+ eaclocal -I m4
+ eautoconf -o configure.sh
+ eautoheader && touch config.h.in
+ fi
+
+ if use examples || use rrsync; then
+ python_fix_shebang support/
+ fi
+
+ if [[ -f rrsync.1 ]]; then
+ # If the pre-build rrsync.1 man page exists, then link to it
+ # from support/rrsync.1 to avoid rsync's build system attempting
+ # re-creating the man page (bug #883049).
+ ln -s ../rrsync.1 support/rrsync.1 || die
+ fi
+}
+
+src_configure() {
+ local myeconfargs=(
+ --with-rsyncd-conf="${EPREFIX}"/etc/rsyncd.conf
+ --without-included-popt
+ --enable-ipv6
+ $(use_enable acl acl-support)
+ $(use_enable iconv)
+ $(use_enable lz4)
+ $(use_with rrsync)
+ $(use_enable ssl openssl)
+ $(use_with !system-zlib included-zlib)
+ $(use_enable xattr xattr-support)
+ $(use_enable xxhash)
+ $(use_enable zstd)
+ )
+
+ # https://github.com/WayneD/rsync/pull/428
+ if is-flagq -fsanitize=undefined ; then
+ sed -E -i \
+ -e 's:#define CAREFUL_ALIGNMENT (0|1):#define CAREFUL_ALIGNMENT 1:' \
+ byteorder.h || die
+ append-flags -DCAREFUL_ALIGNMENT
+ fi
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ newconfd "${FILESDIR}"/rsyncd.conf.d rsyncd
+ newinitd "${FILESDIR}"/rsyncd.init.d-r1 rsyncd
+
+ dodoc NEWS.md README.md TODO tech_report.tex
+
+ insinto /etc
+ newins "${FILESDIR}"/rsyncd.conf-3.0.9-r1 rsyncd.conf
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/rsyncd.logrotate rsyncd
+
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}"/rsyncd.xinetd-3.0.9-r1 rsyncd
+
+ # Install stunnel helpers
+ if use stunnel ; then
+ emake DESTDIR="${D}" install-ssl-daemon
+ fi
+
+ # Install the useful contrib scripts
+ if use examples ; then
+ # The 'rrsync' script is installed conditionally via the 'rrysnc'
+ # USE flag, and not via the 'examples' USE flag.
+ rm support/rrsync* || die
+
+ exeinto /usr/share/rsync
+ doexe support/*
+
+ rm -f "${ED}"/usr/share/rsync/{Makefile*,*.c}
+ fi
+
+ eprefixify "${ED}"/etc/{,xinetd.d}/rsyncd*
+
+ systemd_newunit packaging/systemd/rsync.service rsyncd.service
+}
+
+pkg_postinst() {
+ if grep -Eqis '^[[:space:]]use chroot[[:space:]]*=[[:space:]]*(no|0|false)' \
+ "${EROOT}"/etc/rsyncd.conf "${EROOT}"/etc/rsync/rsyncd.conf ; then
+ ewarn "You have disabled chroot support in your rsyncd.conf. This"
+ ewarn "is a security risk which you should fix. Please check your"
+ ewarn "/etc/rsyncd.conf file and fix the setting 'use chroot'."
+ fi
+
+ if use stunnel ; then
+ einfo "Please install \">=net-misc/stunnel-4\" in order to use stunnel feature."
+ einfo
+ einfo "You maybe have to update the certificates configured in"
+ einfo "${EROOT}/etc/stunnel/rsync.conf"
+ fi
+
+ if use system-zlib ; then
+ ewarn "Using system-zlib is incompatible with <rsync-3.1.1 when"
+ ewarn "using the --compress option."
+ ewarn
+ ewarn "When syncing with >=rsync-3.1.1 built with bundled zlib,"
+ ewarn "and the --compress option, add --new-compress (-zz)."
+ ewarn
+ ewarn "For syncing the portage tree, add:"
+ ewarn "PORTAGE_RSYNC_EXTRA_OPTS=\"--new-compress\" to make.conf"
+ fi
+}