diff --git a/debian/changelog b/debian/changelog
index 9913f41..424a67c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+rsync (3.4.1+ds1-7deepin1) unstable; urgency=medium
+
+ * d/p/CVE-2026-41035.patch: Import upstream patch to fix CVE-2026-41035
+
+ In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted
+ length value during a qsort call, leading to a receiver use-after-free.
+ (Closes: #1134617)
+
+ -- hudeng Sun, 11 May 2026 10:52:00 +0800
+
 rsync (3.4.1+ds1-7) unstable; urgency=medium
 
 * Team upload.
diff --git a/debian/patches/CVE-2026-41035.patch b/debian/patches/CVE-2026-41035.patch
new file mode 100644
index 0000000..7c3c697
--- /dev/null
+++ b/debian/patches/CVE-2026-41035.patch
@@ -0,0 +1,34 @@
+From bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell
+Date: Wed, 22 Apr 2026 09:57:45 +1000
+Subject: [PATCH] xattrs: fixed count in qsort
+
+this fixes the count passed to the sort of the xattr list. This issue
+was reported here:
+
+https://www.openwall.com/lists/oss-security/2026/04/16/2
+
+the bug is not exploitable due to the fork-per-connection design of
+rsync, the attack is the equivalent of the user closing the socket
+themselves.
+---
+ xattrs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xattrs.c b/xattrs.c
+index 26e50a6f9..65166eed9 100644
+--- a/xattrs.c
++++ b/xattrs.c
+@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file)
+ rxa->num = num;
+ }
+
+- if (need_sort && count > 1)
+- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names);
++ if (need_sort && temp_xattr.count > 1)
++ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names);
+
+ ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */
+
+--
+2.43.0
diff --git a/debian/patches/series b/debian/patches/series
index d85b6c4..52046eb 100644
--- a/debian/patches/series
+++ b/debian/patches/series
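Review bot: The corrected `qsort` call in `receive_xattr` has no comment recording why the element count must come from `temp_xattr.count` and not from the local `count`, so a later tidy-up could restore the old form unnoticed; I would add `/* Sort only the entries stored in temp_xattr; count is the sender-supplied value and is not the array length. */` above the `if`. The function starts and ends outside this hunk, so the code that reads `count` and fills `temp_xattr` is not visible here; since the changelog calls that value untrusted, it is worth confirming that its other uses are bounded as well. The imported patch touches only `xattrs.c` (1 file changed), so no regression test accompanies the fix.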
@@ -6,3 +6,4 @@ fix-flaky-hardlinks-test.patch
 reproducible-build.patch
 gcc_15.patch
 CVE-2025-10158.patch
+CVE-2026-41035.patch