From ae2f301e322341e5b61234c5250c7ad48c487399 Mon Sep 17 00:00:00 2001 From: deepin-ci-robot Date: Tue, 12 May 2026 14:51:16 +0800 Subject: [PATCH 1/2] fix(rsync): CVE-2026-41035 use-after-free in receive_xattr * d/p/CVE-2026-41035.patch: Import upstream patch to fix CVE-2026-41035 In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. (Closes: #1134617) Co-Author: hudeng --- debian/changelog | 10 +++++++++ debian/patches/CVE-2026-41035.patch | 34 +++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 45 insertions(+) create mode 100644 debian/patches/CVE-2026-41035.patch diff --git a/debian/changelog b/debian/changelog index 9913f41..933ae5e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +rsync (3.4.1+ds1-8) unstable; urgency=medium + + * d/p/CVE-2026-41035.patch: Import upstream patch to fix CVE-2026-41035 + + In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted + length value during a qsort call, leading to a receiver use-after-free. + (Closes: #1134617) + + -- hudeng Sun, 11 May 2026 10:52:00 +0800 + rsync (3.4.1+ds1-7) unstable; urgency=medium * Team upload. diff --git a/debian/patches/CVE-2026-41035.patch b/debian/patches/CVE-2026-41035.patch new file mode 100644 index 0000000..7c3c697 --- /dev/null +++ b/debian/patches/CVE-2026-41035.patch @@ -0,0 +1,34 @@ +From bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c Mon Sep 17 00:00:00 2001 +From: Andrew Tridgell +Date: Wed, 22 Apr 2026 09:57:45 +1000 +Subject: [PATCH] xattrs: fixed count in qsort + +this fixes the count passed to the sort of the xattr list. This issue +was reported here: + +https://www.openwall.com/lists/oss-security/2026/04/16/2 + +the bug is not exploitable due to the fork-per-connection design of +rsync, the attack is the equivalent of the user closing the socket +themselves. +--- + xattrs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/xattrs.c b/xattrs.c +index 26e50a6f9..65166eed9 100644 +--- a/xattrs.c ++++ b/xattrs.c +@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file) + rxa->num = num; + } + +- if (need_sort && count > 1) +- qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names); ++ if (need_sort && temp_xattr.count > 1) ++ qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names); + + ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */ + +-- +2.43.0 diff --git a/debian/patches/series b/debian/patches/series index d85b6c4..52046eb 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ fix-flaky-hardlinks-test.patch reproducible-build.patch gcc_15.patch CVE-2025-10158.patch +CVE-2026-41035.patch From 80f1f3982198a391ea348ad6061fe2942a666349 Mon Sep 17 00:00:00 2001 From: lichenggang Date: Wed, 13 May 2026 11:13:05 +0800 Subject: [PATCH 2/2] feat: update changelog --- debian/changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 933ae5e..424a67c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -rsync (3.4.1+ds1-8) unstable; urgency=medium +rsync (3.4.1+ds1-7deepin1) unstable; urgency=medium * d/p/CVE-2026-41035.patch: Import upstream patch to fix CVE-2026-41035