deepin-community · Zeno-sole · May 13, 2026 · May 12, 2026 · May 13, 2026
diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,13 @@
+rsync (3.4.1+ds1-7deepin1) unstable; urgency=medium
+
+  * d/p/CVE-2026-41035.patch: Import upstream patch to fix CVE-2026-41035
+
+    In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted
+    length value during a qsort call, leading to a receiver use-after-free.
+    (Closes: #1134617)
+
+ -- hudeng <hudeng@deepin.org>  Sun, 11 May 2026 10:52:00 +0800
+
 rsync (3.4.1+ds1-7) unstable; urgency=medium
 
   * Team upload.

diff --git a/debian/patches/CVE-2026-41035.patch b/debian/patches/CVE-2026-41035.patch
@@ -0,0 +1,34 @@
+From bb0a8118c2d2ab01140bac5e4e327e5e1ef90c9c Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <bugs@samba.org>
+Date: Wed, 22 Apr 2026 09:57:45 +1000
+Subject: [PATCH] xattrs: fixed count in qsort
+
+this fixes the count passed to the sort of the xattr list. This issue
+was reported here:
+
+https://www.openwall.com/lists/oss-security/2026/04/16/2
+
+the bug is not exploitable due to the fork-per-connection design of
+rsync, the attack is the equivalent of the user closing the socket
+themselves.
+---
+ xattrs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/xattrs.c b/xattrs.c
+index 26e50a6f9..65166eed9 100644
+--- a/xattrs.c
++++ b/xattrs.c
+@@ -860,8 +860,8 @@ void receive_xattr(int f, struct file_struct *file)
+ 		rxa->num = num;
+ 	}
+
+-	if (need_sort && count > 1)
+-		qsort(temp_xattr.items, count, sizeof (rsync_xa), rsync_xal_compare_names);
++	if (need_sort && temp_xattr.count > 1)
++		qsort(temp_xattr.items, temp_xattr.count, sizeof (rsync_xa), rsync_xal_compare_names);
+
+ 	ndx = rsync_xal_store(&temp_xattr); /* adds item to rsync_xal_l */
+
+-- 
+2.43.0
diff --git a/debian/patches/series b/debian/patches/series
@@ -6,3 +6,4 @@ fix-flaky-hardlinks-test.patch
 reproducible-build.patch
 gcc_15.patch
 CVE-2025-10158.patch
+CVE-2026-41035.patch