rsbecker at nexbridge.com
2025-Jan-15 03:35 UTC
new release 3.4.0 - critical security release
Another issue here in findme.c. strlcpy() is a BSD-only method and definitely not portable. Please consider other platforms when creating patches. I can provide a patch to this patch also.

Thanks,
Randall

From: rsync <rsync-bounces at lists.samba.org> On Behalf Of Randall S. Becker via rsync
Sent: January 14, 2025 6:46 PM
To: 'rsync.project' <rsync.project at gmail.com>
Cc: rsync at lists.samba.org
Subject: RE: new release 3.4.0 - critical security release

Here is my fix for the situation:

diff --git a/popt/findme.c b/popt/findme.c index ac4cbae..4fe8a18 100644 --- a/popt/findme.c +++ b/popt/findme.c @@ -25,12 +25,23 @@ const char * findProgramPath(const char * argv0) if (path == NULL) return NULL; bufsize = strlen(path) + 1; +#if defined __TANDEM + start = pathbuf = malloc(bufsize); +#else start = pathbuf = alloca(bufsize); +#endif if (pathbuf == NULL) return NULL; /* XXX can't happen */ strlcpy(pathbuf, path, bufsize); bufsize += sizeof "/" - 1 + strlen(argv0); buf = malloc(bufsize); +#if defined __TANDEM + if (buf == NULL) { + free(start); + return NULL; /* XXX can't happen */ + } +#else if (buf == NULL) return NULL; /* XXX can't happen */ +#endif chptr = NULL; /*@-branchstate@*/ @@ -39,8 +50,15 @@ const char * findProgramPath(const char * argv0) *chptr = '\0'; snprintf(buf, bufsize, "%s/%s", start, argv0); +#if defined __TANDEM + if (!access(buf, X_OK)) { + free(start); + return buf; + } +#else if (!access(buf, X_OK)) return buf; +#endif if (chptr) start = chptr + 1; @@ -51,5 +69,8 @@ const char * findProgramPath(const char * argv0) free(buf); +#if defined __TANDEM + free(start); +#endif return NULL; }

I would respectfully ask that it be included ASAP.

Thanks,
Randall
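Review bot: in the first hunk (@@ -25,12 +25,23 @@) the unchanged context still calls `strlcpy(pathbuf, path, bufsize);`, which is the BSD-only function the cover message flags as non-portable, so the patch does not remove the second portability problem it is sent to fix. Since `bufsize = strlen(path) + 1` covers the source string and its NUL exactly, `memcpy(pathbuf, path, bufsize);` produces the same contents with no truncation and no BSD dependency; the alternative is to keep strlcpy and include rsync.h so the project's own implementation is picked up, as the later message in this thread suggests. The `/* XXX can't happen */` comment copied into the new `__TANDEM` branch after `malloc(bufsize)` is also no longer true: a heap allocation can fail, the NULL check is a real exit path there, and the comment should be dropped. Given that the function already calls malloc for `buf`, allocating `pathbuf` with malloc on every platform would remove `alloca` and all three `#if defined __TANDEM` blocks instead of maintaining two copies of each exit path.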
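Review bot: `free(start);` in the new `__TANDEM` success branch of the second hunk (@@ -39,8 +50,15 @@) frees the wrong pointer once the loop has moved past the first PATH component. `start` is the scanning cursor, and the context at the end of this same hunk shows `if (chptr) start = chptr + 1;`, so on every iteration after the first `start` points into the middle of the block returned by `malloc(bufsize)` and passing it to free() is undefined behaviour. `pathbuf` still holds the original allocation and is the pointer to release: `free(pathbuf); return buf;`.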
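Review bot: the `free(start);` added before `return NULL;` in the third hunk (@@ -51,5 +69,8 @@) has the same defect as the success path: it runs after the loop has advanced `start` (the previous hunk shows `start = chptr + 1`), so for any PATH with more than one component it no longer points at the beginning of the malloc'ed copy and the call is undefined behaviour rather than a release of the buffer. Free `pathbuf` instead. If `pathbuf` is allocated with malloc on all platforms, this free becomes unconditional and the surrounding `#if defined __TANDEM` / `#endif` pair can go.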
From: rsync <rsync-bounces at lists.samba.org> On Behalf Of Randall S. Becker via rsync
Sent: January 14, 2025 6:09 PM
To: 'rsync.project' <rsync.project at gmail.com>
Cc: rsync at lists.samba.org
Subject: RE: new release 3.4.0 - critical security release

This happens on NonStop x86 and ia64. I have been building/packaging Rsync for years, almost a decade in fact. I think this happened once before this year, in fact.

It is equivalent to the more portable malloc/free, which I would prefer to have in this series even if it has to be wrapped in a #if defined (__TANDEM) block.

This call is considered not portable and allocates on the stack instead of the heap. This can cause performance issues as memory management on the heap is generally given more attention by runtimes. The reason it is not supported on NonStop is that the c99 compiler does not generate code for allocating on the stack on this machine.

Please forgive me here, but adding a new dependency for a critical security fix is rather painful.

--Randall

From: rsync.project <rsync.project at gmail.com>
Sent: January 14, 2025 4:31 PM
To: rsbecker at nexbridge.com
Cc: rsync at lists.samba.org
Subject: Re: new release 3.4.0 - critical security release

the alloca comes from the new popt release. What system are you having an issue with?

On Wed, 15 Jan 2025 at 07:16, <rsbecker at nexbridge.com> wrote:

A new dependency was added since 3.3, alloca(), which is not portable. Is there a way around this?

Thanks,
Randall
From: rsync <rsync-bounces at lists.samba.org> On Behalf Of rsync.project via rsync
Sent: January 14, 2025 2:49 PM
To: rsync-announce at lists.samba.org
Cc: rsync at lists.samba.org
Subject: new release 3.4.0 - critical security release

We have just released version 3.4.0 of rsync. This release fixes 6 security vulnerabilities found by two groups of security researchers.

You can find the new release links here:

- https://rsync.samba.org/
- https://download.samba.org/pub/rsync/src/

For details on the vulnerabilities please see this CERT advisory:

https://kb.cert.org/vuls/id/952657

The various distros should be doing security releases today.

Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for discovering these vulnerabilities and working with the rsync project to develop and test fixes.

Also many thanks to Wayne Davison for assisting with the release process as this is the first release I've done since 2002 when Wayne took over as the rsync maintainer.

Andrew Tridgell
rsync maintainer (again!)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/rsync/attachments/20250114/96fbebe8/attachment.htm>
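The thread above is about two portability problems in the PATH search that popt's findProgramPath() performs, alloca() and strlcpy(), and about how to release the heap copy of PATH correctly once alloca is replaced. The following is an added example, not code from popt, rsync or any message in this thread: it does the same search with malloc/free only, sizes the buffer so a plain memcpy cannot truncate, frees the original allocation rather than the cursor the loop advances, and, going beyond the original, treats an empty PATH component as the current directory. The function name find_program_path() and its second parameter (the PATH string passed in explicitly, so the search can be exercised without touching the environment) are assumptions made for this example.

```c
/* Added example (hypothetical find_program_path(); not popt's or rsync's code).
 * Portable equivalent of the PATH walk in popt's findProgramPath(): no alloca,
 * no strlcpy, and the heap copy of PATH is freed via the pointer malloc returned. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Search the colon-separated 'path' for an executable named argv0.
 * Returns a malloc'ed "<dir>/<argv0>" string the caller must free, or NULL. */
char *find_program_path(const char *argv0, const char *path)
{
    char *pathbuf, *start, *chptr, *buf;
    size_t bufsize;

    if (argv0 == NULL || path == NULL)
        return NULL;

    /* Heap copy of the search path that we can split in place.  malloc rather
     * than alloca: it is portable and a failed allocation is reportable. */
    bufsize = strlen(path) + 1;
    pathbuf = malloc(bufsize);
    if (pathbuf == NULL)
        return NULL;
    memcpy(pathbuf, path, bufsize);   /* bufsize includes the NUL: no truncation possible */

    /* Longest candidate is "<component>/<argv0>" plus NUL, where a component is
     * at most strlen(path) long, or "." when the component is empty. */
    bufsize = strlen(path) + 1 + strlen(argv0) + 2;
    buf = malloc(bufsize);
    if (buf == NULL) {
        free(pathbuf);
        return NULL;
    }

    start = pathbuf;                  /* cursor: advanced below, never freed */
    for (;;) {
        chptr = strchr(start, ':');
        if (chptr != NULL)
            *chptr = '\0';

        /* An empty component means the current directory (addition to the original). */
        snprintf(buf, bufsize, "%s/%s", *start != '\0' ? start : ".", argv0);
        if (access(buf, X_OK) == 0) {
            free(pathbuf);            /* the original allocation, not the advanced 'start' */
            return buf;               /* caller owns buf */
        }

        if (chptr == NULL)
            break;
        start = chptr + 1;
    }

    free(buf);
    free(pathbuf);
    return NULL;
}

/* Stand-alone use: look the name up in the real PATH (fallback list if unset). */
int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "sh";
    const char *path = getenv("PATH");
    char *found = find_program_path(name, path != NULL ? path : "/bin:/usr/bin");

    if (found == NULL) {
        printf("%s: not found\n", name);
        return 1;
    }
    printf("%s\n", found);
    free(found);
    return 0;
}
```

The point of keeping `pathbuf` and `start` as separate variables is visible in the loop: `start` is moved with `start = chptr + 1` on each iteration, so only `pathbuf` is a valid argument to free(); passing the advanced cursor is undefined behaviour even though it points inside the same block.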
rsbecker at nexbridge.com
2025-Jan-15 03:55 UTC
new release 3.4.0 - critical security release
FYI: I think this is just missing #include "rsync.h" in popt/findme.c

From: rsbecker at nexbridge.com <rsbecker at nexbridge.com>
Sent: January 14, 2025 10:35 PM
To: rsbecker at nexbridge.com; 'rsync.project' <rsync.project at gmail.com>
Cc: rsync at lists.samba.org
Subject: RE: new release 3.4.0 - critical security release

Another issue here in findme.c. strlcpy() is a BSD-only method and definitely not portable. Please consider other platforms when creating patches. I can provide a patch to this patch also.
The popt changes came from upstream popt. We have Solaris and FreeBSD CI tests, along with linux, but don't have a method for testing other platforms.

If you submit a PR to fix this, please consider a way we can test the fix in CI.

Cheers, Tridge

On Wed, 15 Jan 2025 at 14:35, <rsbecker at nexbridge.com> wrote:
> Another issue here in findme.c. strlcpy() is a BSD-only method and
> definitely not portable.
>
> Please consider other platforms when creating patches. I can provide a
> patch to this patch also.