| Message ID | 20260521133908.2652523-1-matthias.fischer@ipfire.org |
|---|---|
| State | Staged |
| Commit | 1928f95081afd1e8858a5a0d2ef1a44f897ecdaa |
| Series | rsync: Update to 3.4.3 |
Commit Message
Matthias Fischer
21 May 2026, 1:39 p.m. UTC
For details see:
https://download.samba.org/pub/rsync/NEWS#3.4.3
"SECURITY FIXES:
Six CVEs are fixed in this release. All six are assigned by VulnCheck as
CNA. Affected versions are 3.4.2 and earlier in every case. Three of the
six (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619) require non-default
daemon configuration to reach: the first and third need use chroot = no for
a module, the second needs daemon chroot = ... set in rsyncd.conf. Two
(CVE-2026-43618, CVE-2026-43620) are reachable from a normal pull or a
normal authenticated daemon connection. The sixth (CVE-2026-45232) is
reachable only when RSYNC_PROXY is set and the proxy (or a MITM) returns a
pathological response. Many thanks to the external researchers who reported
these issues.
CVE-2026-29518 (CVSS v4.0 7.3, HIGH): TOCTOU symlink race condition
allowing local privilege escalation in daemon mode without chroot. An
rsync daemon configured with "use chroot = no" was exposed to a
time-of-check / time-of-use race on parent path components: a local
attacker with write access to a module could replace a parent directory
component with a symlink between the receiver's check and its open(),
redirecting reads (basis-file disclosure) and writes (file overwrite)
outside the module. Default "use chroot = yes" is not exposed.
secure_relative_open() (added in 3.4.0 for CVE-2024-12086) was
previously unused in the daemon-no-chroot case; the fix enables it
there and reroutes the sender's read-path opens through it. Reported by
Nullx3D (Batuhan Sancak), Damien Neil and Michael Stapelberg.
CVE-2026-43617 (CVSS v3.1 4.8, MEDIUM): Hostname/ACL bypass on an rsync
daemon configured with daemon chroot = /X in rsyncd.conf when the
chroot tree lacks DNS resolution support. The reverse-DNS lookup of the
connecting client was performed after the daemon chroot had been
entered; if /X did not contain the libc resolver fixtures
(/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS service modules)
the lookup failed and the connecting hostname was set to "UNKNOWN",
causing hostname-based deny rules to silently fail open. IP-based ACLs
are unaffected. The per-module use chroot setting is unrelated to this
issue. The fix performs the lookup before entering the daemon chroot.
Reported by MegaManSec.
CVE-2026-43618 (CVSS v3.1 8.1, HIGH): Integer overflow in the
compressed-token decoder enabling remote memory disclosure to an
authenticated daemon peer. The receiver accumulated a 32-bit signed
counter without overflow checking; a malicious sender could trigger an
overflow that, with careful manipulation, leaked process memory
contents to the attacker -- environment variables, passwords, heap
and library pointers -- significantly weakening ASLR. The fix bounds
the counter and adds wire-input validation in several adjacent places
(defence-in-depth). Workaround for older releases: refuse options =
compress in rsyncd.conf. Reported by Omar Elsayed.
CVE-2026-43619 (CVSS v3.1 6.3, MEDIUM): Symlink races on path-based
system calls in "use chroot = no" daemon mode (generalisation of
CVE-2026-29518). Earlier fixes for symlink races on the receiver's
open() call missed the same race class on every other path-based system
call: chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod,
link, rmdir and lstat. The fix routes each affected path-based syscall
through a parent dirfd opened under RESOLVE_BENEATH-equivalent
kernel-enforced confinement (openat2 on Linux 5.6+, O_RESOLVE_BENEATH
on FreeBSD 13+ and macOS 15+, per-component O_NOFOLLOW walk elsewhere).
Default "use chroot = yes" is not exposed. Reported by Andrew Tridgell
as a follow-on audit of CVE-2026-29518.
CVE-2026-43620 (CVSS v3.1 6.5, MEDIUM): Out-of-bounds read in the
receiver's recv_files() enabling remote denial-of-service of any client
pulling from a malicious server (incomplete fix of commit 797e17f). The
earlier parent_ndx<0 guard added to send_files() was not applied to the
visually-identical block in recv_files(). A malicious rsync server can
drive any connecting client into a deterministic SIGSEGV by setting
CF_INC_RECURSE in the compatibility flags and sending a crafted file
list and transfer record. inc_recurse is the protocol-30+ default, so
no special options are required on the victim. Workaround for older
releases: --no-inc-recursive on the client. Reported by Pratham Gupta.
CVE-2026-45232 (CVSS v3.1 3.1, LOW): Off-by-one out-of-bounds stack
write in the rsync client's HTTP CONNECT proxy handler
(establish_proxy_connection() in socket.c). After issuing the CONNECT
request, rsync read the proxy's first response line one byte at a time
into a 1024-byte stack buffer with the bound cp < &buffer[sizeof buffer
- 1]. If the proxy (or a MITM in front of it) returned 1023+ bytes on
that first line without a newline terminator, cp exited the loop
pointing at a buffer slot the loop never wrote, leaving *cp holding
stale stack data from the earlier snprintf() of the outgoing CONNECT
request. The post-loop logic then wrote a single \0 one byte past the
end of the buffer on the stack. Reach is client-side only, and only
when RSYNC_PROXY is set so rsync tunnels an rsync:// connection through
an HTTP CONNECT proxy. The written byte is always \0 and the offset is
fixed by the buffer size, not attacker-chosen, so this is not an
arbitrary-write primitive: practical impact is corruption of one
adjacent stack byte and possible later misbehaviour or crash. The fix
detects the "buffer filled without finding \n" case explicitly by
position and refuses the response with "proxy response line too long".
Reported by Aisle Research via Michal Ruprich (rsync-3.4.1-2.el10 QE).
In addition to the six CVE fixes, this release adds defence-in-depth
hardening on several adjacent paths: bounded wire-supplied counts and
lengths in flist/io/acls/xattrs, a guard against length underflow in
cumulative snprintf() callers, a parent block-index bounds check on the
receiver, a NULL check in read_delay_line(), a lower ceiling on
MAX_WIRE_DEL_STAT to avoid signed-int overflow in the read_del_stats()
accumulator, rejection of hyphen-prefixed remote-shell hostnames
(defence-in-depth against argv-injection in tooling that forwards untrusted
input into the hostspec position; reported by Aisle Research via Michal
Ruprich), and a NULL-check on localtime_r() in timestring() to keep a
malicious server from crashing the client by advertising a file with an
out-of-range modtime.
BUG FIXES:
Fixed a regression introduced by the 3.4.0 secure_relative_open() CVE
fix where legitimate directory symlinks on the receiver side (e.g. when
using -K / --copy-dirlinks) caused "failed verification -- update
discarded" errors on delta transfers. The old code rejected every
symlink in the path with a per-component O_NOFOLLOW walk; the receiver
now uses kernel-enforced "stay below dirfd" path resolution where
available. Fixes #715.
PORTABILITY / BUILD:
secure_relative_open() now uses openat2(RESOLVE_BENEATH |
RESOLVE_NO_MAGICLINKS) on Linux 5.6+, and openat() with
O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+ (Sequoia) / iOS 18+. The
kernel rejects ".." escapes, absolute symlinks, and symlinks whose
target lies outside the starting directory, while still following
symlinks that resolve within it -- the same trade-off that fixes the
issue #715 regression without weakening the original CVE protection.
Other platforms (Solaris, OpenBSD, NetBSD, Cygwin) retain the previous
per-component O_NOFOLLOW walk; on those platforms the issue #715
regression remains visible.
testsuite/xattrs: ignore SUNWattr_* in the Solaris xls helper.
DEVELOPER RELATED:
Added testsuite/symlink-dirlink-basis.test (taken from PR #864 by
Samuel Henrique) covering the issue #715 regression and several edge
cases (--backup, --inplace, --partial-dir with protocol < 29, top-level
files). The test skips on platforms without a RESOLVE_BENEATH
equivalent.
Added regression tests for the new security fixes:
chmod-symlink-race.test, chdir-symlink-race.test,
bare-do-open-symlink-race.test, alt-dest-symlink-race.test,
copy-dest-source-symlink.test, sender-flist-symlink-leak.test,
secure-relpath-validation.test, daemon-chroot-acl.test and
daemon-refuse-compress.test. The symlink-race tests skip on Cygwin,
Solaris, OpenBSD and NetBSD (no RESOLVE_BENEATH equivalent on those
platforms).
runtests.py now errors early with a clear message when any of the test
helper programs (tls, trimslash, t_unsafe, t_chmod_secure,
t_secure_relpath, wildtest, getgroups, getfsdev) are missing, instead
of letting many tests fail with confusing "not found" errors.
Added OpenBSD and NetBSD CI jobs that run make check on those
platforms.
Added Ubuntu 22.04 and AlmaLinux 8 CI workflows so future backports to
the two mainstream LTS families build and test on the same CI surface
as trunk.
testsuite/protected-regular.test now runs unprivileged via unshare with
user-namespace UID mapping, falling back to skip if unshare/uidmap is
not available; previously it required real root.
Added symlink-dirlink-basis to the Cygwin CI's expected-skipped list.
Removed the old release system (replaced by the new release script in
3.4.2)."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
lfs/rsync | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lfs/rsync b/lfs/rsync index 6053dca82..2787e91a0 100644 --- a/lfs/rsync +++ b/lfs/rsync @@ -26,7 +26,7 @@ include Config SUMMARY = Versatile tool for fast incremental file transfer -VER = 3.4.2 +VER = 3.4.3 THISAPP = rsync-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = rsync -PAK_VER = 22 +PAK_VER = 23 DEPS = libxxhash @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = bfc8aa3dc3b75de5e81519eab6d505ebd4d05ebc79c3336ebc925486fa6267cd13a37844d0817183cec68215788bc07e4a281f716bcd0bc7d93daa995df9122c +$(DL_FILE)_BLAKE2 = 0bafded6a76a2cedcc6b1f37610c785fa05e62955a43ecb85b8522183a902be3b86157eccbf502116177be0efe19f3051d93cdca5e5734f4a3fbc8bca9878a4f install : $(TARGET)
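Review bot: the commit subject "rsync: Update to 3.4.3" does not flag that the version bump in the first hunk is a security update; the quoted NEWS lists six CVEs, two of which (CVE-2026-43620, CVE-2026-45232) affect the rsync client and not only the daemon. Consider naming the CVE identifiers in the first lines of the commit message so the change is findable in the log without reading the full NEWS quote.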
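Review bot: the BLAKE2 digest change in the third hunk is the only integrity check on the tarball, because DL_FROM is $(URL_IPFIRE) (the IPFire mirror) rather than upstream, and the commit message does not say where the new digest was taken from. Please confirm that the rsync-3.4.3.tar.gz on the mirror matches the upstream release at download.samba.org (and its signature) before this is merged, since a tampered mirror copy would otherwise be sealed in by this hash.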
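As an added example (not rsync's own code), a bounded reader for the proxy's first CONNECT response line that applies the 3.4.3 fix described for CVE-2026-45232: it refuses, by position, a line that fills the 1024-byte buffer without a newline instead of letting the terminator land one byte past the end. The in-memory byte source, the function names and the return codes are assumptions made for this demonstration.

```c
#include <stdio.h>
#include <string.h>

#define PROXY_LINE_MAX 1024 /* same size as the stack buffer in the report */

/* Constructed in-memory byte source standing in for the proxy socket
 * (an assumption for this example; rsync reads from the socket fd). */
struct mem_src { const char *data; size_t len, pos; };

static int read_byte(struct mem_src *s, char *out) { /* 1 = got a byte, 0 = EOF */
    if (s->pos >= s->len) return 0;
    *out = s->data[s->pos++];
    return 1;
}

/* Reads the proxy's first response line one byte at a time.
 * Returns 0 on success (NUL-terminated line in buf, CR stripped),
 * -1 if the line would fill the buffer without a '\n', -2 on EOF. */
static int read_proxy_line(struct mem_src *src, char buf[PROXY_LINE_MAX]) {
    size_t n = 0;
    for (;;) {
        char ch;
        if (!read_byte(src, &ch)) return -2;
        if (ch == '\n') break;
        /* Last slot is reserved for the terminator. Reaching it with more
         * line data still arriving is the "buffer filled without finding \n"
         * case: refuse by position instead of writing past the buffer. */
        if (n == PROXY_LINE_MAX - 1) {
            fprintf(stderr, "proxy response line too long\n");
            return -1;
        }
        buf[n++] = ch;
    }
    while (n > 0 && buf[n - 1] == '\r') n--; /* tolerate CRLF */
    buf[n] = '\0';                           /* n <= PROXY_LINE_MAX - 1 */
    return 0;
}

/* Wrapper for running the reader over constructed input. */
static int check_line(const char *data, size_t len, char out[PROXY_LINE_MAX]) {
    struct mem_src s = { data, len, 0 };
    return read_proxy_line(&s, out);
}
```

A caller that receives -1 should drop the proxy connection, as 3.4.3 does, rather than retry with a larger buffer: a proxy or MITM that sends a kilobyte of status line with no newline is not speaking HTTP.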