From patchwork Thu Apr 30 18:36:48 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 9781 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4g62vY4t0Tz3x95 for ; Thu, 30 Apr 2026 18:36:57 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E8" (not verified)) by mail01.ipfire.org (Postfix) with ESMTPS id 4g62vY2TRwz7Jb for ; Thu, 30 Apr 2026 18:36:57 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4g62vX18lvz34Ct for ; Thu, 30 Apr 2026 18:36:56 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4g62vT3gxKz33j4 for ; Thu, 30 Apr 2026 18:36:53 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4g62vS4q9Gz7Jj; Thu, 30 Apr 2026 18:36:52 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1777574212; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UmHOOgaU0JgY/MKMMEQjwX5AXp5fszvG9Fq5/caldHQ=; b=+BV1/U4DLtT+FpL87gLe0wlWDW34SbPOAQ/Q8awW0uN3Mw4E7onz8TLG4WKj1IfoV0fR2i pve0j15sZfEGeXBw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1777574212; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=UmHOOgaU0JgY/MKMMEQjwX5AXp5fszvG9Fq5/caldHQ=; b=EkGyxndP/2UPyOGrQUEP3KJoz5WkIFlJdEshjYCj28cmCYuvhcGeWZfCxBF7t32GHxKPXN 7EorFTFnrNYOnBzNFcTTtvx39vhK3L+wMhwbMyIegYwTITs834d0LiI5SWnu5jEu3JJwHE nCaVT1ZXhlaywnfM8CG6ebS5+2bdVfweQL/M1eW0zpqIj5Sljel63io4h9+YHI9uIcn2r0 hipfRFwEcLdfDGnln2PNaklIeU58+5dBHS+lO/t9/q66qq/zyR2qZq20wJwoQxdZb4ymFA fxXTLn/rjONUJbyPLZRQy2Vo7JoaNyTZFc7Ljvt2ErZeiX0Dq6+RGDrpFwxf9w== From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH] rsync: Update to version 3.4.2 Date: Thu, 30 Apr 2026 20:36:48 +0200 Message-ID: <20260430183648.2774994-5-adolf.belka@ipfire.org> In-Reply-To: <20260430183648.2774994-1-adolf.belka@ipfire.org> References: <20260430183648.2774994-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 - Update from version 3.4.1 to 3.4.2 - No change to rootfile - Changelog 3.4.2 SECURITY RELATED: Several security-relevant defects were reported and fixed since 3.4.1. None were assigned a CVE — rsync's fork-per-connection design scopes the impact of each of these to the attacker's own connection, which is equivalent to the client closing the socket itself — but they are fixed here as a matter of hygiene and to reduce the chances of a future exploitable combination. Many thanks to the external researchers who reported these issues. - Fixed a signed integer overflow in the PROXY protocol v2 header parser: a negative `len` field could bypass the size check and cause a stack buffer overflow in `read_buf()`. Reported by John Walker of ZeroPath. - Fixed an invalid access to the files array. Reported by Calum Hutton of Rapid7. - Reject negative token values in the compressed-stream token decoder; a negative value could cause callers to misinterpret a missing data pointer as literal data. Reported by Will Sergeant. - Fixed the element count passed to the xattr `qsort()` (see https://www.openwall.com/lists/oss-security/2026/04/16/2). - Fixed a buffer underflow in `clean_fname()`, and added a regression test. - Fixed an uninitialized `mul_one` in the AVX2 get_checksum1 path (undefined behaviour), and added a SIMD-checksum self-test that cross-checks SSE2, SSSE3 and AVX2 against the C reference on both aligned and unaligned buffers. - Fixed an uninitialized `buf1` on the first call to `get_checksum2()` in the MD4 path (fixes #673). - Zero all new memory from internal allocations: `my_alloc()` now uses `calloc`, and `expand_item_list()` zeros the expanded portion after `realloc`. This gives more predictable behaviour if stale or uninitialised memory is ever accidentally read. BUG FIXES: - Call `tzset()` before chroot so that log timestamps continue to reflect the configured local timezone after the daemon chroots (glibc needs `/etc/localtime`, which is unreachable post-chroot). - Use the correct time when writing to the log file. - Do not clear `DISPLAY` unconditionally. - Fixed a Y2038 bug in `syscall.c` by replacing the `Int32x32To64` macro (which truncates its arguments to 32 bits) with a plain 64-bit multiplication. - Fixed ACL ID mapping for non-root users (closes #618). - Fixed handling of objects with many xattrs on FreeBSD. - Fixed `--open-noatime` not taking effect when opening regular files: `O_NOATIME` is now also passed to `do_open_nofollow()`, which has been used for regular files since the CVE fix "fixed symlink race condition in sender". - Ignore "directory has vanished" errors. - Fixed the removal of multiple leading slashes. - Added the missing `--dirs` long option. - Fixed a segfault if `poptGetContext()` returns NULL (e.g. under OOM) by not passing NULL to `poptReadDefaultConfig()`. Reported by Ronnie Sahlberg; found with `malloc-fail-tester`. - Fixed a build error on ia64 NonStop (which treats missing prototypes as an error, not a warning). - Fixed a flaky hardlinks test (fixes #735). ENHANCEMENTS: - Added multi-threaded `zstd` compression, gated by a new `--compress-threads=N` option, with validation and man-page coverage. - Documented the `temp dir` parameter in the rsyncd.conf man page (fixes #820). - Improved rendering of interior dashes in long-option names in `md-convert` (perhaps fixes #686). PORTABILITY / BUILD: - Fixed glibc 2.43 const-preserving overloads of `strtok()`, `strchr()` etc. by declaring the affected locals with the right constness. Contributed by Holger Hoffstätte. - Converted the bundled zlib 1.2.8 from K&R-style function definitions to ANSI prototypes, so it builds with clang 16+. - Avoid using `bool` as an identifier; it is a keyword in C23. - `configure.ac`: check for xattr functions in libc first and only fall back to `-lattr`, avoiding spurious overlinking when `-lattr` happens to be installed. Contributed by Eli Schwartz. - Made the build reproducible by honouring `SOURCE_DATE_EPOCH` for the manpage date. - Removed obsolete `popt/findme.c` and `popt/findme.h` that upstream popt 1.14 folded into `popt.c` (fixes #710). Contributed by Alan Coopersmith. INTERNAL: - Made many module-global variables `const` so they can live in `.rodata` and enable additional compiler optimization. DEVELOPER RELATED: - Replaced `runtests.sh` with `runtests.py`, a Python test runner that supports `--valgrind` (with per-process log files so valgrind output no longer interferes with output comparisons) and `-j/--parallel` execution for roughly a 7× speed-up on typical hardware. - Added a SIMD checksum self-test and a `clean-fname-underflow` regression test. - Various CI fixes for macOS and Cygwin (including adding `simd-checksum` to the expected-skipped lists on platforms without SIMD), and tests now run on `ubuntu-latest`. - removed support for the unmaintained rsync-patches archive Signed-off-by: Adolf Belka --- lfs/rsync | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/lfs/rsync b/lfs/rsync index 789b100bd..6053dca82 100644 --- a/lfs/rsync +++ b/lfs/rsync @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2025 IPFire Team # +# Copyright (C) 2007-2026 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config SUMMARY = Versatile tool for fast incremental file transfer -VER = 3.4.1 +VER = 3.4.2 THISAPP = rsync-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = rsync -PAK_VER = 21 +PAK_VER = 22 DEPS = libxxhash @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 79c1cad697547059ee241e20c26d7f97bed3ad062deb856d31a617fead333a2d9f62c7c47c1efaf70033dbc358fe547d034c35e8181abb51a1fc893557882bc7 +$(DL_FILE)_BLAKE2 = bfc8aa3dc3b75de5e81519eab6d505ebd4d05ebc79c3336ebc925486fa6267cd13a37844d0817183cec68215788bc07e4a281f716bcd0bc7d93daa995df9122c install : $(TARGET) @@ -81,18 +81,14 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - # Replace shebang in rsync-ssl cd $(DIR_APP) && sed -i -e "s@^#!.*@#!/bin/bash@" rsync-ssl - cd $(DIR_APP) && ./configure \ - --prefix=/usr \ - --without-included-popt \ - --without-included-zlib \ - --enable-xxhash - + --prefix=/usr \ + --without-included-popt \ + --without-included-zlib \ + --enable-xxhash cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) cd $(DIR_APP) && make install - @rm -rf $(DIR_APP) @$(POSTBUILD)