
Bug#1122068: marked as done (trixie-pu: package rsync/3.4.1+ds1-5+deb13u1)



Your message dated Sat, 10 Jan 2026 11:52:34 +0000
with message-id <E1veXWE-00000004RhA-3i2Z@coccia.debian.org>
and subject line Released with 13.3
has caused the Debian Bug report #1122068,
regarding trixie-pu: package rsync/3.4.1+ds1-5+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1122068: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1122068
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: rsync@packages.debian.org
Control: affects -1 + src:rsync
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
The reason is to fix CVE-2025-10158 [1]: a malicious client
acting as the receiver of an rsync file transfer can
trigger an out-of-bounds read of a heap-based buffer
via a negative array index. Bug: #1121442

[ Impact ]
The primary impact is Denial of Service (DoS): a malicious client
(with read access to an rsync module) can remotely crash the rsync
daemon by exploiting an Out-of-Bounds (OOB) heap read.

[ Tests ]
Verify that the patched rsync daemon does not crash when the
client attempts to use the specific protocol sequence that
previously led to the negative array index.

[ Risks ]
The risk of not applying this fix is medium. The vulnerability
allows an attacker to cause a denial-of-service (DoS).

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The fix essentially added a security validation check to the file
handling logic on the server side (sender.c).
The original code failed to verify if the variable holding
the parent directory index (cur_flist->parent_ndx) was
negative before accessing an array.

[ Other info ]
@samueloph has reviewed this backport and will sponsor it.

[1] https://security-tracker.debian.org/tracker/CVE-2025-10158
--
Thanks,
Polkorny
diff -Nru rsync-3.4.1+ds1/debian/changelog rsync-3.4.1+ds1/debian/changelog
--- rsync-3.4.1+ds1/debian/changelog	2025-07-26 06:26:07.000000000 -0300
+++ rsync-3.4.1+ds1/debian/changelog	2025-11-27 21:29:04.000000000 -0300
@@ -1,3 +1,14 @@
+rsync (3.4.1+ds1-5+deb13u1) trixie; urgency=medium
+
+  * Team upload.
+  * d/p/CVE-2025-10158.patch: Import upstream patch to fix CVE-2025-10158
+
+    A malicious client acting as the receiver of an rsync file transfer
+    can trigger an out of bounds read of a heap based buffer,
+    via a negative array index.
+
+ -- Matheus Polkorny <mpolkorny@gmail.com>  Thu, 27 Nov 2025 21:29:04 -0300
+
 rsync (3.4.1+ds1-5) unstable; urgency=medium
 
   * Team upload.
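Review bot: the `d/p/CVE-2025-10158.patch` bullet in the new changelog entry does not reference the Debian bug this request cites (#1121442), so the BTS report will not be closed by the upload; append it to the bullet, e.g. `  * d/p/CVE-2025-10158.patch: Import upstream patch to fix CVE-2025-10158 (Closes: #1121442)`.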
diff -Nru rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch
--- rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch	1969-12-31 21:00:00.000000000 -0300
+++ rsync-3.4.1+ds1/debian/patches/CVE-2025-10158.patch	2025-11-27 21:29:04.000000000 -0300
@@ -0,0 +1,26 @@
+From: Andrew Tridgell <andrew@tridgell.net>
+Date: Sat, 23 Aug 2025 17:26:53 +1000
+Subject: fixed an invalid access to files array
+
+this was found by Calum Hutton from Rapid7. It is a real bug, but
+analysis shows it can't be leverged into an exploit. Worth fixing
+though.
+
+Many thanks to Calum and Rapid7 for finding and reporting this
+---
+ sender.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sender.c b/sender.c
+index a4d46c3..b1588b7 100644
+--- a/sender.c
++++ b/sender.c
+@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)
+ 
+ 		if (ndx - cur_flist->ndx_start >= 0)
+ 			file = cur_flist->files[ndx - cur_flist->ndx_start];
++		else if (cur_flist->parent_ndx < 0)
++			exit_cleanup(RERR_PROTOCOL);
+ 		else
+ 			file = dir_flist->files[cur_flist->parent_ndx];
+ 		if (F_PATHNAME(file)) {
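Review bot: the patch header carries only the upstream From/Date/Subject lines and no DEP-3 fields, so neither the upstream commit it was imported from nor the CVE/bug it addresses is recorded in the patch itself; add `Origin: upstream, <upstream commit URL>`, `Bug-Debian: https://bugs.debian.org/1121442` and a `Bug:` line for https://security-tracker.debian.org/tracker/CVE-2025-10158 above the `---` separator. The code change itself reads correctly: the new `else if (cur_flist->parent_ndx < 0) exit_cleanup(RERR_PROTOCOL);` branch is evaluated before the `dir_flist->files[cur_flist->parent_ndx]` read, so a negative parent index now ends the session with a protocol error instead of reading before the start of the array, which matches the behaviour the [ Tests ] section asks to verify.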
diff -Nru rsync-3.4.1+ds1/debian/patches/series rsync-3.4.1+ds1/debian/patches/series
--- rsync-3.4.1+ds1/debian/patches/series	2025-07-26 06:26:07.000000000 -0300
+++ rsync-3.4.1+ds1/debian/patches/series	2025-11-27 21:29:04.000000000 -0300
@@ -3,3 +3,4 @@
 env_shebang.patch
 fix_rrsync_man_generation.patch
 fix-flaky-hardlinks-test.patch
+CVE-2025-10158.patch

--- End Message ---
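The check described under [ Changes ] above, as an added example that is not rsync's code or the maintainers' patch: a simplified model of the sender-side index lookup in `send_files()`. `struct file_list`, `resolve_file`, `RERR_PROTOCOL`'s value and the sample lists are constructed stand-ins for rsync's `cur_flist`/`dir_flist` structures. The lookup keeps the shape of the patched code (in-range index from the current list, otherwise fall back to the parent directory, rejecting a negative `parent_ndx` as a protocol error) and additionally bounds both lookups from above, which goes beyond the two-line upstream fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for rsync's protocol error exit code (constructed value). */
#define RERR_PROTOCOL 2

struct file_entry { const char *name; };

/* Simplified stand-in for rsync's file list: a slice of the global index
 * space starting at ndx_start, plus the index of its parent directory in
 * the separate directory list (-1 when there is none). */
struct file_list {
    int ndx_start;
    int used;                    /* entries actually present in files[] */
    int parent_ndx;
    struct file_entry **files;
};

/* Resolve a peer-supplied global index the way the patched send_files()
 * does: in-range indices come from cur, indices below ndx_start fall back
 * to cur's parent directory. Returns NULL and sets *err to RERR_PROTOCOL
 * instead of indexing with a negative parent_ndx (the CVE-2025-10158 fix);
 * the two upper-bound checks are extra defence added in this example. */
struct file_entry *resolve_file(const struct file_list *cur,
                                const struct file_list *dirs,
                                int ndx, int *err)
{
    int rel = ndx - cur->ndx_start;

    *err = 0;
    if (rel >= 0) {
        if (rel >= cur->used) {          /* extra: upper bound of cur */
            *err = RERR_PROTOCOL;
            return NULL;
        }
        return cur->files[rel];
    }
    if (cur->parent_ndx < 0) {           /* the upstream fix: no parent to fall back to */
        *err = RERR_PROTOCOL;
        return NULL;
    }
    if (cur->parent_ndx >= dirs->used) { /* extra: upper bound of dirs */
        *err = RERR_PROTOCOL;
        return NULL;
    }
    return dirs->files[cur->parent_ndx];
}

/* Convenience wrappers returning plain values. */
int resolve_status(const struct file_list *cur, const struct file_list *dirs, int ndx)
{
    int err;
    resolve_file(cur, dirs, ndx, &err);
    return err;
}

const char *resolve_name(const struct file_list *cur, const struct file_list *dirs, int ndx)
{
    int err;
    struct file_entry *e = resolve_file(cur, dirs, ndx, &err);
    return e ? e->name : NULL;
}

/* Constructed sample data: two directories, and a file list covering global
 * indices 10..11, once with a valid parent and once with none (the CVE case). */
static struct file_entry d0 = { "dir-a" }, d1 = { "dir-b" };
static struct file_entry f0 = { "file-0" }, f1 = { "file-1" };
static struct file_entry *dir_entries[]  = { &d0, &d1 };
static struct file_entry *file_entries[] = { &f0, &f1 };

const struct file_list sample_dirs   = { .ndx_start = 0,  .used = 2, .parent_ndx = -1, .files = dir_entries };
const struct file_list sample_child  = { .ndx_start = 10, .used = 2, .parent_ndx = 1,  .files = file_entries };
const struct file_list sample_orphan = { .ndx_start = 10, .used = 2, .parent_ndx = -1, .files = file_entries };

/* Count how many indices of a constructed peer sequence are rejected. */
int count_rejected(const struct file_list *cur, const struct file_list *dirs)
{
    static const int seq[] = { 10, 11, 12, 9, -1 };
    int rejected = 0;
    for (size_t i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (resolve_status(cur, dirs, seq[i]) != 0)
            rejected++;
    return rejected;
}

int main(void)
{
    printf("child list rejects %d of 5 indices\n", count_rejected(&sample_child, &sample_dirs));
    printf("orphan list rejects %d of 5 indices\n", count_rejected(&sample_orphan, &sample_dirs));
    return 0;
}
```

With the orphan list (no parent directory), every index below `ndx_start` is refused as a protocol error rather than being turned into a read at `files[-1]`; with a valid parent the same indices resolve to the parent directory entry, which is the behaviour the unpatched code assumed would always hold.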
--- Begin Message ---
Package: release.debian.org
Version: 13.3

This update has been released as part of Debian 13.3.

--- End Message ---
