> Sent: Friday, January 17, 2025 at 2:11 PM
> From: "Andy Smith" <a...@strugglers.net>
> To: debian-user@lists.debian.org
> Subject: Re: A warning about rsync in stable: it became broken 3 days ago, is
> now fixed
>
> Hi,
>
> On Fri, Jan 17, 2025 at 03:42:48AM +0100, poc...@homemail.com wrote:
> > > From: "Andy Smith" <a...@strugglers.net>
> > > You can verify this at:
> > >
> > > https://security-tracker.debian.org/tracker/source-package/rsync
> >
> > https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-rsync-could-allow-for-remote-code-execution_2025-007
>
> Okay, I'll try one more time.
>
> The link you gave above talks about the following security issues:
>
> CVE-2024-12085
> CVE-2024-12086
> CVE-2024-12087
> CVE-2024-12088
> CVE-2024-12747
>
> The link that I gave you shows that all of the above already have fixes
> backported to Debian stable-security.
>
> Since there is no new information here and I am just re-stating what has
> already been shown to you, I wonder if the problem here is that you
> don't understand what backporting is?
>
> The version of rsync that was first released in Debian 12 is what will
> be in Debian 12 forever. Barring some exceptional circumstances there
> will never be a newer release of rsync in Debian 12. There will never be
> version 3.4.1 of rsync in Debian 12. Any security issues found in the
> version of rsync that is in Debian 12 will have fixes backported to it.
>
> So it follows that just because the program's --version says 3.2.7, it
> does not mean that it is still vulnerable to all issues found between
> 3.2.7 and 3.4.1 inclusive. You would have to look at the Debian package
> version and check which fixes have been backported.
>
> Thanks,
Has the following been fixed or backported to 3.2.7?
fixed handling of -H flag with conflict in internal flag values
fixed a use-after-free in logging of failed rename
fixed build on systems without openat()
removed dependency on alloca() in bundled popt
Fixed the included popt to avoid a memory error on modern gcc versions.
Fixed an incorrect extern variable's type that caused an ACL issue on macOS.
Fixed IPv6 configure check
Updated included popt to version 1.19.
Fixed a bug with --sparse --inplace where a trailing gap in the source file
would not clear out the trailing data in the destination file.
Fixed a buffer overflow in the checksum2 code if SHA1 is being used for the
checksum2 algorithm.
Fixed an issue when rsync is compiled using _FORTIFY_SOURCE so that the extra
tests don't complain about a strlcpy() limit value (which was too large, even
though it wasn't possible for the larger value to cause an overflow).
Add a backtick to the list of characters that the filename quoting needs to
escape using backslashes.
Fixed a string-comparison issue in the internal handling of --progress (a
locale such as tr_TR.utf-8 needed the internal triggering of --info options to
use upper-case flag names to ensure that they match).
Make sure that a local transfer marks the sender side as trusted.
Change the argv handling to work with a newer popt library -- one that likes
to free more data than it used to.
Rsync now calls OpenSSL_add_all_algorithms() when compiled against an older
openssl library.
Fixed a problem in the daemon auth for older protocols (29 and before) if the
openssl library is being used to compute MD4 checksums.
Fixed an old stats bug that counted devices as symlinks
Enhanced rrsync with the -no-overwrite option that allows you to ensure that
existing files on your restricted but writable directory can't be modified.
Changed the mapfrom & mapto perl scripts (in the support dir) into a single
python script named idmap. Converted a couple more perl scripts into python.
Changed the mnt-excl perl script (in the support dir) into a python script.
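Andy's point, that `rsync --version` printing 3.2.7 says nothing about which fixes the Debian package carries, can be checked mechanically against the package's own changelog, which is where backported security fixes are recorded. The script below is an added example, not part of this thread and not Debian tooling; it embeds a constructed changelog excerpt (the `+deb12uN` revision, maintainer and dates are placeholders, not the real rsync packaging history) and, on a Debian host, reads the installed package's `changelog.Debian.gz` the same way.

```shell
#!/bin/sh
# Added example: check which CVE ids a Debian package's changelog records as
# fixed. Backported fixes appear here even though the upstream version (what
# `rsync --version` prints) stays at 3.2.7.

# Constructed changelog excerpt in Debian's changelog format. The revision
# "+deb12uN", the maintainer and the dates are placeholders, not real history.
SAMPLE_CHANGELOG='rsync (3.2.7-1+deb12uN) bookworm-security; urgency=high

  * Backport upstream fixes for CVE-2024-12085, CVE-2024-12086,
    CVE-2024-12087, CVE-2024-12088 and CVE-2024-12747.

 -- Placeholder Maintainer <maintainer@example.invalid>  Tue, 14 Jan 2025 00:00:00 +0000

rsync (3.2.7-1) bookworm; urgency=medium

  * New upstream release.

 -- Placeholder Maintainer <maintainer@example.invalid>  Thu, 20 Oct 2022 00:00:00 +0000
'

# Strip the Debian revision: "3.2.7-1+deb12uN" -> "3.2.7". This is all that
# --version reveals, so it cannot tell a patched package from the original one.
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# Exit 0 if the CVE id given as $1 appears in the changelog text read on stdin.
# The pattern is bounded by non-digits so CVE-2024-1208 cannot match CVE-2024-12085.
cve_in_changelog() {
    grep -qE "(^|[^0-9])$1([^0-9]|$)"
}

# Report each CVE id given as an argument against the changelog text on stdin.
report_cves() {
    changelog=$(cat)
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | cve_in_changelog "$cve"; then
            echo "$cve: fix recorded in changelog"
        else
            echo "$cve: NOT mentioned, check the security tracker"
        fi
    done
}

# On a Debian host: print the installed package version, then run the changelog
# check on /usr/share/doc/<pkg>/changelog.Debian.gz. Returns 1 if not installed.
check_installed_package() {
    pkg=$1
    shift
    ver=$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null) || {
        echo "$pkg is not installed"
        return 1
    }
    echo "$pkg package version: $ver (upstream $(upstream_version "$ver"))"
    zcat "/usr/share/doc/$pkg/changelog.Debian.gz" | report_cves "$@"
}

# Stand-alone demo: the constructed excerpt first, then the real system if present.
CVES='CVE-2024-12085 CVE-2024-12086 CVE-2024-12087 CVE-2024-12088 CVE-2024-12747'
printf '%s\n' "$SAMPLE_CHANGELOG" | report_cves $CVES
if command -v dpkg-query >/dev/null 2>&1; then
    check_installed_package rsync $CVES || true
fi
```

A CVE that is absent from the changelog is not proof the package is vulnerable (maintainers sometimes record fixes differently), which is why the "NOT mentioned" branch points back to the security tracker Andy linked rather than declaring a verdict.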