Hi Yoann, Thanks for the reminder.
Yes, I am already working on the required rsync fixes for wrynose first, as suggested, and plan to send the wrynose series in the next 2-3 days. Once that is posted, I will follow up on this series accordingly. Regards, Ashish ________________________________ From: Yoann Congal <[email protected]> Sent: 06 July 2026 22:49 To: Yoann Congal <[email protected]>; Ashishkumar Parmar -X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) <[email protected]>; [email protected] <[email protected]> Cc: xe-linux-external (Internal Group) <[email protected]> Subject: Re: [OE-core][scarthgap][PATCH 1/6] rsync: Fix CVE-2026-29518 On Mon Jun 22, 2026 at 1:31 PM CEST, Yoann Congal wrote: > On Fri Jun 12, 2026 at 2:13 PM CEST, Ashishkumar Parmar X (asparmar - E > INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: >> From: Ashishkumar Parmar <[email protected]> >> >> Pick the upstream backport [1] for CVE-2026-29518 as mentioned in [3], >> where a non-chrooted rsync daemon could be exposed to a parent path >> TOCTOU race that allowed file access outside the module. >> >> Also include the dependent upstream fix that followed the CVE fix: >> - CVE-2026-29518_p2.patch [2] secures sender read-path opens by >> opening files from the module root, closing the same race on the >> read side. >> >> [1] >> https://github.com/RsyncProject/rsync/commit/1a5ad81add1004354a3d8ba841b94ffe19cd2505 >> [2] >> https://github.com/RsyncProject/rsync/commit/99b36291d06ca66229942c7a525a1f5566f10c85 >> [3] https://www.cve.org/CVERecord?id=CVE-2026-29518 >> >> Signed-off-by: Ashishkumar Parmar <[email protected]> >> --- > > Hello, > > It looks like this whole series is needed for wrynose (rsync 3.4.1). > Can you send fixes there first, and, then, ping here? Hello Ashishkumar, Gentle ping for this patch series. Do you plan to send the needed wrynose series? Regards, > > Thanks! > >> .../rsync/files/CVE-2026-29518_p1.patch | 330 ++++++++++++++++++ >> .../rsync/files/CVE-2026-29518_p2.patch | 73 ++++ >> meta/recipes-devtools/rsync/rsync_3.2.7.bb | 2 + >> 3 files changed, 405 insertions(+) >> create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-29518_p1.patch >> create mode 100644 meta/recipes-devtools/rsync/files/CVE-2026-29518_p2.patch -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240375): https://lists.openembedded.org/g/openembedded-core/message/240375 Mute This Topic: https://lists.openembedded.org/mt/119772227/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
