The popt changes came from upstream popt. We have Solaris and FreeBSD CI
tests, along with linux, but don't have a method for testing other
platforms. If you submit a PR to fix this, please consider a way we can
test the fix in CI.
Cheers, Tridge
On Wed, 15 Jan 2025 at 14:35, <rsbec...@nexbridge.com> wrote:
> Another issue here in findme.c. strlcpy() is a BSD-only method and
> definitely not portable.
>
> Please consider other platforms when creating patches. I can provide a
> patch to this
>
> patch also.
>
>
>
> Thanks,
>
> Randall
>
>
>
> *From:* rsync <rsync-boun...@lists.samba.org> *On Behalf Of *Randall S.
> Becker via rsync
> *Sent:* January 14, 2025 6:46 PM
> *To:* 'rsync.project' <rsync.proj...@gmail.com>
> *Cc:* rsync@lists.samba.org
> *Subject:* RE: new release 3.4.0 - critical security release
>
>
>
> Here is my fix for the situation:
>
>
>
> *diff --git a/popt/findme.c b/popt/findme.c*
>
> *index ac4cbae..4fe8a18 100644*
>
> *--- a/popt/findme.c*
>
> *+++ b/popt/findme.c*
>
> @@ -25,12 +25,23 @@ const char * findProgramPath(const char * argv0)
>
> if (path == NULL) return NULL;
>
>
>
> bufsize = strlen(path) + 1;
>
> +#if defined __TANDEM
>
> + start = pathbuf = malloc(bufsize);
>
> +#else
>
> start = pathbuf = alloca(bufsize);
>
> +#endif
>
> if (pathbuf == NULL) return NULL; /* XXX can't happen */
>
> strlcpy(pathbuf, path, bufsize);
>
> bufsize += sizeof "/" - 1 + strlen(argv0);
>
> buf = malloc(bufsize);
>
> +#if defined __TANDEM
>
> + if (buf == NULL) {
>
> + free(start);
>
> + return NULL; /* XXX can't happen */
>
> + }
>
> +#else
>
> if (buf == NULL) return NULL; /* XXX can't happen */
>
> +#endif
>
>
>
> chptr = NULL;
>
> /*@-branchstate@*/
>
> @@ -39,8 +50,15 @@ const char * findProgramPath(const char * argv0)
>
> *chptr = '\0';
>
> snprintf(buf, bufsize, "%s/%s", start, argv0);
>
>
>
> +#if defined __TANDEM
>
> + if (!access(buf, X_OK)) {
>
> + free(start);
>
> + return buf;
>
> + }
>
> +#else
>
> if (!access(buf, X_OK))
>
> return buf;
>
> +#endif
>
>
>
> if (chptr)
>
> start = chptr + 1;
>
> @@ -51,5 +69,8 @@ const char * findProgramPath(const char * argv0)
>
>
>
> free(buf);
>
>
>
> +#if defined __TANDEM
>
> + free(start);
>
> +#endif
>
> return NULL;
>
> }
>
>
>
> I would respectfully ask that it be included ASAP.
>
>
>
> Thanks,
>
> Randall
>
>
>
> *From:* rsync <rsync-boun...@lists.samba.org> *On Behalf Of *Randall S.
> Becker via rsync
> *Sent:* January 14, 2025 6:09 PM
> *To:* 'rsync.project' <rsync.proj...@gmail.com>
> *Cc:* rsync@lists.samba.org
> *Subject:* RE: new release 3.4.0 - critical security release
>
>
>
> This happens on NonStop x86 and ia64. I have been building/packaging Rsync
> for years – almost a decade in fact. I think this happened once before this
> year, in fact.
>
>
>
> It is equivalent to the more portable malloc/free, which I would prefer to
> have in this series even if it has to be wrapped in a #if defined
> (__TANDEM) block.
>
>
>
> This call is considered not portable and allocates on the stack instead of
> the heap. This can cause performance issues as memory management on the
> heap is generally given more attention by runtimes. The reason it is not
> supported on NonStop is that the c99 compiler does not generate code for
> allocating on the stack on this machine.
>
>
>
> Please forgive me here, but adding a new dependency for a critical
> security fix is rather painful.
>
>
>
> --Randall
>
>
>
>
>
> *From:* rsync.project <rsync.proj...@gmail.com>
> *Sent:* January 14, 2025 4:31 PM
> *To:* rsbec...@nexbridge.com
> *Cc:* rsync@lists.samba.org
> *Subject:* Re: new release 3.4.0 - critical security release
>
>
>
> the alloca comes from the new popt release. What system are you having an
> issue with?
>
>
>
>
>
> On Wed, 15 Jan 2025 at 07:16, <rsbec...@nexbridge.com> wrote:
>
> A new dependency was added since 3.3, alloca(), which is not portable. Is
> there a way around this?
>
> Thanks,
>
> Randall
>
>
>
> *From:* rsync <rsync-boun...@lists.samba.org> *On Behalf Of *rsync.project
> via rsync
> *Sent:* January 14, 2025 2:49 PM
> *To:* rsync-annou...@lists.samba.org
> *Cc:* rsync@lists.samba.org
> *Subject:* new release 3.4.0 - critical security release
>
>
>
> We have just released version 3.4.0 of rsync. This release fixes 6
> security vulnerabilities found by two groups of security researchers.
>
>
>
> You can find the new release links here:
>
>
>
> - https://rsync.samba.org/
>
> - https://download.samba.org/pub/rsync/src/
>
>
>
> For details on the vulnerabilities please see this CERT advisory:
>
>
>
> https://kb.cert.org/vuls/id/952657
>
>
>
> The various distros should be doing security releases today
>
> Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at
> Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for
> discovering these vulnerabilities and working with the rsync project to
> develop and test fixes.
>
>
>
> Also many thanks to Wayne Davison for assisting with the release process
> as this is the first release I've done since 2002 when Wayne took over as
> the rsync maintainer.
>
>
>
> Andrew Tridgell
>
> rsync maintainer (again!)
>
>
>
>
>
>
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
