rsync has some really serious CVEs[1], but the 3.4.0 release with the fixes has regressions[2] that will break things for people. What to do?
[1]: https://www.openwall.com/lists/oss-security/2025/01/14/3
[2]: https://github.com/RsyncProject/rsync/issues/702
The obvious answer is:
- add the regression to the testsuite
- fix the regression
- submit a pull request
- move on
Too bad I have meetings...
Someone else added a test to the test suite, good enough to help me git bisect and fix the issue.
PR submitted: https://github.com/RsyncProject/rsync/pull/705
@ncopa "Mitigation: Disable SHA* support by compiling with
CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST."
@dalias what will break if I do that?
@ncopa Probably nothing but I'm not 100% sure how negotiation works.
@ncopa Thanks, really kind of you
@ncopa can you just patch the CVEs?
@fossdd 6 of them. sure. but it's gonna take time.
@ncopa ah damn. why didn't they just create more patch releases for older releases
@fossdd @ncopa Debian seems to have backported the fixes on bookworm for 3.2.7:
https://security-tracker.debian.org/tracker/DSA-5843-1
@craftyguy @fossdd Then they have backported the regression and have a broken `rsync -aH`.
Regression introduced with the fix for
https://security-tracker.debian.org/tracker/CVE-2024-12087
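A quick way to tell whether the rsync you actually have installed (a 3.4.0 build or a distro backport of the CVE fixes) still handles `-aH` correctly, written here as an added example rather than something any poster shared. It builds a constructed source tree with two hard-linked files, copies it with `rsync -aH`, and checks that the copy both succeeds and keeps the two names on one inode; the directory layout and file names are made up for the check.

```shell
#!/bin/sh
# Added example, not from the thread. Exercises `rsync -aH` on a tiny
# constructed tree and reports whether hard links survive the copy.
#   returns 0 : rsync succeeded and dst/a, dst/b share one inode
#   returns 1 : rsync failed or the hard link was split (broken -aH)
#   returns 2 : could not run the check (no rsync, no mktemp, no hard links)
check_rsync_hardlinks() {
    command -v rsync >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/src" || { rm -rf "$tmp"; return 2; }
    printf 'payload\n' > "$tmp/src/a"
    # a and b must be the same inode on the source side for -H to matter
    ln "$tmp/src/a" "$tmp/src/b" || { rm -rf "$tmp"; return 2; }

    if ! rsync -aH "$tmp/src/" "$tmp/dst/" >/dev/null 2>&1; then
        rm -rf "$tmp"
        return 1
    fi

    # compare inode numbers of the two copied names
    ia=$(ls -i "$tmp/dst/a" | awk '{print $1}')
    ib=$(ls -i "$tmp/dst/b" | awk '{print $1}')
    rm -rf "$tmp"
    [ -n "$ia" ] && [ "$ia" = "$ib" ]
}

# usage: print the rsync version and the verdict
rsync --version 2>/dev/null | head -n 1
if check_rsync_hardlinks; then
    echo "rsync -aH: hard links preserved"
else
    case $? in
        1) echo "rsync -aH: BROKEN (copy failed or hard link split)" ;;
        *) echo "rsync -aH: check could not run" ;;
    esac
fi
```

Run it against each candidate build (for example the distro package and a locally built 3.4.0 with the PR above applied) and compare the verdicts; a return code of 1 on a package that claims to carry the CVE-2024-12087 fix means the regression was backported along with it.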
@craftyguy @fossdd
What really annoys me is that I don't seem to be able to get this thing built due to changes in how man pages are generated/bundled.
@craftyguy @fossdd correct. agree