33 changes: 33 additions & 0 deletions SPECS/rsync/CVE-2025-10158.patch
@@ -0,0 +1,33 @@
From d3b3aebf7c8bd982cf9419a3a2185875ca5716b8 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <[email protected]>
Date: Sat, 23 Aug 2025 17:26:53 +1000
Subject: [PATCH] fixed an invalid access to files array

this was found by Calum Hutton from Rapid7. It is a real bug, but
analysis shows it can't be leverged into an exploit. Worth fixing
though.

Many thanks to Calum and Rapid7 for finding and reporting this

Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
Upstream-reference: https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f.patch
---
sender.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/sender.c b/sender.c
index a4d46c3..b1588b7 100644
--- a/sender.c
+++ b/sender.c
@@ -262,6 +262,8 @@ void send_files(int f_in, int f_out)

if (ndx - cur_flist->ndx_start >= 0)
file = cur_flist->files[ndx - cur_flist->ndx_start];
+ else if (cur_flist->parent_ndx < 0)
+ exit_cleanup(RERR_PROTOCOL);
else
file = dir_flist->files[cur_flist->parent_ndx];
if (F_PATHNAME(file)) {
--
2.45.4
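Review bot: The added `else if (cur_flist->parent_ndx < 0)` branch in the sender.c hunk rejects only a negative index, and the fall-through `file = dir_flist->files[cur_flist->parent_ndx];` is still reached with no upper-bound check visible in this context. Please confirm that parent_ndx is validated against the size of dir_flist's files array elsewhere, or extend the condition to cover that case. The new branch also calls `exit_cleanup(RERR_PROTOCOL)` without logging anything, so an operator hitting it gets no hint which index was rejected; a one-line error message before the exit would help triage. Separately, the hash on the patch's From line (d3b3aebf...) differs from the commit named in Upstream-reference (797e17fc...), so it is worth stating in the PR description whether the hunk is an unmodified backport.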

6 changes: 5 additions & 1 deletion SPECS/rsync/rsync.spec
@@ -1,13 +1,14 @@
Summary: Fast incremental file transfer.
Name: rsync
Version: 3.4.1
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv3+
Vendor: Microsoft Corporation
Distribution: Azure Linux
Group: Appication/Internet
URL: https://rsync.samba.org/
Source0: https://download.samba.org/pub/rsync/src/%{name}-%{version}.tar.gz
Patch0: CVE-2025-10158.patch
BuildRequires: lz4-devel
BuildRequires: systemd-rpm-macros
BuildRequires: zlib-devel
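Review bot: `Patch0: CVE-2025-10158.patch` is declared here, but nothing in this hunk shows the patch being applied, since the `%prep` section is outside the visible lines. Please confirm that `%prep` uses `%autosetup -p1` or an explicit `%patch` for Patch0; otherwise the Release bump to 2 would ship a build without the fix. The context line `Group: Appication/Internet` also carries a typo that could be corrected while the header is being touched.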
@@ -60,6 +61,9 @@ EOF
%{_sysconfdir}/rsyncd.conf

%changelog
* Wed Nov 19 2025 Azure Linux Security Servicing Account <[email protected]> - 3.4.1-2
- Patch for CVE-2025-10158

* Wed Jan 15 2025 Henry Beberman <[email protected]> - 3.4.1-1
- Upgrade to version 3.4.1 to fix CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747
