Hello community,

here is the log from the commit of package rsync for openSUSE:Factory checked in at 2026-05-24 19:34:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/rsync (Old)
 and      /work/SRC/openSUSE:Factory/.rsync.new.2084 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rsync" Sun May 24 19:34:27 2026 rev:97 rq:1354430 version:3.4.3 Changes: -------- --- /work/SRC/openSUSE:Factory/rsync/rsync.changes 2026-05-13 17:20:50.395033475 +0200 +++ /work/SRC/openSUSE:Factory/.rsync.new.2084/rsync.changes 2026-05-24 19:34:41.656921848 +0200 
@@ -1,0 +2,107 @@ +Thu May 21 06:37:59 UTC 2026 - David Anes <[email protected]> + +- Fixed some warnings while building the rpm. + +- Added patches: + - rsync-python-3.6-tests.patch: + Small patch to support running tests on python 3.6+: + - rsync-openat2-glibc-missing.patch: + Small patch to build on kernels >= 5.6+ where openat2 + is not defined in glibc. + +- Removed patches already upstream: + - rsync-no-libattr.patch + - rsync-CVE-2025-10158.patch + - rsync-CVE-2026-41035.patch + - rsync341-gcc15-bool.patch + +- Removed support for the unmaintained rsync-patches archive, + which in turn removes support for SLP. These patches are not + being shipped anymore. + +- Update to 3.4.3: + + - SECURITY FIXES: + + Six CVEs are fixed in this release. Three of the six + (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619) require + non-default daemon configuration to reach: the first and + third need use chroot = no for a module, the second needs + daemon chroot = ... set in rsyncd.conf. + + Two (CVE-2026-43618, CVE-2026-43620) are reachable from a + normal pull or a normal authenticated daemon connection. + The sixth (CVE-2026-45232) is reachable only when RSYNC_PROXY + is set and the proxy (or a MITM) returns a pathological + response. + + Complete list of changes: https://download.samba.org/pub/rsync/NEWS#3.4.3 + + - CVE-2026-29518, bsc#1264511: Symlink-Race TOCTOU in Daemon (use chroot = no) + + TOCTOU symlink race condition allowing local privilege + escalation in daemon mode without chroot. An rsync daemon + configured with "use chroot = no" was exposed to a + time-of-check / time-of-use race on parent path components. + + - CVE-2026-43617, bsc#1264515: Authorization Bypass via Hostname Resolution + + Hostname/ACL bypass on an rsync daemon configured with + daemon chroot = /X in rsyncd.conf when the chroot tree + lacks DNS resolution support. 
The reverse-DNS lookup of + the connecting client was performed after the daemon chroot + had been entered; if /X did not contain the libc resolver + fixtures (/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, + NSS service modules) the lookup failed and the connecting + hostname was set to "UNKNOWN", causing hostname-based deny + rules to silently fail open. IP-based ACLs are unaffected. + The per-module use chroot setting is unrelated to this + issue. The fix performs the lookup before entering the + daemon chroot. + + - CVE-2026-43618, bsc#1264512: Integer Overflow Information Disclosure + + Integer overflow in the compressed-token decoder enabling + remote memory disclosure to an authenticated daemon peer. + + Workaround for older releases: refuse options = compress in rsyncd.conf. + + - CVE-2026-43619, bsc#1264514: Symlink Race Condition via Path-Based Syscalls + + Symlink races on path-based system calls in "use chroot=no" + daemon mode (generalisation of CVE-2026-29518). Earlier + fixes for symlink races on the receiver's open() call + missed the same race class on every other path-based system + call: chmod, lchown, utimes, rename, unlink, mkdir, symlink, + mknod, link, rmdir and lstat. + + Default "use chroot = yes" is not exposed. + + - CVE-2026-43620, bsc#1264513: Out-of-Bounds Array Read via recv_files() + + Out-of-bounds read in the receiver's recv_files() enabling + remote denial-of-service of any client pulling from a + malicious server (incomplete fix of commit 797e17f). + + Workaround for older releases: --no-inc-recursive on the client. + + - CVE-2026-45232, bsc#1265296: Off-by-one stack OOB write in HTTP CONNECT proxy + response parsing + + Off-by-one out-of-bounds stack write in the rsync client's + HTTP CONNECT proxy handler (establish_proxy_connection() in + socket.c). The fix detects the "buffer filled without finding + \n" case explicitly by position and refuses the response with + "proxy response line too long". 
+ + - In addition to the six CVE fixes, this release adds defence-in-depth + hardening on several adjacent paths. + + - BUG FIXES: + + - Fixed a regression introduced by the 3.4.0 secure_relative_open(). + +- Complete list of fixes in version 3.4.2: + - https://download.samba.org/pub/rsync/NEWS#3.4.2 + +------------------------------------------------------------------- Old: ---- rsync-3.4.1.tar.gz rsync-3.4.1.tar.gz.asc rsync-CVE-2025-10158.patch rsync-CVE-2026-41035.patch rsync-no-libattr.patch rsync-patches-3.4.1.tar.gz rsync-patches-3.4.1.tar.gz.asc rsync341-gcc15-bool.patch New: ---- rsync-3.4.3.tar.gz rsync-3.4.3.tar.gz.asc rsync-openat2-glibc-missing.patch rsync-python-3.6-tests.patch ----------(Old B)---------- Old: - rsync-no-libattr.patch - rsync-CVE-2025-10158.patch - rsync-CVE-2026-41035.patch Old: - rsync-CVE-2025-10158.patch - rsync-CVE-2026-41035.patch - rsync341-gcc15-bool.patch Old:- Removed patches already upstream: - rsync-no-libattr.patch - rsync-CVE-2025-10158.patch Old: - rsync-CVE-2026-41035.patch - rsync341-gcc15-bool.patch ----------(Old E)---------- ----------(New B)---------- New: Small patch to support running tests on python 3.6+: - rsync-openat2-glibc-missing.patch: Small patch to build on kernels >= 5.6+ where openat2 New:- Added patches: - rsync-python-3.6-tests.patch: Small patch to support running tests on python 3.6+: ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rsync.spec ++++++ --- /var/tmp/diff_new_pack.OeLxp7/_old 2026-05-24 19:34:42.752966693 +0200 +++ /var/tmp/diff_new_pack.OeLxp7/_new 2026-05-24 19:34:42.752966693 +0200 
@@ -28,21 +28,15 @@ %bcond_with gcc11 %endif -%if 0%{?suse_version} < 1600 -%bcond_without slp -%else -%bcond_with slp -%endif - Name: rsync -Version: 3.4.1 +Version: 3.4.3 Release: 0 Summary: Versatile tool for fast incremental file transfer License: GPL-3.0-or-later Group: Productivity/Networking/Other URL: https://rsync.samba.org/ Source: https://rsync.samba.org/ftp/rsync/src/rsync-%{version}.tar.gz -Source1: https://rsync.samba.org/ftp/rsync/src/rsync-patches-%{version}.tar.gz +Source1: rsyncd Source2: logrotate.rsync Source3: rsyncd.socket Source4: rsyncd.rc @@ -51,22 +45,16 @@ Source8: rsyncd.service Source9: [email protected] Source10: https://rsync.samba.org/ftp/rsync/src/rsync-%{version}.tar.gz.asc -Source11: https://rsync.samba.org/ftp/rsync/src/rsync-patches-%{version}.tar.gz.asc Source12: %{name}.keyring -Source13: rsyncd -Patch0: rsync-no-libattr.patch -Patch2: rsync-usr-etc.patch -Patch3: rsync-run-dir.patch + +Patch1: rsync-usr-etc.patch +Patch2: rsync-run-dir.patch # https://github.com/RsyncProject/rsync/pull/639 -Patch5: rsyncd-return-from-list-command-with-0.patch -# https://github.com/RsyncProject/rsync/pull/716 -Patch6: rsync341-gcc15-bool.patch -# bsc#1254441, CVE-2025-10158: rsync: Out of bounds array access via negative index -# https://github.com/RsyncProject/rsync/commit/797e17fc4a6f15e3b1756538a9f812b63942686f -Patch7: rsync-CVE-2025-10158.patch -# bsc#1262223, CVE-2026-41035: rsync: count of entries mismatch can lead to a use-after-free -# https://github.com/RsyncProject/rsync/pull/875 -Patch8: rsync-CVE-2026-41035.patch +Patch3: rsyncd-return-from-list-command-with-0.patch +Patch4: rsync-python-3.6-tests.patch +Patch5: rsync-openat2-glibc-missing.patch + +BuildRequires: %{pythons} BuildRequires: autoconf BuildRequires: automake BuildRequires: c++_compiler 
@@ -83,9 +71,6 @@ %if %{with gcc11} BuildRequires: gcc11-c++ %endif -%if %{with slp} -BuildRequires: openslp-devel -%endif BuildRequires: pkgconfig(openssl) Requires(post): grep Requires(post): sed @@ -102,14 +87,10 @@ for backups and mirroring and as an improved copy command for everyday use. %prep -%setup -q -b 1 -rm -f zlib/*.h zlib/*.c - -%if %{with slp} -patch -p1 < patches/slp.diff -%endif +%autosetup -p1 -%autopatch -p1 +# we don't bundle vendored zlib +rm -f zlib/*.h zlib/*.c %build autoreconf -fiv @@ -120,6 +101,7 @@ export CFLAGS="%{optflags} -fPIC -DPIC -fPIE" export CXXFLAGS="$CFLAGS" export LDFLAGS="-Wl,-z,relro,-z,now -fPIE -pie" + %configure \ --with-included-popt=no \ --with-included-zlib=no \ @@ -133,9 +115,6 @@ %ifarch x86_64 --enable-roll-simd \ %endif -%if %{with slp} - --enable-slp \ -%endif --enable-acl-support \ --enable-xattr-support %make_build reconfigure @@ -152,7 +131,7 @@ install -d %{buildroot}%{_sysconfdir}/init.d install -d %{buildroot}%{_sysconfdir}/xinetd.d install -d %{buildroot}%{_sbindir} -install -m 755 %{SOURCE13} %{buildroot}%{_sbindir}/rsyncd +install -m 755 %{SOURCE1} %{buildroot}%{_sbindir}/rsyncd install -m 755 support/rsyncstats %{buildroot}%{_bindir} %if 0%{?suse_version} > 1500 install -d %{buildroot}%{_distconfdir}/logrotate.d @@ -176,7 +155,7 @@ chmod -x support/* %pre -%service_add_pre rsyncd.service +%service_add_pre rsyncd.service rsyncd.socket %if 0%{?suse_version} > 1500 # Prepare for migration to /usr/etc; save any old .rpmsave for i in logrotate.d/rsync rsyncd.conf rsyncd.secrets; do 
@@ -193,13 +172,13 @@ %endif %preun -%service_del_preun rsyncd.service +%service_del_preun rsyncd.service rsyncd.socket %post -%service_add_post rsyncd.service +%service_add_post rsyncd.service rsyncd.socket %postun -%service_del_postun rsyncd.service +%service_del_postun rsyncd.service rsyncd.socket %files %license COPYING ++++++ rsync-3.4.1.tar.gz -> rsync-3.4.3.tar.gz ++++++ ++++ 19808 lines of diff (skipped) ++++++ rsync-openat2-glibc-missing.patch ++++++ Index: rsync-3.4.3/syscall.c =================================================================== --- rsync-3.4.3.orig/syscall.c +++ rsync-3.4.3/syscall.c @@ -36,6 +36,10 @@ #ifdef __linux__ #include <sys/syscall.h> #include <linux/openat2.h> +#ifndef SYS_openat2 +/* Note: Most 64-bit and 32-bit architectures (x86, ARM, RISC-V, PowerPC, s390x, LoongArch) use 437. Alpha uses 547, MIPS uses 443/543. */ +#define SYS_openat2 437 +#endif #endif #include "ifuncs.h" ++++++ rsync-python-3.6-tests.patch ++++++ Index: rsync-3.4.3/runtests.py =================================================================== --- rsync-3.4.3.orig/runtests.py +++ rsync-3.4.3/runtests.py @@ -72,12 +72,12 @@ def find_setfacl_nodef(scratchbase): ['setfacl', '-s', 'u::7,g::5,o:5', scratchbase], ]: try: - subprocess.run(cmd, capture_output=True, timeout=5) + subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=5) return cmd[:2] if cmd[0] == 'setacl' else cmd[:2] except (FileNotFoundError, subprocess.TimeoutExpired): continue try: - r = subprocess.run(['setfacl', '--help'], capture_output=True, text=True, timeout=5) + r = subprocess.run(['setfacl', '--help'], stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True, timeout=5) if '-k,' in r.stdout or '-k,' in r.stderr: return ['setfacl', '-k'] except (FileNotFoundError, subprocess.TimeoutExpired): 
@@ -122,11 +122,11 @@ def get_testuser(): for cmd in ['/usr/bin/whoami', '/usr/ucb/whoami', '/bin/whoami']: if os.path.isfile(cmd): try: - return subprocess.check_output([cmd], text=True).strip() + return subprocess.check_output([cmd], universal_newlines=True).strip() except subprocess.CalledProcessError: pass try: - return subprocess.check_output(['id', '-un'], text=True).strip() + return subprocess.check_output(['id', '-un'], universal_newlines=True).strip() except (FileNotFoundError, subprocess.CalledProcessError): return os.environ.get('LOGNAME', os.environ.get('USER', 'UNKNOWN')) @@ -134,11 +134,11 @@ def get_testuser(): def prep_scratch(scratchdir, srcdir, tooldir, setfacl_nodef): """Prepare a scratch directory for a test.""" if os.path.isdir(scratchdir): - subprocess.run(['chmod', '-R', 'u+rwX', scratchdir], capture_output=True) - subprocess.run(['rm', '-rf', scratchdir], capture_output=True) + subprocess.run(['chmod', '-R', 'u+rwX', scratchdir], stdout=subprocess.PIPE, stderr=subprocess.PIPE) + subprocess.run(['rm', '-rf', scratchdir], stdout=subprocess.PIPE, stderr=subprocess.PIPE) os.makedirs(scratchdir, exist_ok=True) if setfacl_nodef: - subprocess.run(setfacl_nodef + [scratchdir], capture_output=True) + subprocess.run(setfacl_nodef + [scratchdir], stdout=subprocess.PIPE, stderr=subprocess.PIPE) try: os.chmod(scratchdir, os.stat(scratchdir).st_mode & ~0o2000) # clear setgid except OSError: @@ -323,7 +323,7 @@ def main(): print(f' srcdir={srcdir}') print(f' TLS_ARGS={tls_args}') print(f' testuser={testuser}') - print(f' os={subprocess.check_output(["uname", "-a"], text=True).strip()}') + print(f' os={subprocess.check_output(["uname", "-a"], universal_newlines=True).strip()}') print(f' preserve_scratch={"yes" if args.preserve_scratch else "no"}') if args.valgrind: print(f' valgrind=enabled (logs in valgrind.*.log)') 
@@ -382,13 +382,13 @@ def main(): if tr.result == 0: passed += 1 if not args.preserve_scratch and os.path.isdir(scratchdir): - subprocess.run(['rm', '-rf', scratchdir], capture_output=True) + subprocess.run(['rm', '-rf', scratchdir], stdout=subprocess.PIPE, stderr=subprocess.PIPE) return False elif tr.result == 77: skipped_list.append(tr.testbase) skipped += 1 if not args.preserve_scratch and os.path.isdir(scratchdir): - subprocess.run(['rm', '-rf', scratchdir], capture_output=True) + subprocess.run(['rm', '-rf', scratchdir], stdout=subprocess.PIPE, stderr=subprocess.PIPE) return False elif tr.result == 78: failed += 1
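Review bot: In the rsync.changes entry, the "Removed patches already upstream" list names rsync-CVE-2025-10158.patch and rsync-CVE-2026-41035.patch by filename only, while the bug references that accompanied them (bsc#1254441 and bsc#1262223, in the rsync.spec comments deleted by this same change) appear nowhere in the new entry. Put the bsc#/CVE pair next to each removed patch so the fixes stay traceable from the changelog. Two wording points in the same entry: "kernels >= 5.6+" states the bound twice (use either ">= 5.6" or "5.6+"), and the description of rsync-python-3.6-tests.patch ends in a colon with nothing after it.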
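Review bot: In the rsync.spec patch list, Patch4 (rsync-python-3.6-tests.patch) and Patch5 (rsync-openat2-glibc-missing.patch) are added with no comment, whereas Patch3 keeps its upstream pull-request URL. Add a line above each saying whether it has been submitted upstream or is distribution-specific, so the next version bump knows when it can be dropped. The new "BuildRequires: %{pythons}" in the same hunk is also unexplained; a one-line comment stating what needs it would help.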
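Review bot: The changelog does not mention that rsyncd.socket is now passed to %service_add_pre, %service_del_preun, %service_add_post and %service_del_postun in the rsync.spec scriptlets; the only candidate line is "Fixed some warnings while building the rpm". This changes how the socket unit is handled on install, update and removal, so it deserves its own changelog bullet rather than being folded into a build-warning fix.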
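Review bot: In rsync-openat2-glibc-missing.patch, the fallback "#define SYS_openat2 437" in syscall.c applies to every Linux architecture, although the comment directly above it says Alpha and MIPS use different numbers; on those targets the build would succeed and the call would then go out with the wrong system call number. Derive the value from the kernel headers first ("#ifdef __NR_openat2" followed by "#define SYS_openat2 __NR_openat2"), keep the literal 437 only behind an explicit architecture check, and use "#error" for anything not covered, so a mismatch fails at build time instead of at run time.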
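Review bot: In rsync-python-3.6-tests.patch, the calls in runtests.py whose output is discarded (the chmod -R, rm -rf and setfacl_nodef calls in prep_scratch() and the two rm -rf calls in main()) now pass "stdout=subprocess.PIPE, stderr=subprocess.PIPE"; subprocess.DEVNULL expresses the intent better and avoids collecting output that nobody reads. Keep PIPE only where the result is inspected, as in the "setfacl --help" probe. Separately, the unchanged context line "return cmd[:2] if cmd[0] == 'setacl' else cmd[:2]" in find_setfacl_nodef() returns the same value on both branches, which is worth raising upstream while this function is being touched.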
