On 6/1/26 1:12 PM, Salvatore Bonaccorso wrote:
Control: tags -1 + moreinfo

Hi

On Sun, May 31, 2026 at 06:15:57PM -0300, Aquila Macedo wrote:
Package: release.debian.org
Control: affects -1 + src:rsync
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: [email protected]
Severity: normal

[ Reason ]
This update fixes CVE-2026-45232, a minor/no-dsa client-side issue in
RSYNC_PROXY handling.

When rsync connects through an HTTP proxy using RSYNC_PROXY, an overlong
proxy response line could trigger a one-byte out-of-bounds stack write. The
write is a fixed NUL byte, so the practical impact is limited, but the
vulnerable code is present in bookworm.

[ Impact ]
Clients using RSYNC_PROXY could crash or misbehave when receiving an
overlong HTTP proxy response line from a malicious proxy or MITM.

[ Tests ]
The package built successfully in Salsa CI:

https://salsa.debian.org/aquila/rsync/-/pipelines/1098495

The targeted upstream regression test added by this patch also passed:

   PASS    proxy-response-line-too-long

See: https://salsa.debian.org/aquila/rsync/-/jobs/9693182#L3264

The change was also reviewed and approved on Salsa by Samuel Henrique, one
of the rsync maintainers.

[ Risks ]
Low. The patch is small, comes from upstream's v3.2.7 security patch branch,
and only rejects an invalid overlong HTTP proxy response line.

[ Checklist ]
   [x] *all* changes are documented in the d/changelog
   [x] I reviewed all changes and I approve them
   [x] attach debdiff against the package in (old)stable
   [x] the issue is verified as fixed in unstable

[ Changes ]
Import the upstream v3.2.7-sec-patches fix to reject overlong HTTP proxy
response lines.

No upstream version bump and no unrelated fixes are included.
diff -Nru rsync-3.2.7-1+deb12u5/debian/changelog 
rsync-3.2.7-1+deb12u6/debian/changelog
--- rsync-3.2.7-1+deb12u5/debian/changelog      2026-05-20 02:10:17.000000000 
-0400
+++ rsync-3.2.7-1+deb12u6/debian/changelog      2026-05-24 17:23:41.000000000 
-0400
@@ -1,3 +1,12 @@
+rsync (3.2.7-1+deb12u6) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Import upstream patch to reject overlong HTTP proxy response lines,
+    avoiding a one byte out of bounds stack write when using RSYNC_PROXY.
+    (CVE-2026-45232).
+
+ -- Aquila Macedo Costa <[email protected]>  Sun, 24 May 2026 18:23:41 -0300
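Review bot: the quoted debdiff ends with this debian/changelog hunk, so the imported upstream patch the entry describes ("reject overlong HTTP proxy response lines") and the proxy-response-line-too-long regression test cited under [ Tests ] are not visible here and cannot be reviewed from this message alone; the entry also names neither the patch file nor the upstream commit it was taken from, which would make the CVE-2026-45232 fix traceable. Minor style point: "one byte out of bounds stack write" reads better hyphenated ("one-byte out-of-bounds").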

Why are you fixing this for bookworm while there is no update for
trixie-pu, and have you coordinated this with the maintainer? I'm
asking this because of a similar approach done for libsdl2-image, cf.
#1134510.

So at the very minimum before having a bookworm update there should be
a similar update as well for trixie.

Regards,
Salvatore
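The one-byte NUL write described in the [ Reason ] section, shown on a constructed line reader as an added illustration (not rsync's code and not part of this bug thread): a reader that stores its terminator after filling the buffer, beside the rejecting form that the upstream fix is described as taking. Buffer size, function names and the sentinel byte are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative reconstruction of the bug class in the report, NOT rsync's
 * code: copy one HTTP proxy response line from stream `src` into `buf`. */

/* Vulnerable pattern: the loop stops once the buffer is full, but the NUL
 * terminator is still stored at buf[i], i.e. buf[bufsize] on an overlong line. */
size_t read_line_vuln(const char *src, size_t srclen, char *buf, size_t bufsize)
{
    size_t i = 0;
    while (i < srclen && i < bufsize && src[i] != '\n' && src[i] != '\r') {
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';  /* one fixed 0x00 byte past the buffer when i == bufsize */
    return i;
}

/* Fixed pattern, mirroring the upstream change that rejects overlong lines:
 * refuse as soon as a byte plus its terminator would not fit. -1 = rejected. */
int read_line_fixed(const char *src, size_t srclen, char *buf, size_t bufsize)
{
    size_t i = 0;
    if (bufsize == 0) return -1;
    while (i < srclen && src[i] != '\n' && src[i] != '\r') {
        if (i + 1 >= bufsize)   /* no room for src[i] and the NUL */
            return -1;
        buf[i] = src[i];
        i++;
    }
    buf[i] = '\0';
    return (int)i;
}

#define LINE_MAX 16   /* deliberately small so a real status line overflows */
char g_buf[64];       /* scratch buffer for callers that only want the result */
/* Runs either reader over a constructed "stack frame": LINE_MAX bytes of line
 * buffer followed by one sentinel byte standing in for the adjacent stack slot.
 * Returns the sentinel afterwards: 0xAA untouched, 0x00 clobbered by the NUL. */
unsigned char sentinel_after(int use_fixed, const char *resp)
{
    unsigned char frame[LINE_MAX + 1];
    memset(frame, 0xAA, sizeof frame);
    if (use_fixed)
        read_line_fixed(resp, strlen(resp), (char *)frame, LINE_MAX);
    else
        read_line_vuln(resp, strlen(resp), (char *)frame, LINE_MAX);
    return frame[LINE_MAX];
}
```

With a 16-byte buffer the 35-character "Connection established" status line clobbers the sentinel under the vulnerable reader and is simply rejected by the fixed one.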


Hi Salvatore,

Thanks for taking a look.

The motivation here was to help with bookworm cleanup ahead of the transition from normal Debian support to LTS, as part of the ongoing BSP: https://wiki.debian.org/BSP/2026/05-07/Brazil

I was looking at small no-dsa CVEs still open in bookworm, and this one looked like a targeted low-risk fix with an upstream regression test.

That said, you're right that trixie should not be skipped. I'll prepare the matching trixie-pu for CVE-2026-45232 first/in parallel, and I'll not upload the bookworm update before the trixie side is handled.

Regarding maintainer coordination, this was coordinated on Salsa. Samuel Henrique reviewed and approved the rsync MR.

https://salsa.debian.org/debian/rsync/-/merge_requests/37

I mentioned the approval in the request, but I should have made that more visible.

Thanks,

Aquila Macedo
