Hi Aquila,

On Mon, Jun 01, 2026 at 02:47:47PM -0300, Aquila Macedo wrote:
> 
> On 6/1/26 1:12 PM, Salvatore Bonaccorso wrote:
> > Control: tags -1 + moreinfo
> > 
> > Hi
> > 
> > On Sun, May 31, 2026 at 06:15:57PM -0300, Aquila Macedo wrote:
> > > Package: release.debian.org
> > > Control: affects -1 + src:rsync
> > > X-Debbugs-Cc: [email protected]
> > > User: [email protected]
> > > Usertags: pu
> > > Tags: bookworm
> > > X-Debbugs-Cc: [email protected]
> > > Severity: normal
> > > 
> > > [ Reason ]
> > > This update fixes CVE-2026-45232, a minor/no-dsa client-side issue in
> > > RSYNC_PROXY handling.
> > > 
> > > When rsync connects through an HTTP proxy using RSYNC_PROXY, an overlong
> > > proxy response line could trigger a one-byte out-of-bounds stack write. The
> > > write is a fixed NUL byte, so the practical impact is limited, but the
> > > vulnerable code is present in bookworm.
> > > 
> > > [ Impact ]
> > > Clients using RSYNC_PROXY could crash or misbehave when receiving an
> > > overlong HTTP proxy response line from a malicious proxy or MITM.
> > > 
> > > [ Tests ]
> > > The package built successfully in Salsa CI:
> > > 
> > > https://salsa.debian.org/aquila/rsync/-/pipelines/1098495
> > > 
> > > The targeted upstream regression test added by this patch also passed:
> > > 
> > >    PASS    proxy-response-line-too-long
> > > 
> > > See: https://salsa.debian.org/aquila/rsync/-/jobs/9693182#L3264
> > > 
> > > The change was also reviewed and approved on Salsa by Samuel Henrique, one
> > > of the rsync maintainers.
> > > 
> > > [ Risks ]
> > > Low. The patch is small, comes from upstream's v3.2.7 security patch branch,
> > > and only rejects an invalid overlong HTTP proxy response line.
> > > 
> > > [ Checklist ]
> > >    [x] *all* changes are documented in the d/changelog
> > >    [x] I reviewed all changes and I approve them
> > >    [x] attach debdiff against the package in (old)stable
> > >    [x] the issue is verified as fixed in unstable
> > > 
> > > [ Changes ]
> > > Import the upstream v3.2.7-sec-patches fix to reject overlong HTTP proxy
> > > response lines.
> > > 
> > > No upstream version bump and no unrelated fixes are included.
> > > diff -Nru rsync-3.2.7-1+deb12u5/debian/changelog 
> > > rsync-3.2.7-1+deb12u6/debian/changelog
> > > --- rsync-3.2.7-1+deb12u5/debian/changelog        2026-05-20 
> > > 02:10:17.000000000 -0400
> > > +++ rsync-3.2.7-1+deb12u6/debian/changelog        2026-05-24 
> > > 17:23:41.000000000 -0400
> > > @@ -1,3 +1,12 @@
> > > +rsync (3.2.7-1+deb12u6) bookworm; urgency=medium
> > > +
> > > +  * Non-maintainer upload.
> > > +  * Import upstream patch to reject overlong HTTP proxy response lines,
> > > +    avoiding a one byte out of bounds stack write when using RSYNC_PROXY.
> > > +    (CVE-2026-45232).
> > > +
> > > + -- Aquila Macedo Costa <[email protected]>  Sun, 24 May 2026 18:23:41 
> > > -0300
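Review bot: the changelog entry names neither the debian/patches file that carries the fix nor the upstream v3.2.7-sec-patches origin stated in the [ Changes ] section, so someone reading only debian/changelog cannot trace the change back to upstream; consider naming the patch file and the upstream branch in the entry (e.g. "Import upstream v3.2.7-sec-patches fix ..."). The quoted debdiff also shows only the debian/changelog hunk, so the actual bound check being added to the proxy response handling is not visible in this thread and reviewers following it cannot confirm the behaviour described above without opening the MR.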
> > Why are you fixing this for bookworm while there is no update for
> > trixie-pu, and have you coordinated this with the maintainer? I'm
> > asking this because of a similar approach done for libsdl2-image, cf.
> > #1134510.
> > 
> > So at the very minimum before having a bookworm update there should be
> > a similar update as well for trixie.
> > 
> > Regards,
> > Salvatore
> 
> 
> Hi Salvatore,
> 
> Thanks for taking a look.
> 
> The motivation here was to help with bookworm cleanup ahead of the
> transition from normal Debian support to LTS, as part of the ongoing BSP:
> https://wiki.debian.org/BSP/2026/05-07/Brazil
> 
> I was looking at small no-dsa CVEs still open in bookworm, and this one
> looked like a targeted low-risk fix with an upstream regression test.
> 
> That said, you're right that trixie should not be skipped. I'll prepare the
> matching trixie-pu for CVE-2026-45232 first/in parallel, and I'll not upload
> the bookworm update before the trixie side is handled.
> 
> Regarding maintainer coordination, this was coordinated on Salsa. Samuel
> Henrique reviewed and approved the rsync MR.
> 
> https://salsa.debian.org/debian/rsync/-/merge_requests/37
> 
> I mentioned the approval in the request, but I should have made that more
> visible.

I stand corrected, I hope you can take my apologies.

Then my only remaining concern is the missing corresponding trixie update,
as outlined above.

Thank you!

Regards,
Salvatore

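As an added illustration for the bug class discussed in this thread (this is not rsync's establish_proxy_connection() and not the patch under review), the following C program shows a bounded reader for the HTTP proxy response line with the length check that rejects an overlong line before the terminating NUL can land one byte past the buffer. The fake in-memory socket, the constructed responses, PROXY_LINE_MAX and the function names are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not rsync's code: a bounded reader for the proxy's
 * CONNECT response. The "socket" is a constructed in-memory byte stream and
 * PROXY_LINE_MAX is an assumed size, not rsync's constant. */

#define PROXY_LINE_MAX 1024

enum proxy_result {
    LINE_OK = 0,
    LINE_TOO_LONG = -1,   /* longer than buffer-1 bytes: rejected, nothing written */
    LINE_EOF = -2,        /* stream ended before the line terminator */
    LINE_BAD_STATUS = -3  /* first line is not an HTTP status line */
};

struct fake_sock { const char *data; size_t len; size_t pos; };

static int sock_getc(struct fake_sock *s)
{
    if (s->pos >= s->len)
        return -1;
    return (unsigned char)s->data[s->pos++];
}

/* Read one LF-terminated line (CR stripped) into buf[bufsize], NUL-terminated.
 * Fencepost: bufsize-1 payload bytes plus the NUL fill the buffer exactly, so a
 * byte arriving when n == bufsize-1 is the overlong case and is rejected. A
 * check of `n > bufsize - 1` would accept one byte too many and put the NUL at
 * buf[bufsize], i.e. the one-byte out-of-bounds stack write described above. */
static int read_proxy_line(struct fake_sock *s, char *buf, size_t bufsize)
{
    size_t n = 0;
    int ch;

    for (;;) {
        ch = sock_getc(s);
        if (ch == -1)
            return LINE_EOF;
        if (ch == '\n')
            break;
        if (ch == '\r')
            continue;
        if (n >= bufsize - 1)
            return LINE_TOO_LONG;
        buf[n++] = (char)ch;
    }
    buf[n] = '\0';
    return LINE_OK;
}

static int parse_status(const char *line)
{
    int major, minor, status;
    if (sscanf(line, "HTTP/%d.%d %d", &major, &minor, &status) != 3)
        return -1;
    return status;
}

/* Consume the proxy's response: returns the HTTP status code of the first line
 * or a negative enum proxy_result. Every header line, not only the first, goes
 * through the bounded reader; the caller decides whether status 200 is required. */
int proxy_handshake(const char *response, size_t len)
{
    struct fake_sock s = { response, len, 0 };
    char line[PROXY_LINE_MAX];
    int rc, status;

    rc = read_proxy_line(&s, line, sizeof line);
    if (rc != LINE_OK)
        return rc;
    status = parse_status(line);
    if (status < 0)
        return LINE_BAD_STATUS;
    for (;;) {                       /* drain headers up to the empty line */
        rc = read_proxy_line(&s, line, sizeof line);
        if (rc != LINE_OK)
            return rc;
        if (line[0] == '\0')
            break;
    }
    return status;
}

/* Build a constructed "HTTP/1.0 200 xxx..." status line of exactly n bytes
 * (before CRLF) and run the handshake on it, to probe the fencepost. */
int handshake_with_line_length(size_t n)
{
    static const char prefix[] = "HTTP/1.0 200 ";
    size_t plen = sizeof prefix - 1, total = n + 4;
    char *resp;
    int rc;

    if (n < plen)
        return LINE_BAD_STATUS;
    if ((resp = malloc(total + 1)) == NULL)
        return LINE_EOF;
    memcpy(resp, prefix, plen);
    memset(resp + plen, 'x', n - plen);
    memcpy(resp + n, "\r\n\r\n", 4);
    resp[total] = '\0';
    rc = proxy_handshake(resp, total);
    free(resp);
    return rc;
}

int main(void)
{
    const char *ok = "HTTP/1.0 200 Connection established\r\n\r\n"; /* constructed */
    printf("normal response:  %d\n", proxy_handshake(ok, strlen(ok)));
    printf("%d-byte line: %d\n", PROXY_LINE_MAX - 1, handshake_with_line_length(PROXY_LINE_MAX - 1));
    printf("%d-byte line: %d\n", PROXY_LINE_MAX, handshake_with_line_length(PROXY_LINE_MAX));
    return 0;
}
```

The two handshake_with_line_length() calls sit on either side of the boundary: a status line of PROXY_LINE_MAX-1 bytes is the longest that fits with its NUL and is accepted, while one of PROXY_LINE_MAX bytes is refused before any byte is stored, which is the behaviour the upstream fix described above is meant to provide.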