On 6/1/26 4:03 PM, Salvatore Bonaccorso wrote:
Hi Aquila,
On Mon, Jun 01, 2026 at 02:47:47PM -0300, Aquila Macedo wrote:
On 6/1/26 1:12 PM, Salvatore Bonaccorso wrote:
Control: tags -1 + moreinfo
Hi
On Sun, May 31, 2026 at 06:15:57PM -0300, Aquila Macedo wrote:
Package: release.debian.org
Control: affects -1 + src:rsync
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: pu
Tags: bookworm
X-Debbugs-Cc: [email protected]
Severity: normal
[ Reason ]
This update fixes CVE-2026-45232, a minor/no-dsa client-side issue in
RSYNC_PROXY handling.
When rsync connects through an HTTP proxy using RSYNC_PROXY, an overlong
proxy response line could trigger a one-byte out-of-bounds stack write. The
write is a fixed NUL byte, so the practical impact is limited, but the
vulnerable code is present in bookworm.
[ Impact ]
Clients using RSYNC_PROXY could crash or misbehave when receiving an
overlong HTTP proxy response line from a malicious proxy or MITM.
[ Tests ]
The package built successfully in Salsa CI:
https://salsa.debian.org/aquila/rsync/-/pipelines/1098495
The targeted upstream regression test added by this patch also passed:
PASS proxy-response-line-too-long
See: https://salsa.debian.org/aquila/rsync/-/jobs/9693182#L3264
The change was also reviewed and approved on Salsa by Samuel Henrique, one
of the rsync maintainers.
[ Risks ]
Low. The patch is small, comes from upstream's v3.2.7 security patch branch,
and only rejects an invalid overlong HTTP proxy response line.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Import the upstream v3.2.7-sec-patches fix to reject overlong HTTP proxy
response lines.
No upstream version bump and no unrelated fixes are included.
diff -Nru rsync-3.2.7-1+deb12u5/debian/changelog
rsync-3.2.7-1+deb12u6/debian/changelog
--- rsync-3.2.7-1+deb12u5/debian/changelog 2026-05-20 02:10:17.000000000
-0400
+++ rsync-3.2.7-1+deb12u6/debian/changelog 2026-05-24 17:23:41.000000000
-0400
@@ -1,3 +1,12 @@
+rsync (3.2.7-1+deb12u6) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Import upstream patch to reject overlong HTTP proxy response lines,
+ avoiding a one byte out of bounds stack write when using RSYNC_PROXY.
+ (CVE-2026-45232).
+
+ -- Aquila Macedo Costa <[email protected]> Sun, 24 May 2026 18:23:41 -0300
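Review bot: the debdiff as pasted is incomplete, so the actual code change cannot be reviewed from this message: the hunk header `@@ -1,3 +1,12 @@` announces nine added lines followed by three unchanged context lines, but only eight `+` lines and no context lines appear, and no hunk for the source patch itself (the rejection of overlong HTTP proxy response lines described under [ Changes ]) is included. Please attach the full debdiff, including the imported patch file, alongside the changelog hunk.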
Why are you fixing this for bookworm while there is no update for
trixie-pu, and have you coordinated this with the maintainer? I'm
asking this because of a similar approach done for libsdl2-image, cf.
#1134510.
So at the very minimum before having a bookworm update there should be
a similar update as well for trixie.
Regards,
Salvatore
Hi Salvatore,
Thanks for taking a look.
The motivation here was to help with bookworm cleanup ahead of the
transition from normal Debian support to LTS, as part of the ongoing BSP:
https://wiki.debian.org/BSP/2026/05-07/Brazil
I was looking at small no-dsa CVEs still open in bookworm, and this one
looked like a targeted low-risk fix with an upstream regression test.
That said, you're right that trixie should not be skipped. I'll prepare the
matching trixie-pu for CVE-2026-45232 first/in parallel, and I'll not upload
the bookworm update before the trixie side is handled.
Regarding maintainer coordination, this was coordinated on Salsa. Samuel
Henrique reviewed and approved the rsync MR.
https://salsa.debian.org/debian/rsync/-/merge_requests/37
I mentioned the approval in the request, but I should have made that more
visible.
I stand corrected; I hope you can take my apologies.
Then my only remaining concern is what we outlined about the missing
corresponding trixie update as well, but which is outlined above.
Thank you!
Regards,
Salvatore
Hi Salvatore,
No worries, and thanks for taking another look.
I've now opened the matching trixie-pu request for CVE-2026-45232:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138659
I'll wait for the trixie side to be handled before proceeding with the
bookworm upload.
Thanks,
Aquila Macedo
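As an added illustration of the class of check described under [ Reason ] and [ Risks ] above (this is not rsync's code and not the upstream patch): a bounds-checked reader for the HTTP proxy response line, plus a canary-guarded harness that would flag the kind of one-byte NUL overwrite the bug description mentions. The in-memory byte source, the 64-byte buffer size and all helper names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not rsync's code): bounds-checked reader for one HTTP proxy
 * response line, the kind of check the CVE-2026-45232 fix enforces. */
#define PROXY_LINE_MAX 64   /* constructed buffer size for the demo */
enum line_result { LINE_OK = 0, LINE_TOO_LONG = -1, LINE_EOF = -2, LINE_CLOBBERED = -3 };

/* Constructed in-memory byte source standing in for the proxy socket. */
struct byte_src { const char *data; size_t len; size_t pos; };
static int src_getc(struct byte_src *s) {
    return s->pos < s->len ? (unsigned char)s->data[s->pos++] : -1;
}

/* Reads to the LF, dropping CRs, checking space before each store and
 * reserving one slot for the NUL. The classic off-by-one checks `n >= bufsize`
 * only for data bytes, so n reaches bufsize and `buf[n] = '\0'` lands past the end. */
int read_proxy_line(struct byte_src *src, char *buf, size_t bufsize) {
    size_t n = 0; int c;
    while ((c = src_getc(src)) != '\n') {
        if (c == -1) return LINE_EOF;               /* line never terminated */
        if (c == '\r') continue;
        if (n + 1 >= bufsize) return LINE_TOO_LONG; /* no room for byte + NUL */
        buf[n++] = (char)c;
    }
    buf[n] = '\0';
    return LINE_OK;
}

/* CONNECT succeeded only if the status line fits and reads "HTTP/1.x 200". */
int proxy_connect_succeeded(const char *resp) {
    char buf[PROXY_LINE_MAX];
    struct byte_src src = { resp, strlen(resp), 0 };
    if (read_proxy_line(&src, buf, sizeof buf) != LINE_OK) return 0;
    if (strncmp(buf, "HTTP/1.", 7) != 0) return 0;
    const char *sp = strchr(buf, ' ');
    return sp && strncmp(sp + 1, "200", 3) == 0 && (sp[4] == ' ' || sp[4] == '\0');
}

/* Feeds a constructed line of `len` 'A's + CRLF through a PROXY_LINE_MAX buffer
 * guarded by a canary byte: a write one past the end is reported as LINE_CLOBBERED. */
int check_line_of_length(size_t len) {
    char line[256], guarded[PROXY_LINE_MAX + 1];
    if (len > sizeof line - 3) return LINE_TOO_LONG;
    memset(line, 'A', len);
    memcpy(line + len, "\r\n", 3);
    guarded[PROXY_LINE_MAX] = 0x5a;             /* canary just past the buffer */
    struct byte_src src = { line, len + 2, 0 };
    int r = read_proxy_line(&src, guarded, PROXY_LINE_MAX);
    return guarded[PROXY_LINE_MAX] != 0x5a ? LINE_CLOBBERED : r;
}
```

A 63-byte line is the longest that fits together with its NUL; a 64-byte line is rejected before any byte is stored out of bounds.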