Here is my fix for the situation:
diff --git a/popt/findme.c b/popt/findme.c
index ac4cbae..4fe8a18 100644
--- a/popt/findme.c
+++ b/popt/findme.c
@@ -25,12 +25,23 @@ const char * findProgramPath(const char * argv0)
if (path == NULL) return NULL;
bufsize = strlen(path) + 1;
+#if defined __TANDEM
+ start = pathbuf = malloc(bufsize);
+#else
start = pathbuf = alloca(bufsize);
+#endif
if (pathbuf == NULL) return NULL; /* XXX can't happen */
strlcpy(pathbuf, path, bufsize);
bufsize += sizeof "/" - 1 + strlen(argv0);
buf = malloc(bufsize);
+#if defined __TANDEM
+ if (buf == NULL) {
+ free(start);
+ return NULL; /* XXX can't happen */
+ }
+#else
if (buf == NULL) return NULL; /* XXX can't happen */
+#endif
chptr = NULL;
/*@-branchstate@*/
@@ -39,8 +50,15 @@ const char * findProgramPath(const char * argv0)
*chptr = '\0';
snprintf(buf, bufsize, "%s/%s", start, argv0);
+#if defined __TANDEM
+ if (!access(buf, X_OK)) {
+ free(start);
+ return buf;
+ }
+#else
if (!access(buf, X_OK))
return buf;
+#endif
if (chptr)
start = chptr + 1;
@@ -51,5 +69,8 @@ const char * findProgramPath(const char * argv0)
free(buf);
+#if defined __TANDEM
+ free(start);
+#endif
return NULL;
}
I would respectfully ask that it be included ASAP.
Thanks,
Randall
From: rsync <[email protected]> On Behalf Of Randall S. Becker via
rsync
Sent: January 14, 2025 6:09 PM
To: 'rsync.project' <[email protected]>
Cc: [email protected]
Subject: RE: new release 3.4.0 - critical security release
This happens on NonStop x86 and ia64. I have been building/packaging Rsync for
years – almost a decade in fact. I think this happened once before this year,
in fact.
It is equivalent to the more portable malloc/free, which I would prefer to have
in this series even if it has to be wrapped in a #if defined (__TANDEM) block.
This call is considered not portable and allocates on the stack instead of the
heap. This can cause performance issues as memory management on the heap is
generally given more attention by runtimes. The reason it is not supported on
NonStop is that the c99 compiler does not generate code for allocating on the
stack on this machine.
Please forgive me here, but adding a new dependency for a critical security fix
is rather painful.
--Randall
From: rsync.project <[email protected]>
Sent: January 14, 2025 4:31 PM
To: [email protected]
Cc: [email protected]
Subject: Re: new release 3.4.0 - critical security release
the alloca comes from the new popt release. What system are you having an issue
with?
On Wed, 15 Jan 2025 at 07:16, <[email protected]
<mailto:[email protected]> > wrote:
A new dependency was added since 3.3, alloca(), which is not portable. Is there
a way around this?
Thanks,
Randall
From: rsync <[email protected]
<mailto:[email protected]> > On Behalf Of rsync.project via rsync
Sent: January 14, 2025 2:49 PM
To: [email protected] <mailto:[email protected]>
Cc: [email protected] <mailto:[email protected]>
Subject: new release 3.4.0 - critical security release
We have just released version 3.4.0 of rsync. This release fixes 6 security
vulnerabilities found by two groups of security researchers.
You can find the new release links here:
- https://rsync.samba.org/
- https://download.samba.org/pub/rsync/src/
For details on the vulnerabilities please see this CERT advisory:
https://kb.cert.org/vuls/id/952657
The various distros should be doing security releases today
Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at Google
Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for discovering these
vulnerabilities and working with the rsync project to develop and test fixes.
Also many thanks to Wayne Davison for assisting with the release process as
this is the first release I've done since 2002 when Wayne took over as the
rsync maintainer.
Andrew Tridgell
rsync maintainer (again!)
--
Please use reply-all for most replies to avoid omitting the mailing list.
To unsubscribe or change options: https://lists.samba.org/mailman/listinfo/rsync
Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
