Conversation

Notices

1. Embed this notice
   Natanael Copa (ncopa@fosstodon.org)'s status on Wednesday, 15-Jan-2025 17:57:45 JST Natanael Copa

   rsync has some really serious CVEs[1], but the 3.4.0 release with the fixes has regressions[2] that will break things for people. What to do?

   [1]: https://www.openwall.com/lists/oss-security/2025/01/14/3
   [2]: https://github.com/RsyncProject/rsync/issues/702

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 15-Jan-2025 17:57:45 JST Rich Felker

     in reply to

     @ncopa "Mitigation: Disable SHA* support by compiling with
     CFLAGS=-DDISABLE_SHA512_DIGEST and CFLAGS=-DDISABLE_SHA256_DIGEST."

     Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 15-Jan-2025 18:05:07 JST Rich Felker

     in reply to

     @ncopa Probably nothing but I'm not 100% sure how negotiation works.

   • Embed this notice
     Natanael Copa (ncopa@fosstodon.org)'s status on Wednesday, 15-Jan-2025 18:05:08 JST Natanael Copa

     in reply to

     • Rich Felker

     @dalias what will break if I do that?

   • Embed this notice
     Natanael Copa (ncopa@fosstodon.org)'s status on Wednesday, 15-Jan-2025 23:47:28 JST Natanael Copa

     in reply to

     The obvious answer is:

     - add the regression to the testsuite
     - fix the regression
     - submit a pull request
     - move on

     Too bad I have meetings...

   • Embed this notice
     Natanael Copa (ncopa@fosstodon.org)'s status on Wednesday, 15-Jan-2025 23:47:28 JST Natanael Copa

     in reply to

     Someone else added a test to the test suite, good enough to help me git bisect and fix the issue.
     PR submitted: https://github.com/RsyncProject/rsync/pull/705

     Haelwenn /элвэн/ :triskell: likes this.
   • Embed this notice
     Clayton (craftyguy@freeradical.zone)'s status on Thursday, 16-Jan-2025 01:11:35 JST Clayton

     in reply to

     @ncopa @fossdd lol... wow, what a mess.

   • Embed this notice
     Clayton (craftyguy@freeradical.zone)'s status on Thursday, 16-Jan-2025 01:11:36 JST Clayton

     in reply to

     • fossdd @ FOSDEM

     @fossdd @ncopa debian seems to have backported the fixes on bookworm for 3.2.7:
     https://security-tracker.debian.org/tracker/DSA-5843-1

   • Embed this notice
     Natanael Copa (ncopa@fosstodon.org)'s status on Thursday, 16-Jan-2025 01:11:36 JST Natanael Copa

     in reply to

     • Clayton
     • fossdd @ FOSDEM

     @craftyguy @fossdd Then they have backported the regression and have a broken `rsync -aH`.

     Regression introduced with the fix for
     https://security-tracker.debian.org/tracker/CVE-2024-12087

   • Embed this notice
     Natanael Copa (ncopa@fosstodon.org)'s status on Thursday, 16-Jan-2025 01:11:36 JST Natanael Copa

     in reply to

     • Clayton
     • fossdd @ FOSDEM

     @craftyguy @fossdd yup. they do got the regression: https://github.com/RsyncProject/rsync/issues/697#issuecomment-2591892385

   • Embed this notice
     fossdd @ FOSDEM (fossdd@chaos.social)'s status on Thursday, 16-Jan-2025 01:11:38 JST fossdd @ FOSDEM

     in reply to

     @ncopa ah damn. why didnt they just created more patch releases for older releases

   • Embed this notice
     Natanael Copa (ncopa@fosstodon.org)'s status on Thursday, 16-Jan-2025 01:11:39 JST Natanael Copa

     in reply to

     • fossdd @ FOSDEM

     @fossdd 6 of them. sure. but its gonna take time.

   • Embed this notice
     fossdd @ FOSDEM (fossdd@chaos.social)'s status on Thursday, 16-Jan-2025 01:11:40 JST fossdd @ FOSDEM

     in reply to

     @ncopa can you just patch the CVEs?