From 5bc9300daaabe38316c7dce72c65ff56142fab7a Mon Sep 17 00:00:00 2001
From: zhuhong_bo
Date: Tue, 13 Jan 2026 17:40:33 +0800
Subject: [PATCH] fix cve CVE-2024-12087

---
 ....patch => rsync-3.1.2-CVE-2024-12085.patch | 0
 rsync-3.1.2-CVE-2024-12087.patch | 45 +++++++++++++++++++
 rsync.spec | 12 ++---
 3 files changed, 52 insertions(+), 5 deletions(-)
 rename 0001-fix-cve-CVE-2024-12085.patch => rsync-3.1.2-CVE-2024-12085.patch (100%)
 create mode 100644 rsync-3.1.2-CVE-2024-12087.patch

diff --git a/0001-fix-cve-CVE-2024-12085.patch b/rsync-3.1.2-CVE-2024-12085.patch
similarity index 100%
rename from 0001-fix-cve-CVE-2024-12085.patch
rename to rsync-3.1.2-CVE-2024-12085.patch
diff --git a/rsync-3.1.2-CVE-2024-12087.patch b/rsync-3.1.2-CVE-2024-12087.patch
new file mode 100644
index 0000000..348d156
--- /dev/null
+++ b/rsync-3.1.2-CVE-2024-12087.patch
@@ -0,0 +1,45 @@
+From f06f89ffab6ecc76aac8229f61ff1abe8e83efa3 Mon Sep 17 00:00:00 2001
+From: zhuhong_bo
+Date: Tue, 13 Jan 2026 17:34:02 +0800
+Subject: [PATCH] rsync-3.1.2 CVE-2024-12087
+
+---
+ flist.c | 9 +++++++++
+ rsync.h | 1 +
+ 2 files changed, 10 insertions(+)
+
+diff --git a/flist.c b/flist.c
+index 75fc113..23904db 100644
+--- a/flist.c
++++ b/flist.c
+@@ -2451,6 +2451,15 @@ struct file_list *recv_file_list(int f, int dir_ndx)
+ init_hard_links();
+ #endif
+ 
++ if (inc_recurse && dir_ndx >= 0) {
++ struct file_struct *file = dir_flist->files[dir_ndx];
++ if (file->flags & FLAG_GOT_DIR_FLIST) {
++ rprintf(FERROR_XFER, "rsync: refusing malicious duplicate flist for dir %d\n", dir_ndx);
++ exit_cleanup(RERR_PROTOCOL);
++ }
++ file->flags |= FLAG_GOT_DIR_FLIST;
++ }
++
+ flist = flist_new(0, "recv_file_list");
+ 
+ if (inc_recurse) {
+diff --git a/rsync.h b/rsync.h
+index 58b9cec..4f79930 100644
+--- a/rsync.h
++++ b/rsync.h
+@@ -75,6 +75,7 @@
+ #define FLAG_DUPLICATE (1<<4) /* sender */
+ #define FLAG_MISSING_DIR (1<<4) /* generator */
+ #define FLAG_HLINKED (1<<5) /* receiver/generator (checked on all types) */
++#define FLAG_GOT_DIR_FLIST (1<<5)/* sender/receiver/generator - dir_flist only */
+ #define FLAG_HLINK_FIRST (1<<6) /* receiver/generator (w/FLAG_HLINKED) */
+ #define FLAG_IMPLIED_DIR (1<<6) /* sender/receiver/generator (dirs only) */
+ #define FLAG_HLINK_LAST (1<<7) /* receiver/generator */
+-- 
+1.8.3.1
+
diff --git a/rsync.spec b/rsync.spec
index 5305402..803d99d 100644
--- a/rsync.spec
+++ b/rsync.spec
@@ -8,7 +8,7 @@
 Summary: A program for synchronizing files over a network
 Name: rsync
 Version: 3.1.2
-Release: 12%{?prerelease}%{?dist}.1
+Release: 12%{?prerelease}%{?dist}.2
 Group: Applications/Internet
 URL: http://rsync.samba.org/
 
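Review bot: In the `recv_file_list()` hunk carried by the new rsync-3.1.2-CVE-2024-12087.patch, `dir_flist->files[dir_ndx]` is dereferenced after only the `dir_ndx >= 0` test, so an index at or past the end of the directory list would be read before the duplicate check can run. Nothing visible in the hunk bounds the value from above; unless every caller already guarantees it, add an upper-bound guard ahead of the lookup, e.g. `if (dir_ndx >= dir_flist->used) exit_cleanup(RERR_PROTOCOL);`, ideally with its own `rprintf(FERROR_XFER, ...)` message. Separately, the rsync.h hunk gives `FLAG_GOT_DIR_FLIST` the same bit `(1<<5)` as `FLAG_HLINKED`, whose comment says it is "checked on all types"; please confirm that no 3.1.2 code path tests `FLAG_HLINKED` on the dir_flist entries that now carry this bit. The body of `recv_file_list()` continues outside the hunk.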
@@ -36,10 +36,8 @@ Patch7: rsync-3.1.2-nfs-xattrs.patch Patch8: rsync-3.1.2-nanoseconds.patch Patch9: rsync-3.1.2-cve-2022-29154.patch Patch10: rsync-3.1.2-filtering-rules.patch - -#add by uos -Patch11: 0001-fix-cve-CVE-2024-12085.patch -#end +Patch11: rsync-3.1.2-CVE-2024-12085.patch +Patch12: rsync-3.1.2-CVE-2024-12087.patch %description Rsync uses a reliable algorithm to bring remote and host files into sync very quickly. Rsync is fast because it just sends the differences @@ -78,6 +76,7 @@ patch -p1 -i patches/copy-devices.diff %patch9 -p1 -b .cve-2022-20154 %patch10 -p1 -b .filtering-rules %patch11 -p1 -b .fix-cve-CVE-2024-12085 +%patch12 -p1 -b .fix-cve-CVE-2024-12087 %build rm -fr autom4te.cache @@ -129,6 +128,9 @@ rm -rf $RPM_BUILD_ROOT %systemd_postun_with_restart rsyncd.service %changelog +* Tue Jan 13 2026 zhuhongbo - 3.1.2-12.2 +- cve: fix cve CVE-2024-12087 + * Fri Feb 21 2025 zhuhongbo - 3.1.2-12.1 - cve: fix cve CVE-2024-12085 -- Gitee