From patchwork Sat Jun 12 12:02:10 2021
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1491271
From: Fabrice Fontaine
To: buildroot@buildroot.org
Cc: Fabrice Fontaine
Date: Sat, 12 Jun 2021 14:02:10 +0200
Message-Id: <20210612120210.53537-1-fontaine.fabrice@gmail.com>
X-Mailer: git-send-email 2.30.2
Subject: [Buildroot] [PATCH 1/1] package/rsync: fix CVE-2020-14387
List-Id: Discussion and development of buildroot

A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly
validates certificates (host mismatch vulnerability). A remote,
unauthenticated attacker could exploit the flaw by performing a
man-in-the-middle attack using a valid certificate for another hostname,
which could compromise confidentiality and integrity of data transmitted
using rsync-ssl. The highest threat from this vulnerability is to data
confidentiality and integrity. This flaw affects rsync versions before
3.2.4.

Signed-off-by: Fabrice Fontaine
---
 ...n-the-certificate-when-using-openssl.patch | 29 +++++++++++++++++++
 package/rsync/rsync.mk                        |  2 ++
 2 files changed, 31 insertions(+)
 create mode 100644 package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
diff --git a/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch b/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch new file mode 100644 index 0000000000..13edeff944 --- /dev/null +++ b/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch @@ -0,0 +1,29 @@ +From c3f7414c450faaf6a8281cc4a4403529aeb7d859 Mon Sep 17 00:00:00 2001 +From: Matt McCutchen +Date: Wed, 26 Aug 2020 12:16:08 -0400 +Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using + openssl. + +Signed-off-by: Fabrice Fontaine +[Retrieved from: +https://git.samba.org/?p=rsync.git;a=commitdiff;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859] +--- + rsync-ssl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rsync-ssl b/rsync-ssl +index 8101975a..46701af1 100755 +--- a/rsync-ssl ++++ b/rsync-ssl +@@ -129,7 +129,7 @@ function rsync_ssl_helper { + fi + + if [[ $RSYNC_SSL_TYPE == openssl ]]; then +- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port ++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port + elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then + exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port + else +-- +2.25.1 + diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk index 3ebf3a6883..32e5827739 100644 --- a/package/rsync/rsync.mk +++ b/package/rsync/rsync.mk @@ -20,6 +20,8 @@ RSYNC_CONF_OPTS = \ --disable-lz4 \ --disable-asm +RSYNC_IGNORE_CVES += CVE-2020-14387 + ifeq ($(BR2_PACKAGE_ACL),y) RSYNC_DEPENDENCIES += acl else
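Review bot: only the openssl branch of rsync_ssl_helper gains a hostname check; the gnutls branch two lines below (`exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port`) is left untouched, and neither the upstream subject ("when using openssl") nor the Buildroot commit message says whether the gnutls backend already verifies the peer name on its own. Please state that in the commit message so reviewers can confirm the CVE is closed for both backends that rsync-ssl selects through $RSYNC_SSL_TYPE.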
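Review bot: the new `RSYNC_IGNORE_CVES += CVE-2020-14387` line in rsync.mk carries no comment tying it to the fix; Buildroot's convention is to name the patch that closes the CVE on the line above, e.g. `# 0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch`, so the entry can be dropped together with the patch once rsync is bumped to 3.2.4, the version the commit message says fixes this.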
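The commit message above describes the essence of the bug: a certificate that is perfectly valid (trusted chain, not expired) but issued for a different hostname. Chain validation alone accepts it; only the hostname-binding check rejects it, which is what the backported `-verify_hostname` adds to the openssl branch. The following is an added example, not code from rsync or Buildroot: it implements that second check over a certificate's subjectAltName dNSName entries with the usual RFC 6125 wildcard rules, runs it on constructed sample certificates (the SAN lists, the `chain_valid` flag and the names `hostname_matches`, `verify_peer` and `make_client_context` are all assumptions of this example), and shows the Python `ssl` client-context settings that enforce the same two checks.

```python
"""Hostname binding check for a TLS peer certificate (added example).

Two independent questions must both be answered "yes" before a peer is
trusted: is the chain valid, and is the name on the certificate the host
we meant to reach? CVE-2020-14387 is the second question being skipped.
All certificates below are constructed sample data, not real ones.
"""
import ssl


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """Return True if hostname is bound to one of the certificate's SAN
    dNSName entries, using the common wildcard rules (RFC 6125 6.4.3):
      - comparison is case-insensitive,
      - a wildcard is only accepted as the complete left-most label,
      - a wildcard matches exactly one label, never zero or several,
      - at least two labels must follow the wildcard ("*.com" is rejected).
    """
    host = hostname.rstrip(".").lower()
    host_labels = host.split(".")
    for name in san_dns_names:
        pattern = name.rstrip(".").lower()
        if pattern == host:
            return True                      # exact match
        if "*" not in pattern:
            continue                         # plain name, no match
        pat_labels = pattern.split(".")
        if pat_labels[0] != "*" or len(pat_labels) < 3:
            continue                         # partial or top-level wildcard
        if len(pat_labels) != len(host_labels):
            continue                         # wildcard spans one label only
        if pat_labels[1:] == host_labels[1:] and host_labels[0] != "":
            return True
    return False


def verify_peer(hostname: str, cert: dict) -> tuple[bool, str]:
    """Two-step acceptance decision for a presented certificate.

    `cert` is a constructed stand-in for a parsed certificate:
    {"chain_valid": bool, "san": [dNSName, ...]}. In a real client the
    chain result comes from the TLS library; the name check is what the
    rsync-ssl patch above enables for openssl s_client.
    """
    if not cert["chain_valid"]:
        return False, "chain validation failed"
    if not hostname_matches(hostname, cert["san"]):
        return False, "certificate is valid but issued for another host"
    return True, "ok"


def make_client_context() -> ssl.SSLContext:
    """Client context enforcing both checks. create_default_context()
    already sets CERT_REQUIRED and check_hostname; they are restated so the
    intent is explicit. Setting check_hostname = False would reproduce the
    defect class described in the CVE text."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED      # must be set before check_hostname
    ctx.check_hostname = True
    return ctx


def context_enforces_identity(ctx: ssl.SSLContext) -> bool:
    """True when a context performs both chain and hostname verification."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed samples: a CA-signed certificate for a different host (the
# CVE scenario) and one for the host actually being contacted.
OTHER_HOST_CERT = {"chain_valid": True,
                   "san": ["backup.example.net", "*.example.net"]}
RIGHT_HOST_CERT = {"chain_valid": True, "san": ["rsync.example.org"]}

if __name__ == "__main__":
    target = "rsync.example.org"
    for label, cert in (("other host", OTHER_HOST_CERT),
                        ("right host", RIGHT_HOST_CERT)):
        accepted, reason = verify_peer(target, cert)
        print(f"{label:>10}: accepted={accepted} ({reason})")
    print("context enforces identity:",
          context_enforces_identity(make_client_context()))
```

The wildcard handling is deliberately conservative: a name such as `f*.example.org` or `*.com` is rejected outright rather than matched partially, which is the behaviour a client should prefer when the alternative is accepting a certificate it cannot prove belongs to the peer.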