From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 1/1] package/rsync: fix CVE-2020-14387
Date: Sat, 12 Jun 2021 16:26:52 +0200	[thread overview]
Message-ID: <87wnqzduqb.fsf@dell.be.48ers.dk> (raw)
In-Reply-To: <20210612120210.53537-1-fontaine.fabrice@gmail.com> (Fabrice Fontaine's message of "Sat, 12 Jun 2021 14:02:10 +0200")

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly
 > validates certificate with host mismatch vulnerability. A remote,
 > unauthenticated attacker could exploit the flaw by performing a
 > man-in-the-middle attack using a valid certificate for another hostname
 > which could compromise confidentiality and integrity of data transmitted
 > using rsync-ssl. The highest threat from this vulnerability is to data
 > confidentiality and integrity. This flaw affects rsync versions before
 > 3.2.4.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 > ---
 >  ...n-the-certificate-when-using-openssl.patch | 29 +++++++++++++++++++
 >  package/rsync/rsync.mk                        |  2 ++
 >  2 files changed, 31 insertions(+)
 >  create mode 100644 package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch

 > diff --git a/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch b/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
 > new file mode 100644
 > index 0000000000..13edeff944
 > --- /dev/null
 > +++ b/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
 > @@ -0,0 +1,29 @@
 > +From c3f7414c450faaf6a8281cc4a4403529aeb7d859 Mon Sep 17 00:00:00 2001
 > +From: Matt McCutchen <matt@mattmccutchen.net>
 > +Date: Wed, 26 Aug 2020 12:16:08 -0400
 > +Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
 > + openssl.
 > +
 > +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
 > +[Retrieved from:
 > +https://git.samba.org/?p=rsync.git;a=commitdiff;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859]
 > +---
 > + rsync-ssl | 2 +-
 > + 1 file changed, 1 insertion(+), 1 deletion(-)
 > +
 > +diff --git a/rsync-ssl b/rsync-ssl
 > +index 8101975a..46701af1 100755
 > +--- a/rsync-ssl
 > ++++ b/rsync-ssl
 > +@@ -129,7 +129,7 @@ function rsync_ssl_helper {
 > +     fi
 > + 
 > +     if [[ $RSYNC_SSL_TYPE == openssl ]]; then
 > +-	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
 > ++	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
 > +     elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
 > + 	exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
 > +     else
 > +-- 
 > +2.25.1
 > +
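Review bot: adding `-verify_hostname $hostname` to the openssl branch only turns a hostname mismatch into a certificate verification error; because the same command line passes `-verify_quiet`, whether that error actually aborts the connection or is merely suppressed depends on `$caopt`, which is set outside this hunk, so confirm that every CA-configuration path puts `-verify_return_error` into `$caopt`, otherwise the man-in-the-middle case described in the commit message is still open. The gnutls branch (`exec $RSYNC_SSL_GNUTLS --logfile=/dev/null ...`) is untouched context, so the patch header should say why that branch needs no equivalent change.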
 > diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
 > index 3ebf3a6883..32e5827739 100644
 > --- a/package/rsync/rsync.mk
 > +++ b/package/rsync/rsync.mk
 > @@ -20,6 +20,8 @@ RSYNC_CONF_OPTS = \
 >  	--disable-lz4 \
 >  	--disable-asm
 
 > +RSYNC_IGNORE_CVES += CVE-2020-14387
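Review bot: the new `RSYNC_IGNORE_CVES += CVE-2020-14387` line carries no comment tying it to the fix; Buildroot's convention is a `# 0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch` comment line directly above the `+=`, so a reader of rsync.mk can see why the CVE is ignored and can drop both lines together when rsync is bumped to a release that contains the fix (3.2.4 according to the commit message).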

Committed after adding a

# 0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch 

Comment in front of this, thanks.

-- 
Bye, Peter Korsgaard

Thread overview: 3+ messages
2021-06-12 12:02 [Buildroot] [PATCH 1/1] package/rsync: fix CVE-2020-14387 Fabrice Fontaine
2021-06-12 14:26 ` Peter Korsgaard [this message]
2021-06-20 14:11   ` Peter Korsgaard
