* [Buildroot] [PATCH 1/1] package/rsync: fix CVE-2020-14387
@ 2021-06-12 12:02 Fabrice Fontaine
2021-06-12 14:26 ` Peter Korsgaard
0 siblings, 1 reply; 3+ messages in thread
From: Fabrice Fontaine @ 2021-06-12 12:02 UTC (permalink / raw)
To: buildroot
A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly
validates certificate with host mismatch vulnerability. A remote,
unauthenticated attacker could exploit the flaw by performing a
man-in-the-middle attack using a valid certificate for another hostname
which could compromise confidentiality and integrity of data transmitted
using rsync-ssl. The highest threat from this vulnerability is to data
confidentiality and integrity. This flaw affects rsync versions before
3.2.4.
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
...n-the-certificate-when-using-openssl.patch | 29 +++++++++++++++++++
package/rsync/rsync.mk | 2 ++
2 files changed, 31 insertions(+)
create mode 100644 package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
diff --git a/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch b/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
new file mode 100644
index 0000000000..13edeff944
--- /dev/null
+++ b/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
@@ -0,0 +1,29 @@
+From c3f7414c450faaf6a8281cc4a4403529aeb7d859 Mon Sep 17 00:00:00 2001
+From: Matt McCutchen <matt@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 12:16:08 -0400
+Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
+ openssl.
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+[Retrieved from:
+https://git.samba.org/?p=rsync.git;a=commitdiff;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859]
+---
+ rsync-ssl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975a..46701af1 100755
+--- a/rsync-ssl
++++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+ fi
+
+ if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+ elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+ else
+--
+2.25.1
+
diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
index 3ebf3a6883..32e5827739 100644
--- a/package/rsync/rsync.mk
+++ b/package/rsync/rsync.mk
@@ -20,6 +20,8 @@ RSYNC_CONF_OPTS = \
--disable-lz4 \
--disable-asm
+RSYNC_IGNORE_CVES += CVE-2020-14387
+
ifeq ($(BR2_PACKAGE_ACL),y)
RSYNC_DEPENDENCIES += acl
else
--
2.30.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/rsync: fix CVE-2020-14387
2021-06-12 12:02 [Buildroot] [PATCH 1/1] package/rsync: fix CVE-2020-14387 Fabrice Fontaine
@ 2021-06-12 14:26 ` Peter Korsgaard
2021-06-20 14:11 ` Peter Korsgaard
0 siblings, 1 reply; 3+ messages in thread
From: Peter Korsgaard @ 2021-06-12 14:26 UTC (permalink / raw)
To: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly
> validates certificate with host mismatch vulnerability. A remote,
> unauthenticated attacker could exploit the flaw by performing a
> man-in-the-middle attack using a valid certificate for another hostname
> which could compromise confidentiality and integrity of data transmitted
> using rsync-ssl. The highest threat from this vulnerability is to data
> confidentiality and integrity. This flaw affects rsync versions before
> 3.2.4.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> ...n-the-certificate-when-using-openssl.patch | 29 +++++++++++++++++++
> package/rsync/rsync.mk | 2 ++
> 2 files changed, 31 insertions(+)
> create mode 100644 package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> diff --git a/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch b/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> new file mode 100644
> index 0000000000..13edeff944
> --- /dev/null
> +++ b/package/rsync/0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> @@ -0,0 +1,29 @@
> +From c3f7414c450faaf6a8281cc4a4403529aeb7d859 Mon Sep 17 00:00:00 2001
> +From: Matt McCutchen <matt@mattmccutchen.net>
> +Date: Wed, 26 Aug 2020 12:16:08 -0400
> +Subject: [PATCH] rsync-ssl: Verify the hostname in the certificate when using
> + openssl.
> +
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +[Retrieved from:
> +https://git.samba.org/?p=rsync.git;a=commitdiff;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859]
> +---
> + rsync-ssl | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/rsync-ssl b/rsync-ssl
> +index 8101975a..46701af1 100755
> +--- a/rsync-ssl
> ++++ b/rsync-ssl
> +@@ -129,7 +129,7 @@ function rsync_ssl_helper {
> + fi
> +
> + if [[ $RSYNC_SSL_TYPE == openssl ]]; then
> +- exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
> ++ exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
> + elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
> + exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
> + else
> +--
> +2.25.1
> +
> diff --git a/package/rsync/rsync.mk b/package/rsync/rsync.mk
> index 3ebf3a6883..32e5827739 100644
> --- a/package/rsync/rsync.mk
> +++ b/package/rsync/rsync.mk
> @@ -20,6 +20,8 @@ RSYNC_CONF_OPTS = \
> --disable-lz4 \
> --disable-asm
> +RSYNC_IGNORE_CVES += CVE-2020-14387
Committed after adding a
# 0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
Comment in front of this, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/rsync: fix CVE-2020-14387
2021-06-12 14:26 ` Peter Korsgaard
@ 2021-06-20 14:11 ` Peter Korsgaard
0 siblings, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-06-20 14:11 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
Hi,
>> +RSYNC_IGNORE_CVES += CVE-2020-14387
> Committed after adding a
> # 0001-rsync-ssl-Verify-the-hostname-in-the-certificate-when-using-openssl.patch
> Comment in front of this, thanks.
Committed to 2021.05.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-06-20 14:11 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-12 12:02 [Buildroot] [PATCH 1/1] package/rsync: fix CVE-2020-14387 Fabrice Fontaine
2021-06-12 14:26 ` Peter Korsgaard
2021-06-20 14:11 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.