Bug 30798

Summary: CVE-2022-29154 patch introduced a bug in rsync with file lists that don't end with a newline (Was:Luckybackup bug with new version of rsync)
Product: Mageia Reporter: Etienne Etienne <etienne15000>
Component: RPM PackagesAssignee: All Packagers <pkg-bugs>
Status: NEW --- QA Contact:
Severity: normal    
Priority: Normal CC: fri, marja11, nicolas.salguero, smelror, yvesbrungard
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://github.com/WayneD/rsync/issues/350
Whiteboard: MGA8TOO
Source RPM: rsync-3.2.2-2.1.mga8, rsync-3.2.5-1.mga9 CVE:
Status comment:

Description Etienne Etienne 2022-09-01 21:23:47 CEST 
With Luckybackup : backup ends without copying any file and each task for which a copy should have been done is concluded with an error message of type:
"ERROR: rejecting excluded file-list name: Folder/. luckybackup-snaphots rsync error: protocol incompatibility (code 2) at flist. c(932) [Receiver=3.2.2] "

So I uninstall the current version of rsync (3.2.2-2.1.mga8x86_64) and everything the ccm required me to remove with (13 packages including luckybackup), then I manually install a previous version (3.2.2-2.mga8x86_64, found on website rpmfind) and reinstall luckybackup.
It works!

Reinstalling all previously deleted packages (with rsync): it still works.

Update of rsync: bug reappearance!
Comment 2 Morgan Leijström 2022-09-01 22:02:08 CEST 
Thank  you for the report

FWIW you could have used
 urpmi --downgrade --search-media 'Release' rsync
to easily downgrade to the version in Mageia release media :)

CC: (none) => fri

Comment 3 Marja Van Waes 2022-09-01 23:54:05 CEST 
This looks very much like:

https://github.com/WayneD/rsync/issues/350
https://github.com/WayneD/rsync/issues/356
https://github.com/WayneD/rsync/issues/360
are about the same issue

Issue 350's summary:
Regression: files in the --files-from list are randomly rejected after the CVE-2022-29154 patch 

In issue 360 it is explained:

> If you have a file-list that contains at least two items and no newline at the
> end, rsync 3.2.5 will refuse to sync the final item in the file list.

> Workaround is to add a final newline.

The patch for newer rsync than our Mga8 one is here:
https://github.com/WayneD/rsync/commit/a182507bef2d0cd92052b3c5ebaf1d98278e0dad

And Wayne writes in issue 356 how he thinks older rsync versions should be fixed, other than just cherry-picking this patch :-þ
https://github.com/WayneD/rsync/issues/356#issuecomment-1220044765 (I assume all previous security patches were already applied, so that that comment be ignored)

rsync 3.2.6 will be released soon and contain the fix

Assigning to all packagers collectively, since this package has no registered maintainer.

CC: (none) => marja11, nicolas.salguero, smelror
Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO
See Also: (none) => https://github.com/WayneD/rsync/issues/350
Assignee: bugsquad => pkg-bugs
Summary: Luckybackup bug with new version of rsync => CVE-2022-29154 patch introduced a bug in rsync with file lists that don't end with a newline (Was:Luckybackup bug with new version of rsync)
Source RPM: rsync-3.2.2-2.1.mga8.x86_64 => rsync-3.2.2-2.1.mga8, rsync-3.2.5-1.mga9

Comment 4 papoteur 2022-09-10 11:34:19 CEST 
New rsync 3.2.6 is just published
However tests fails when applying this patch:
%__patch -p1 -b -z .dir-del < patches/backup-dir-dels.diff

acl_patch doesn't exist anymore.

CC: (none) => yves.brungard_mageia

Comment 5 papoteur 2022-09-13 08:39:48 CEST 
3.2.6 is building:
- disabling patches/backup-dir-dels.diff because test "backup" fails with it
- disabling acl_patch which no more exists

I don't know what was the aim of these patches.

I applied also a patch from commit a739b1289bbba7bd56caeb7b06d9b7f1883c0a3b which should really fix this bug.
Comment 6 papoteur 2022-09-13 08:50:16 CEST 
To test:
rsync-3.2.6-1.mga9
Comment 7 Morgan Leijström 2022-10-11 09:23:51 CEST 
Anything to test on mga8?