FS#75558 - [rsync] Latest CVE-2022-29154 patch seems to cause other bugs

Attached to Project: Arch Linux
Opened by jake mcginty (clpwn) - Tuesday, 09 August 2022, 05:01 GMT
Last edited by Christian Hesse (eworm) - Wednesday, 10 August 2022, 12:46 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jelle van der Waa (jelly)
Christian Hesse (eworm)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:

The latest rsync 3.2.4-2 package adds a single commit patch (b7231c7d02cfb65d291af74ff66e7d8c507ee871) from July 31st to rsync's 3.2.4 code. However, this single commit seemed to have a decent number of bugs and was followed up with what seems like a number of commits to fix new bugs introduced by this original patch. Namely:

7e5424b806e8eea053016268ad186276e9083b77
3d7015afa223494e3318495c2f5de9cb49229da9
d659610afc8a3ee53fe68a8a4bbd7fc768fcd6e9 (committed just 4 hours ago)


Without these fixes, the following example command worked on 3.2.4-1, but is currently broken on 3.2.4-2:

rsync -aPx myserver:~/folder/. ./otherfolder/.

Closed by  Christian Hesse (eworm)
Wednesday, 10 August 2022, 12:46 GMT
Reason for closing:  Fixed
Additional comments about closing:  rsync 3.2.5pre2-1
Comment by John (graysky) - Tuesday, 09 August 2022, 10:31 GMT
Missing [rsync] tag in title
Comment by Kyle (2bluesc) - Tuesday, 09 August 2022, 15:33 GMT
Just encountered this bug after an update yesterday on all of my 5x remote rsync backups that run nightly. All `rsync` processes were hung at 100% CPU for many hours. These run daily for years and should've completed in 10s of minutes.

Downgrading to `rsync-3.2.4-1-x86_64.pkg.tar.zst` resolved it immediately.

Breaking update: `[2022-08-08T09:50:10-0500] [ALPM] upgraded rsync (3.2.4-1 -> 3.2.4-2)`
Downgrade: `[2022-08-09T10:26:39-0500] [ALPM] downgraded rsync (3.2.4-2 -> 3.2.4-1)`
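
The two ALPM log lines above record the upgrade that introduced the hang and the downgrade that fixed it. As an added example (not from this thread, the rsync project or the Arch packagers), here is a POSIX shell script that parses pacman.log-style lines for a package's version transitions, flags the one Arch package version this report identifies as affected (3.2.4-2), and wraps a long-running job in a deadline so a hung rsync is killed and reported instead of sitting at 100% CPU all night. The log excerpt is constructed, and the function names and the "3.2.4-2 only" affected list are assumptions made for the example.

```shell
#!/bin/sh
# Constructed pacman.log excerpt in the same ALPM format as the lines quoted in the thread.
PACMAN_LOG_SAMPLE='[2022-08-08T09:50:10-0500] [ALPM] upgraded rsync (3.2.4-1 -> 3.2.4-2)
[2022-08-08T09:50:11-0500] [ALPM] upgraded linux (5.18.15.arch1-1 -> 5.18.16.arch1-1)
[2022-08-09T10:26:39-0500] [ALPM] downgraded rsync (3.2.4-2 -> 3.2.4-1)'

# Arch rsync package versions this report says hang (assumption: only 3.2.4-2).
AFFECTED_VERSIONS="3.2.4-2"

# Read log text on stdin and print "timestamp action old new" for every
# upgrade/downgrade of package $1 (only those lines carry an "old -> new" pair).
# $1 is inserted into the regex verbatim, so use it for plain package names only.
package_transitions() {
    pkg=$1
    sed -n -E "s/^\[([^]]+)\] \[ALPM\] (upgraded|downgraded) $pkg \(([^ ]+) -> ([^)]+)\)\$/\1 \2 \3 \4/p"
}

# Last version the log leaves package $1 at (empty if the log never touched it).
current_version_from_log() {
    package_transitions "$1" | awk 'END { if (NR) print $4 }'
}

# Return 0 if version $1 is on the affected list, 1 otherwise.
is_affected_version() {
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Print a one-line verdict for rsync based on log text read from stdin.
check_rsync_log() {
    ver=$(current_version_from_log rsync)
    if [ -z "$ver" ]; then
        echo "rsync: no upgrade/downgrade entries found"
    elif is_affected_version "$ver"; then
        echo "rsync $ver: affected by FS#75558, downgrade to 3.2.4-1 or move to 3.2.5pre2-1"
    else
        echo "rsync $ver: not in affected list"
    fi
}

# Run a command under a deadline (seconds). GNU timeout exits 124 when the
# deadline fires; -k sends SIGKILL 10s later if the process ignores SIGTERM.
# Intended for nightly jobs, e.g. run_with_deadline 7200 rsync -aPx src/ dst/
run_with_deadline() {
    secs=$1
    shift
    timeout -k 10 "$secs" "$@"
}

# Demo on the constructed excerpt: the log ends on 3.2.4-1, so the verdict is "not affected".
printf '%s\n' "$PACMAN_LOG_SAMPLE" | package_transitions rsync
printf '%s\n' "$PACMAN_LOG_SAMPLE" | check_rsync_log
```

On a real host, replace the sample with `check_rsync_log < /var/log/pacman.log`; the deadline wrapper turns the "hung for many hours" symptom into a non-zero exit that a backup scheduler can alert on.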

Comment by Christian Kujau (ckujau) - Tuesday, 09 August 2022, 18:32 GMT
Same here. I'm unable to pinpoint it to a faulty Git commit in the upstream repo: both HEAD and v3.2.4 from WayneD/rsync are running just fine. I'm too stoopid to figure out what commit archlinux/svntogit-packages/commit/b4854015 does (git apply b7231c7d02cfb65d291af74ff66e7d8c507ee871...?) to start a proper bisect here. Also, does anyone have a download link to rsync-3.2.4-1-x86_64.pkg.tar.zst? ;-)
Comment by John (graysky) - Tuesday, 09 August 2022, 19:28 GMT
The correct way to pinpoint an offending commit is with a git bisect. Tons of docs/tutorials, just google.
Comment by Christian Hesse (eworm) - Tuesday, 09 August 2022, 20:11 GMT
Does rsync 3.2.5pre2-1 work for you?
Comment by Christian Kujau (ckujau) - Tuesday, 09 August 2022, 20:14 GMT
Hehe, I know how to git bisect, and as mentioned, upstream HEAD (from today) just works, but I did not want to check out the whole archlinux/svntogit-packages/ to start bisecting here.
Comment by Kyle (2bluesc) - Wednesday, 10 August 2022, 01:52 GMT
Tested "rsync 3.2.5pre2-1" downloaded from the testing mirror and it works for me.