From 1349e0e9fcaffb78596b7aa2eaeba436f6949318 Mon Sep 17 00:00:00 2001
From: Sheila Aman <sheila@vulpine.house>
Date: Tue, 27 Jul 2021 11:58:20 +0000
Subject: system/rsync: upgrade to 3.2.3

---
 system/rsync/APKBUILD             | 18 ++++++++++++------
 system/rsync/CVE-2020-14387.patch | 21 +++++++++++++++++++++
 2 files changed, 33 insertions(+), 6 deletions(-)
 create mode 100644 system/rsync/CVE-2020-14387.patch

(limited to 'system/rsync')

diff --git a/system/rsync/APKBUILD b/system/rsync/APKBUILD
index f48b55099..a436eaed8 100644
--- a/system/rsync/APKBUILD
+++ b/system/rsync/APKBUILD
@@ -1,24 +1,28 @@
 # Contributor: Natanael Copa <ncopa@alpinelinux.org>
 # Maintainer: Sheila Aman <sheila@vulpine.house>
 pkgname=rsync
-pkgver=3.1.3
-pkgrel=2
+pkgver=3.2.3
+pkgrel=0
 pkgdesc="File transfer program to keep remote files in sync"
 url="https://rsync.samba.org/"
 arch="all"
 license="GPL-3.0+"
 depends=""
 checkdepends="fakeroot"
-makedepends="perl acl-dev attr-dev popt-dev zlib-dev"
+makedepends="perl acl-dev attr-dev lz4-dev openssl-dev popt-dev zlib-dev
+	zstd-dev"
 subpackages="$pkgname-doc $pkgname-openrc rrsync::noarch"
 source="https://download.samba.org/pub/$pkgname/$pkgname-$pkgver.tar.gz
 	rsyncd.initd
 	rsyncd.confd
 	rsyncd.conf
 	rsyncd.logrotate
+	CVE-2020-14387.patch
 	"
 
 # secfixes:
+#   3.2.3-r0:
+#     - CVE-2020-14387
 #   3.1.3-r2:
 #     - CVE-2016-9840
 #     - CVE-2016-9841
@@ -37,7 +41,8 @@ build() {
 		--localstatedir=/var \
 		--enable-acl-support \
 		--enable-xattr-support \
-		--with-included-zlib=no
+		--with-included-zlib=no \
+		--disable-xxhash
 	make
 }
 
@@ -62,8 +67,9 @@ rrsync() {
 	install -D -m 755 "$builddir"/support/rrsync "$subpkgdir"/usr/bin/rrsync
 }
 
-sha512sums="8385f4c0ea37e7a1da3cf45794154f5bc4d1c49bc625ba3b5f85adaf3eafe6d71c15bdcb1410bde731e5d4c19aff3331606637462fa27a68dc3e13192dd78f99  rsync-3.1.3.tar.gz
+sha512sums="48b68491f3ef644dbbbfcaec5ab90a1028593e02d50367ce161fd9d3d0bd0a3628bc57c5e5dec4be3a1d213f784f879b8a8fcdfd789ba0f99837cba16e1ae70e  rsync-3.2.3.tar.gz
 638d87c9a753b35044f6321ccd09d2c0addaab3c52c40863eb6905905576b5268bec67b496df81225528c9e39fbd92e9225d7b3037ab1fda78508d452c78158f  rsyncd.initd
 c7527e289c81bee5e4c14b890817cdb47d14f0d26dd8dcdcbe85c7199cf27c57a0b679bdd1b115bfe00de77b52709cc5d97522a47f63c1bb5104f4a7220c9961  rsyncd.confd
 3db8a2b364fc89132af6143af90513deb6be3a78c8180d47c969e33cb5edde9db88aad27758a6911f93781e3c9846aeadc80fffc761c355d6a28358853156b62  rsyncd.conf
-b8d6c0bb467a5c963317dc55478d2c10874564cd264d943d4a42037e2fce134fe001fabc92af5c6b5775e84dc310b1c8da147afaa61c99e5663c36580d8651a5  rsyncd.logrotate"
+b8d6c0bb467a5c963317dc55478d2c10874564cd264d943d4a42037e2fce134fe001fabc92af5c6b5775e84dc310b1c8da147afaa61c99e5663c36580d8651a5  rsyncd.logrotate
+cebd8b23db8fb095e35e133ab828efecc385e159e429b3c2366f411572cdebb3444be0f60b42b2ce3d34476f1ebb4f194933d699978db385ac40c4fba6767991  CVE-2020-14387.patch"
diff --git a/system/rsync/CVE-2020-14387.patch b/system/rsync/CVE-2020-14387.patch
new file mode 100644
index 000000000..7ed5e7a48
--- /dev/null
+++ b/system/rsync/CVE-2020-14387.patch
@@ -0,0 +1,21 @@
+From: Matt McCutchen <matt@mattmccutchen.net>
+Date: Wed, 26 Aug 2020 16:16:08 +0000 (-0400)
+Subject: rsync-ssl: Verify the hostname in the certificate when using openssl.
+X-Git-Url: http://git.samba.org/?p=rsync.git;a=commitdiff_plain;h=c3f7414;hp=4c4fce51072c9189cfb11b52aa54fed79f5741bd
+
+rsync-ssl: Verify the hostname in the certificate when using openssl.
+---
+
+diff --git a/rsync-ssl b/rsync-ssl
+index 8101975a..46701af1 100755
+--- a/rsync-ssl
++++ b/rsync-ssl
+@@ -129,7 +129,7 @@ function rsync_ssl_helper {
+     fi
+ 
+     if [[ $RSYNC_SSL_TYPE == openssl ]]; then
+-	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -connect $hostname:$port
++	exec $RSYNC_SSL_OPENSSL s_client $caopt $certopt -quiet -verify_quiet -servername $hostname -verify_hostname $hostname -connect $hostname:$port
+     elif [[ $RSYNC_SSL_TYPE == gnutls ]]; then
+ 	exec $RSYNC_SSL_GNUTLS --logfile=/dev/null $gnutls_cert_opt $gnutls_opts $hostname:$port
+     else
-- 
cgit v1.2.3-60-g2f50