If we are going to do something in advance of their release, I'd prefer pre1
to a patch, as at least it will be more obvious to the user from the
version number.

Changing MASTER_SITES like that will prevent portroach from picking up new
normal releases (which seems particularly important given the experimental
nature of this release). If committing this, it might be better to add
src-preview after the existing MASTER_SITES instead so that portroach still
looks in the main dir (there will be a 404 but port fetching should just
move on).

I am a bit unsure about using this until upstream are happy enough to make
it a full release. OTOH the real problematic case - syncing specific files
into your home directory from an untrusted server and having e.g. a
.profile come along for the ride - is quite bad, even if it does seem like
something that wouldn't get done often because it seems a bit of an
obviously dodgy thing to do in the first place.

--
Sent from a phone, apologies for poor formatting.

On 6 August 2022 04:57:55 Nam Nguyen <namn@berkeley.edu> wrote:
> "T.J. Townsend" writes:
>
>>> https://www.openwall.com/lists/oss-security/2022/08/02/1
>>> https://github.com/WayneD/rsync/commit/b7231c7d02.patch
>
> Here is a diff that updates to 3.2.5pre1 to cover tj@'s backported fix +
> additional related fixes. This way, no local patches are needed. I am a
> bit concerned about the stability of rsync 3.2.5 since it is a
> prerelease and the "false alerts" from the announcement. It might be
> worth it in this case?
>
> announcement:
> https://lists.samba.org/archive/rsync-announce/2022/000112.html
>
>>
>> Updated diff that also fixes CVE-2022-37434 in the bundled zlib:
>
> zlib fix is not needed because inflateGetHeader is not called. "NOTE:
> only applications that call inflateGetHeader are affected."
>
> see: https://www.cve.org/CVERecord?id=CVE-2022-37434
>
> OK?
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/rsync/Makefile,v
> retrieving revision 1.93
> diff -u -p -u -p -r1.93 Makefile
> --- Makefile 23 May 2022 00:24:58 -0000 1.93
> +++ Makefile 6 Aug 2022 03:42:44 -0000
> @@ -1,6 +1,6 @@
> COMMENT = mirroring/synchronization over low bandwidth links
>
> -DISTNAME = rsync-3.2.4
> +DISTNAME = rsync-3.2.5pre1
> CATEGORIES = net
> HOMEPAGE = https://rsync.samba.org/
>
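Review bot: the DISTNAME line moves the port to a prerelease tarball with nothing in the Makefile recording why. A short comment above `DISTNAME = rsync-3.2.5pre1` saying that the prerelease is taken for the security fix, and that the port should move to the final 3.2.5 once it is released, would help whoever updates it next.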
> @@ -12,8 +12,7 @@ PERMIT_PACKAGE = Yes
>
> WANTLIB = c crypto
>
> -MASTER_SITES = https://rsync.samba.org/ftp/rsync/src/ \
> - https://ftp.funet.fi/pub/mirrors/samba.org/pub/rsync/src/
> +MASTER_SITES = https://rsync.samba.org/ftp/rsync/src-previews/
>
> MODULES = lang/python
>
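Review bot: in the MASTER_SITES change, both existing entries (the rsync.samba.org `src/` directory and the funet mirror) are removed in favour of `src-previews/` alone, which leaves a single fetch location and nothing pointing at the directory the 3.2.4 release came from. Consider keeping the two existing lines and appending `https://rsync.samba.org/ftp/rsync/src-previews/` as a further entry, so the prerelease is still fetched while the release directory and the mirror stay listed.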
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/net/rsync/distinfo,v
> retrieving revision 1.32
> diff -u -p -u -p -r1.32 distinfo
> --- distinfo 23 May 2022 00:24:58 -0000 1.32
> +++ distinfo 6 Aug 2022 03:42:44 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (rsync-3.2.4.tar.gz) = b3YYONCAUrC2V5z39nN9k+R/AfTaBMXSTTRHt/Kl+tE=
> -SIZE (rsync-3.2.4.tar.gz) = 1114853
> +SHA256 (rsync-3.2.5pre1.tar.gz) = wBhH4x3zI183EQMLxNIP3xkhi0zTzTthj0WcD0K1YjY=
> +SIZE (rsync-3.2.5pre1.tar.gz) = 1126641
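Review bot: the new SHA256 and SIZE lines for rsync-3.2.5pre1.tar.gz are the only integrity check on a tarball that, with the Makefile change in this diff, is fetched from a single `src-previews/` URL. It would be worth saying in the submission how the hash was confirmed (for example against an upstream signature for the tarball, if one is published) rather than recording it from a single download.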