
File rsync-CVE-2022-29154-trust-sender-2.patch of Package rsync.42411

Index: rsync-3.1.0/NEWS
===================================================================
--- rsync-3.1.0.orig/NEWS
+++ rsync-3.1.0/NEWS
@@ -2,6 +2,12 @@ NEWS for rsync 3.1.0 (28 Sep 2013)
 Protocol: 31 (changed)
 Changes since 3.0.9:
 
+  ENHANCEMENTS:
+
+   - The --trust-sender option was added as a way to bypass the
+     extra file-list safety checking (should that be required).
+
+
   OUTPUT CHANGES:
 
     - Output numbers in 3-digit groups by default (e.g. 1,234,567).  See the
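Review bot: The new ENHANCEMENTS entry sits under "NEWS for rsync 3.1.0 (28 Sep 2013)" and "Changes since 3.0.9", so it reads as if --trust-sender shipped with the original 3.1.0 release. Since it arrives through a patch named for CVE-2022-29154, the entry should say that it is part of that fix, and it should describe the file-list checking as a security measure rather than only as "extra file-list safety checking" that can be bypassed. The hunk also adds two blank lines before OUTPUT CHANGES where one would do.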
Index: rsync-3.1.0/rsync.1
===================================================================
--- rsync-3.1.0.orig/rsync.1
+++ rsync-3.1.0/rsync.1
@@ -514,6 +514,7 @@ to the detailed description below for a
      \-\-files\-from=FILE       read list of source\-file names from FILE
  \-0, \-\-from0                 all *from/filter files are delimited by 0s
  \-s, \-\-protect\-args          no space\-splitting; wildcard chars only
+     \-\-trust-sender          trust the remote sender'\&s file list
      \-\-address=ADDRESS       bind address for outgoing socket to daemon
      \-\-port=PORT             specify double\-colon alternate port number
      \-\-sockopts=OPTIONS      specify custom TCP options
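Review bot: In the added summary line the hyphen in "\-\-trust-sender" is not escaped, while the neighbouring entries escape every hyphen ("\-\-files\-from", "\-\-protect\-args"); write it as "\-\-trust\-sender" so the option name renders the same way as the others. The summary text "trust the remote sender's file list" also gives no hint that the option turns validation off, so consider wording it along the lines of the long description, "Disable the extra validation of the file list".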
@@ -2258,6 +2259,41 @@ option to have any effect, the \fB\-g\fP
 (or implied), and the receiver will need to have permissions to set that
 group.
 .IP 
+.IP "\fB\-\-trust-sender\fP"
+Disable the extra validation of the file list from a remote sender.
+This should only be done if you trust
+the sender to not try to do something malicious, which should be the case
+if they\(cq\&re running a stock rsync.
+.IP 
+Normally when pulling files from a remote rsync, the client runs 2 extra
+validation checks:
+.RS 
+.IP o 
+Verify that additional arg items didn\(cq\&t get added at the top of the transfer.
+.IP o 
+Verify that none of the items in the file list should have been excluded.
+.RE 
+.IP 
+Note that various options can turn off one or both of these checks if the
+option interferes with the validation.  For instance:
+.RS 
+.IP o 
+Using a per-directory filter file reads filter rules that only the server
+knows about, so the filter checking is disabled.
+.IP o 
+Reading the files-from list from the server side means that the client
+doesn\(cq\&t know the arg list, so the arg checking is disabled.
+.IP o 
+Using \fB\-\-read\-batch\fP disables both checks since the batch file\(cq\&s
+contents will have been verified when it was created.
+.RE 
+.IP 
+This option may help an under-powered client server if the extra pattern
+matching is slowing things down on a huge transfer.  It can also be used
+to work around a bug in the verification logic, possibly after using the
+\fB\-\-list\-only\fP option combined with \fB\-\-trust\-sender\fP to look
+over the full file list.
+.IP 
 .IP "\fB\-\-chown=USER:GROUP\fP"
 This option forces all files to be owned by USER
 with group GROUP.  This is a simpler interface than using \fB\-\-usermap\fP and
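Review bot: The description lists what the two checks verify but never says what the client accepts once they are off. In the paragraph that follows the .IP "\fB\-\-trust-sender\fP" heading, state that with this option added top-level items and entries that should have been excluded are taken from the sender unverified, so a reader can weigh that against the "under-powered client" use case. The list of options that "can turn off one or both of these checks" deserves the same sentence, because in those cases the validation is lost without --trust-sender being given. Smaller points: the heading writes "\-\-trust-sender" with an unescaped hyphen while the last paragraph uses "\-\-trust\-sender", and "under-powered client server" should be reworded to say which side is meant.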