Backport patches from upstream to fix among other things CVE-2017-17433

Note that there is no xattr support on OpenBSD so we're not affected by
all the bugs upstreams fixed

discussed with jca, naddy and espie
ok espie (maintainer)

net/rsync/Makefile

@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.77 2016/04/06 21:17:29 sthen Exp $
+# $OpenBSD: Makefile,v 1.78 2017/12/19 19:58:39 danj Exp $
 
 COMMENT =	mirroring/synchronization over low bandwidth links
 
 DISTNAME =	rsync-3.1.2
-REVISION =	0
+REVISION =	1
 CATEGORIES =	net
 HOMEPAGE =	https://rsync.samba.org/
 

net/rsync/patches/patch-receiver_c

@@ -0,0 +1,45 @@
+$OpenBSD: patch-receiver_c,v 1.3 2017/12/19 19:58:39 danj Exp $
+
+Backport from upstream
+3e06d40029cfdce9d0f73d87cfd4edaf54be9c51
+5509597decdbd7b91994210f700329d8a35e70a1
+f5e8a17e093065fb20fea00a29540fe2c7896441
+
+Index: receiver.c
+--- receiver.c.orig
++++ receiver.c
+@@ -583,6 +583,12 @@ int recv_files(int f_in, int f_out, char *local_name)
+ 		if (DEBUG_GTE(RECV, 1))
+ 			rprintf(FINFO, "recv_files(%s)\n", fname);
+ 
++		if (daemon_filter_list.head && (*fname != '.' || fname[1] != '\0')
++		 && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
++			rprintf(FERROR, "attempt to hack rsync failed.\n");
++			exit_cleanup(RERR_PROTOCOL);
++		}
++
+ #ifdef SUPPORT_XATTRS
+ 		if (preserve_xattrs && iflags & ITEM_REPORT_XATTR && do_xfers
+ 		 && !(want_xattr_optim && BITS_SET(iflags, ITEM_XNAME_FOLLOWS|ITEM_LOCAL_CHANGE)))
+@@ -651,12 +657,6 @@ int recv_files(int f_in, int f_out, char *local_name)
+ 
+ 		cleanup_got_literal = 0;
+ 
+-		if (daemon_filter_list.head
+-		    && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0) {
+-			rprintf(FERROR, "attempt to hack rsync failed.\n");
+-			exit_cleanup(RERR_PROTOCOL);
+-		}
+-
+ 		if (read_batch) {
+ 			int wanted = redoing
+ 				   ? we_want_redo(ndx)
+@@ -728,7 +728,7 @@ int recv_files(int f_in, int f_out, char *local_name)
+ 				break;
+ 			}
+ 			if (!fnamecmp || (daemon_filter_list.head
+-			  && check_filter(&daemon_filter_list, FLOG, fname, 0) < 0)) {
++			  && check_filter(&daemon_filter_list, FLOG, fnamecmp, 0) < 0)) {
+ 				fnamecmp = fname;
+ 				fnamecmp_type = FNAMECMP_FNAME;
+ 			}

net/rsync/patches/patch-rsync_c

@@ -0,0 +1,28 @@
+$OpenBSD: patch-rsync_c,v 1.2 2017/12/19 19:58:39 danj Exp $
+
+Backport from upstream
+70aeb5fddd1b2f8e143276f8d5a085db16c593b9
+
+Index: rsync.c
+--- rsync.c.orig
++++ rsync.c
+@@ -49,6 +49,7 @@ extern int flist_eof;
+ extern int file_old_total;
+ extern int keep_dirlinks;
+ extern int make_backups;
++extern int sanitize_paths;
+ extern struct file_list *cur_flist, *first_flist, *dir_flist;
+ extern struct chmod_mode_struct *daemon_chmod_modes;
+ #ifdef ICONV_OPTION
+@@ -396,6 +397,11 @@ int read_ndx_and_attrs(int f_in, int f_out, int *iflag
+ 	if (iflags & ITEM_XNAME_FOLLOWS) {
+ 		if ((len = read_vstring(f_in, buf, MAXPATHLEN)) < 0)
+ 			exit_cleanup(RERR_PROTOCOL);
++
++		if (sanitize_paths) {
++			sanitize_path(buf, buf, "", 0, SP_DEFAULT);
++			len = strlen(buf);
++		}
+ 	} else {
+ 		*buf = '\0';
+ 		len = -1;

net/rsync/patches/patch-xattrs_c

@@ -0,0 +1,19 @@
+$OpenBSD: patch-xattrs_c,v 1.1 2017/12/19 19:58:39 danj Exp $
+
+Backport from upstream
+47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1
+
+Index: xattrs.c
+--- xattrs.c.orig
++++ xattrs.c
+@@ -696,6 +696,10 @@ void receive_xattr(int f, struct file_struct *file)
+ 			out_of_memory("receive_xattr");
+ 		name = ptr + dget_len + extra_len;
+ 		read_buf(f, name, name_len);
++		if (name_len < 1 || name[name_len-1] != '\0') {
++			rprintf(FERROR, "Invalid xattr name received (missing trailing \\0).\n");
++			exit_cleanup(RERR_FILEIO);
++		}
+ 		if (dget_len == datum_len)
+ 			read_buf(f, ptr, dget_len);
+ 		else {