new file mode 100644
@@ -0,0 +1,31 @@
+From fabef23bea6e9963c06e218586fda1a823e3c6bf Mon Sep 17 00:00:00 2001
+From: Wayne Davison <wayne@opencoder.net>
+Date: Mon, 8 Aug 2022 21:30:21 -0700
+Subject: [PATCH] Fix --relative when copying an absolute path.
+
+CVE: CVE-2022-29154
+Upstream-Status: Backport from [https://github.com/WayneD/rsync/commit/fabef23bea6e9963c06e218586fda1a823e3c6bf]
+Signed-off-by: Matthias Schmitz <matthias.schmitz@port4949.net>
+---
+ exclude.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/exclude.c b/exclude.c
+index 2394023f..ba5ca5a3 100644
+--- a/exclude.c
++++ b/exclude.c
+@@ -434,8 +434,10 @@ void add_implied_include(const char *arg)
+ *p++ = *cp++;
+ break;
+ case '/':
+- if (p[-1] == '/') /* This is safe because of the initial slash. */
++ if (p[-1] == '/') { /* This is safe because of the initial slash. */
++ cp++;
+ break;
++ }
+ if (relative_paths) {
+ filter_rule const *ent;
+ int found = 0;
+--
+2.39.2
+
@@ -17,6 +17,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
file://CVE-2016-9842.patch \
file://CVE-2016-9843.patch \
file://CVE-2022-29154.patch \
+ file://0001-Fix-relative-when-copying-an-absolute-path.patch \
"
SRC_URI[md5sum] = "1581a588fde9d89f6bc6201e8129afaf"
Fixes [YOCTO #15383] This bug was introduced into upstream when fixing CVE-2022-29154. It was later discovered and fixed upstream but this fix didn't make it into poky yet. The added patch is taken from upstreams git repository: https://github.com/WayneD/rsync/commit/fabef23bea6e9963c06e218586fda1a823e3c6bf Signed-off-by: Matthias Schmitz <matthias.schmitz@port4949.net> --- ...lative-when-copying-an-absolute-path.patch | 31 +++++++++++++++++++ meta/recipes-devtools/rsync/rsync_3.1.3.bb | 1 + 2 files changed, 32 insertions(+) create mode 100644 meta/recipes-devtools/rsync/files/0001-Fix-relative-when-copying-an-absolute-path.patch