FS#42806 : [rsync] path hijacking vulnerability

FS#42806 - [rsync] path hijacking vulnerability

Attached to Project: Arch Linux
Opened by Yardena Cohen (yardenac) - Sunday, 16 November 2014, 03:56 GMT
Last edited by Pierre Schmitz (Pierre) - Friday, 15 May 2015, 12:45 GMT

Task Type	Bug Report
Category	Security
Status	Closed
Assigned To	Pierre Schmitz (Pierre)
Architecture	All
Severity	Critical
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	1 Christian Rebischke (Shibumi) (2015-03-11)
Private	No

Details

An evil server can force rsync 3.1.1 to write arbitrary data to the filesystem, which can lead to remote code execution.

https://bugzilla.samba.org/show_bug.cgi?id=10936

This task depends upon

Closed by Pierre Schmitz (Pierre)
Friday, 15 May 2015, 12:45 GMT
Reason for closing: Upstream

Comment by Pierre Schmitz (Pierre) - Sunday, 16 November 2014, 17:02 GMT

This needs to be fixed upstream; nothing I can do here.

Comment by Ido Rosen (idorosen) - Monday, 05 January 2015, 02:10 GMT

These two commits address the bug, please apply them as patches:

https://git.samba.org/?p=rsync.git;a=commit;h=371242e4e8150d4f9cc74cdf2d75d8250535175e

and

https://git.samba.org/?p=rsync.git;a=commit;h=4cad402ea8a91031f86c53961d78bb7f4f174790

Comment by Christian Rebischke (Shibumi) - Thursday, 19 February 2015, 20:10 GMT

Is this issue fixed? Does it have a CVE? I ask because I am in the Archlinux-CVE-Monitoring team.
Btw the issue seems fixed upstream: https://bugzilla.samba.org/show_bug.cgi?id=10936

Comment by Pierre Schmitz (Pierre) - Friday, 20 February 2015, 16:57 GMT

The reports states that this was fixed in 3.1.1. I don't see a newer rsync release anyway.

Comment by Pascal Ernster (hardfalcon) - Monday, 13 April 2015, 05:53 GMT

There seems to be yet another bug report upstream for fixing another aspect of the same CVE:

https://bugzilla.samba.org/show_bug.cgi?id=10936#c6
https://bugzilla.samba.org/show_bug.cgi?id=10977

Unfortunately, they've still no fixed it completely, but they've at least fixed it for inc-recursive transfers (which are the defaults):
https://git.samba.org/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b

So for non-inc-recursive transfers, there's still no fix, but Archlinux could at least ship the above-mentioned patch.

Comment by Pierre Schmitz (Pierre) - Friday, 15 May 2015, 12:45 GMT

This will get fixed once upstream decides it's worth a release.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#42806 - [rsync] path hijacking vulnerability

Details

Loading...