| Summary: | net-misc/rsync integer overflow (CVE-2006-2083) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | dertobi123, killerfox, tcort |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://samba.anu.edu.au/ftp/rsync/rsync-2.6.8-NEWS | | |
| Whiteboard: | C1 [glsa] jaervosz | | |
| Package list: | | Runtime testing required: | --- |

Description
Sune Kloppenborg Jeppesen (RETIRED)
2006-04-28 21:43:47 UTC
This is fixed in 2.6.8 which is already in the tree but the advisory is not public yet. Arch Security Liaisons please test and mark stable.

x86 all done :)

ppc stable

stable on ppc64

amd64 stable.

sparc stable.

hppa stable

Stable on alpha + ia64.

jaervosz: this is already stable on ppc64. Or do I miss an argument why you CC'd us again? Please re-add, if I misunderstand this...

Ready for GLSA.

For the drafter: << The vulnerable function is only present when the rsync binary was compiled with the configuration option --enable-xattr-support. This is enabled by default on Fedora Core 5. Furthermore, for the rsync server daemon to be exploited, an attacker must have write access to a module on the server. This is due to the vulnerable code being called only from the recv_file_list() function, which is used when receiving files from the connected peer. >> USE=acl triggers the --enable-xattr-support for Gentoo.

rsync has only ~ppc-macos keywords (no stable keyword for any version). In package.mask. Not stabling.

GLSA 200605-05

arm, mips, s390 don't forget to mark stable to benefit from the GLSA.

Stable on mips.