| Field | Value |
|---|---|
| Summary | net-misc/rsync-3.1.0-r1: Denial of Service (CVE-2014-2855) |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| CC | base-system |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2014/04/14/5 |
| Whiteboard | ~3 [noglsa] |
| Package list | |
| Runtime testing required | --- |
Description
Agostino Sarubbo
2014-04-15 09:52:40 UTC

CVE-2014-2855 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2855): The check_secret function in authenticate.c in rsync 3.1.0 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a user name which does not exist in the secrets file.

Comment 1
Lars Wendler (Polynomial-C)

```
+*rsync-3.1.0-r1 (15 Apr 2014)
+
+  15 Apr 2014; Lars Wendler <polynomial-c@gentoo.org> -rsync-3.1.0.ebuild,
+  +rsync-3.1.0-r1.ebuild,
+  +files/rsync-3.1.1_pre1-avoid_infinite_wait_reading_secrets_file.patch:
+  Security bump (bug #507698). Removed vulnerable version.
```

No stabilization needed as the affected version still is ~arch everywhere.

Comment 2
Agostino Sarubbo

(In reply to Lars Wendler (Polynomial-C) from comment #1)
> No stabilization needed as the affected version still is ~arch everywhere.

Are you sure that 3.0.9 is not affected?

Comment 3
Lars Wendler (Polynomial-C)

(In reply to Agostino Sarubbo from comment #2)
> (In reply to Lars Wendler (Polynomial-C) from comment #1)
> > No stabilization needed as the affected version still is ~arch everywhere.
>
> Are you sure that 3.0.9 is not affected?

No. To be honest, I trusted the bug report from Launchpad, which only mentions rsync-3.1.0.

Comment 4
Agostino Sarubbo

(In reply to Lars Wendler (Polynomial-C) from comment #3)
> No. To be honest I trusted the bug report from launchpad which only mentions
> rsync-3.1.0.

In the doubt... if it is not causing regressions, we can stabilize it to stay safe...

Comment 5
Lars Wendler (Polynomial-C)

(In reply to Agostino Sarubbo from comment #4)
> (In reply to Lars Wendler (Polynomial-C) from comment #3)
> > No. To be honest I trusted the bug report from launchpad which only mentions
> > rsync-3.1.0.
>
> In the doubt...if it is not causing regressions, we can stabilize it to stay
> safe...

I did tests with =net-misc/rsync-3.0.9-r3 and unpatched rsync-3.1.0. rsync-3.0.9-r3 is not affected by this bug; only rsync-3.1.0 and rsync-3.1.1_pre1 (not in portage) are. So no need to rush into stabilization here.

Comment 6

Since we have verification that version rsync-3.0.9-r3 is not vulnerable, and since version 3.1.0 was never stable and has been removed, and rsync-3.1.0-r1 is a non-vulnerable version that can be stabilized separately when ready, I am closing the bug with NOGLSA.
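The CVE text above describes the failure mode (a lookup for an absent user that never reaches "not found"), but not what a correct lookup looks like. The following is an added example, not rsync's code and not the Gentoo patch referenced in the ChangeLog: a bounded scan over a buffer in the rsyncd.secrets `user:password` layout (that layout, the `#` comment convention and the helper names are assumptions of this example) that always terminates at end of input, returning a distinct "not found" status for an unknown user, skipping malformed lines instead of stalling on them, and rejecting prefix matches such as `bo` against `bob`.

```c
/* Added example: bounded lookup over a "user:password" secrets buffer.
 * Not rsync's implementation; the format assumptions are noted inline. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Scan data[0..len) line by line for "user:password".
 * Returns  1 and copies the password into out when the user is present,
 *          0 when end of input is reached without a match (user absent),
 *         -1 when the password would not fit in out.
 * Every iteration advances pos, so the loop cannot run forever. */
int lookup_secret(const char *data, size_t len, const char *user,
                  char *out, size_t outlen)
{
    size_t ulen = strlen(user);
    size_t pos = 0;

    while (pos < len) {
        const char *line = data + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t llen = nl ? (size_t)(nl - line) : len - pos;
        pos += llen + 1;                 /* past this line and its newline */

        if (llen == 0 || line[0] == '#')
            continue;                    /* blank or comment line (assumed '#' syntax) */

        const char *colon = memchr(line, ':', llen);
        if (!colon)
            continue;                    /* malformed line: skip it, never stall */

        /* Require the whole field to match, so "bo" does not match "bob". */
        if ((size_t)(colon - line) == ulen && memcmp(line, user, ulen) == 0) {
            size_t plen = llen - ulen - 1;
            if (plen >= outlen)
                return -1;
            memcpy(out, colon + 1, plen);
            out[plen] = '\0';
            return 1;
        }
    }
    return 0;                            /* end of input: user not present */
}

/* Constructed sample secrets file for the demonstration below. */
static const char SAMPLE[] =
    "# constructed sample secrets file\n"
    "alice:s3cret\n"
    "\n"
    "malformed line without a separator\n"
    "bob:hunter2\n";

/* Convenience wrapper over SAMPLE: 1 if user found with the expected
 * password, 0 if the user is absent, -1 if found with a different one. */
int sample_password_is(const char *user, const char *expected)
{
    char buf[64];
    int rc = lookup_secret(SAMPLE, sizeof(SAMPLE) - 1, user, buf, sizeof buf);
    if (rc != 1)
        return 0;
    return strcmp(buf, expected) == 0 ? 1 : -1;
}

int main(void)
{
    printf("alice/s3cret  -> %d\n", sample_password_is("alice", "s3cret"));
    printf("bob/hunter2   -> %d\n", sample_password_is("bob", "hunter2"));
    printf("mallory       -> %d\n", sample_password_is("mallory", ""));
    printf("bo (prefix)   -> %d\n", sample_password_is("bo", ""));
    printf("alice/wrong   -> %d\n", sample_password_is("alice", "wrong"));
    return 0;
}
```

The property worth checking in a review of any such lookup is the one the CVE describes: the unknown-user path must reach the `return 0` after the last line, which here follows from `pos` strictly increasing on every pass and from malformed or comment lines being skipped rather than re-read.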