Bug#: 216887
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Description:   Opened: 2008-04-08 15:26 0000
Integer overflow -> heap-based buffer overflow on rsync 3.0 and later, only when xattr is enabled.

This issue is currently under embargo until rsync upstream announces the fix.
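The description above names the bug class (an integer overflow in a size computation that leads to a heap-based buffer overflow) but, because of the embargo, shows none of it. The C block below is an added illustration and is not rsync's xattrs.c or the upstream rsync-3.0.1-xattr-alloc.diff; the function names are hypothetical, and the 32-bit "entry count times entry size" product is an assumed shape of the arithmetic, chosen to show why a wrapped size produces an undersized heap allocation and how a check before the multiplication refuses the request instead.

```c
/* Added illustration of the bug class in this report. NOT rsync's code:
 * the names below are hypothetical and the count*elem arithmetic is an
 * assumed shape, standing in for any attacker-influenced size computation
 * done in 32 bits before a heap allocation. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable sizing: plain 32-bit multiply, no overflow check.
 * count = 0x40000000 and elem = 8 give 2^33, which wraps to 0, so the
 * caller would malloc() a tiny buffer and then copy 8 GiB into it. */
uint32_t xattr_list_size_unchecked(uint32_t count, uint32_t elem)
{
    return count * elem;
}

/* Hardened sizing: refuse any request whose product does not fit in
 * uint32_t. Returns the byte size, or -1 when count*elem would wrap. */
int64_t xattr_list_size_checked(uint32_t count, uint32_t elem)
{
    if (elem != 0 && count > UINT32_MAX / elem)
        return -1;                      /* would overflow, reject it */
    return (int64_t)count * elem;
}

/* Compares what the unchecked path allocates with what the copy would
 * actually write. Returns 1 when the allocation is smaller than the data,
 * i.e. a heap overflow would occur; no memory is touched here. */
int would_overrun_unchecked(uint32_t count, uint32_t elem)
{
    uint32_t alloc = xattr_list_size_unchecked(count, elem);
    uint64_t need  = (uint64_t)count * elem;   /* true size, no wrap */
    return need > alloc;
}

/* Simulated receive path using the hardened sizing: allocate, fill, free.
 * Returns 1 if the entries were accepted and fit the buffer by
 * construction, 0 if the list was rejected or allocation failed. */
int receive_entries_checked(uint32_t count, uint32_t elem)
{
    int64_t need = xattr_list_size_checked(count, elem);
    if (need < 0)
        return 0;                       /* oversized list refused */
    unsigned char *buf = malloc(need ? (size_t)need : 1);
    if (!buf)
        return 0;
    memset(buf, 0xAA, (size_t)need);    /* stand-in for copying count entries */
    free(buf);
    return 1;
}

int main(void)
{
    uint32_t count = 0x40000000u, elem = 8u;   /* constructed hostile input */
    printf("unchecked size: %u (overrun: %d)\n",
           xattr_list_size_unchecked(count, elem),
           would_overrun_unchecked(count, elem));
    printf("checked size: %lld\n",
           (long long)xattr_list_size_checked(count, elem));
    printf("benign 16x8 accepted: %d\n", receive_entries_checked(16u, 8u));
    return 0;
}
```

The check is done as a division before the multiply rather than by testing the product afterwards, because unsigned wraparound is well defined and a post-hoc test on the wrapped value cannot distinguish a real 0 from 2^33. Compilers with `__builtin_mul_overflow` make the same point in one call; the division form is used here so the block builds with any C99 compiler.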

------- Comment #1 From Robert Buchholz 2008-04-08 16:21:23 0000 -------
Tomas Hoger:
Seems that the code that is fixed by your patch is included in
rsync-2.6.9/patches/acls.diff, so it seems it may be used by 2.6.9 as
well.

------- Comment #2 From SpanKY 2008-04-08 17:29:13 0000 -------
rsync-3.0.2 was released with the fix and in the tree

------- Comment #3 From Robert Buchholz 2008-04-08 18:40:10 0000 -------
Vapier, thanks for noting this.

2.6.9 also needs to be fixed because it applies the xattr patches. Or should
3.0.2 go through straight stabling?
http://rsync.samba.org/ftp/rsync/security/rsync-3.0.1-xattr-alloc.diff

------- Comment #4 From SpanKY 2008-04-10 03:38:47 0000 -------
While I don't have a problem with rsync-3.0.2 going stable, it may be a little
too soon for the rsync-3 series.

rsync-2.6.9-r6 in the tree with the upstream fix

------- Comment #5 From Robert Buchholz 2008-04-10 09:05:07 0000 -------
Arches, please test and mark stable:
=net-misc/rsync-2.6.9-r6
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh
sparc x86"

------- Comment #6 From Dawid Węgliński 2008-04-10 17:11:48 0000 -------
On x86:

    rsync 2.6.9 configuration successful

make
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m
-fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c rsync.c -o rsync.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m
-fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c generator.c -o
generator.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m
-fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c receiver.c -o
receiver.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m
-fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c cleanup.c -o cleanup.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m
-fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c sender.c -o sender.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m
-fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c exclude.c -o exclude.o
i686-pc-linux-gnu-gcc -std=gnu99 -I. -I. -O2 -march=pentium-m
-fomit-frame-pointer -pipe -DHAVE_CONFIG_H -Wall -W  -c util.c -o util.o
util.c:1264: error: conflicting types for '_realloc_array'
proto.h:325: error: previous declaration of '_realloc_array' was here
make: *** [util.o] Error 1

Portage 2.1.4.4 (default-linux/x86/2007.0/desktop, gcc-4.1.2, glibc-2.6.1-r0,
2.6.23-tuxonice-r10 i686)
=================================================================
System uname: 2.6.23-tuxonice-r10 i686 Intel(R) Celeron(R) M processor 1.50GHz
Timestamp of tree: Thu, 10 Apr 2008 12:45:03 +0000
app-shells/bash:     3.2_p17-r1
dev-lang/python:     2.4.4-r9, 2.5.1-r5
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium-m -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf
/etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=pentium-m -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer parallel-fetch sandbox sfperms sign
strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.virginmedia.com/
ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo http://gentoo.tiscali.nl/"
LC_ALL="en_GB.UTF-8"
LINGUAS="pl en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X acl acpi alsa berkdb cairo cdr cli cracklib crypt dbus dri dvd dvdr
dvdread eds emboss encode esd evo fam firefox fortran gdbm gif gpm gstreamer
hal iconv ipv6 isdnlog jpeg kde kdehiddenvisibility kerberos ldap mad midi
mikmod mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp oss pam
pcre pdf perl png pppd python qt3 qt3support qt4 quicktime readline reflection
sdl session slang spell spl ssl svg tcpd tiff truetype unicode vorbis
win32codecs x86 xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp
atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968
fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop
empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi
null plug rate route share shm softvol" APACHE2_MODULES="actions alias
auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm
authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache
dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache
filter headers include info log_config logio mem_cache mime mime_magic
negotiation rewrite setenvif speling status unique_id userdir usertrack
vhost_alias" ELIBC="glibc" INPUT_DEVICES="mouse keyboard synaptics"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" LINGUAS="pl en_GB" USERLAND="GNU" VIDEO_CARDS="i810"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS,
MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

------- Comment #7 From Tobias Scherbaum 2008-04-10 17:37:05 0000 -------
ppc stable

------- Comment #8 From Raúl Porcel 2008-04-10 18:19:41 0000 -------
alpha/ia64/sparc stable, and compiles fine on x86

------- Comment #9 From Markus Rothe 2008-04-10 18:35:05 0000 -------
ppc64 stable

------- Comment #10 From Markus Meier 2008-04-10 18:48:53 0000 -------
I can reproduce the failure on x86, if the acl USE-flag is set.

------- Comment #11 From Markus Meier 2008-04-10 19:18:38 0000 -------
amd64 stable (no acl-related problems here)

------- Comment #12 From Jeroen Roovers 2008-04-10 19:48:41 0000 -------
Stable for HPPA.

------- Comment #13 From Pierre-Yves Rofes 2008-04-10 20:40:11 0000 -------
base-system, please advise wrt comments #6 and #10.

BTW, updating severity to major, don't know why it was on trivial.

------- Comment #14 From Dawid Węgliński 2008-04-10 21:45:12 0000 -------
Yup, works here if USE="-acl".

------- Comment #15 From SpanKY 2008-04-12 20:30:04 0000 -------
Odd that it builds for so many of us.

should be fixed in cvs now

------- Comment #16 From Dawid Węgliński 2008-04-12 22:34:51 0000 -------
x86 stable

------- Comment #17 From Robert Buchholz 2008-04-17 12:02:29 0000 -------
A2->A1 since this affects the server too.

------- Comment #18 From Robert Buchholz 2008-04-17 12:14:34 0000 -------
GLSA 200804-16

------- Comment #19 From Peter Volkov 2008-04-21 08:01:04 0000 -------
Fixed in release snapshot.
