Bug#: 35036
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: fbusse@gmx.de
Description:   Opened: 2003-12-04 01:55 0000
rsync 2.5.7 fixes a remotely exploitable heap overflow that, together with the
do_brk bug in the kernel, could result in a remote root exploit.
I suggest an updated ebuild and a message to rsync-mirror admins ASAP.

------- Comment #1 From Donnie Berkholz 2003-12-04 01:56:54 0000 -------
Already been done.

------- Comment #2 From Seemant Kulleen (RETIRED) 2003-12-04 01:58:01 0000 -------
we caught this as it came out from the rsync folks :)
Thanks for being vigilant as well though :)

------- Comment #3 From Seemant Kulleen (RETIRED) 2003-12-04 02:06:14 0000 -------
actually I'll reopen -- we may as well track the GLSA request with this bug

------- Comment #4 From fbusse@gmx.de 2003-12-04 02:11:06 0000 -------
Is anybody going to check if the mirrors actually all updated rsyncd (and their
kernel)?

------- Comment #5 From solar 2003-12-04 07:27:56 0000 -------
Gentoo uses 105 mirrors world wide. Many of these mirrors are not even
using Gentoo or Linux, so getting them to update their kernels is going
to be quite a task; however, a mail has been sent to the gentoo-mirrors@
mailing list regarding
http://marc.theaimsgroup.com/?l=rsync-announce&m=107051741303720&w=2

A complete list of rsync mirrors is being compiled now and a remote
version testing script is in the works.  What we are looking at doing
here is removing all servers from the main rotation and having them
report in when they have updated to version 2.5.7 if they are not
already running 2.5.7.

Everyone else should rsync with a mirror you trust then
emerge =net-misc/rsync-2.5.7
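
The triage procedure described in the comment above (collect each mirror's rsync version, pull anything older than 2.5.7 out of rotation until it reports in) as an added example; this is not the script Gentoo infra wrote, and the mirror names and version banners are constructed for the example. One caveat worth knowing: the rsync daemon handshake only announces the protocol number (`@RSYNCD: 26` for the whole 2.5.x series), so probing port 873 cannot tell 2.5.6 from 2.5.7; that is why mirrors have to report their `rsync --version` output themselves, which is what this script parses.

```python
import re
from typing import Dict, List, Optional, Tuple

# The release that fixed the heap overflow, per the bug report.
FIXED_VERSION = (2, 5, 7)

# Constructed sample of "rsync --version" first lines reported by mirrors.
# Hostnames and versions are invented; 2.5.10 never shipped and is only here
# to show why versions must be compared numerically, not as strings.
SAMPLE_REPORTS: Dict[str, str] = {
    "mirror-a.example.org": "rsync  version 2.5.7  protocol version 26",
    "mirror-b.example.org": "rsync  version 2.5.6  protocol version 26",
    "mirror-c.example.org": "rsync  version 2.5.10  protocol version 26",
    "mirror-d.example.org": "rsync: command not found",
}

_VERSION_RE = re.compile(r"rsync\s+version\s+(\d+)\.(\d+)\.(\d+)")


def parse_rsync_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an rsync --version banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(banner: str) -> bool:
    """True only when the banner parses and is at or above the fixed release.

    Tuple comparison is deliberate: as strings, "2.5.10" < "2.5.7", which
    would wrongly flag a newer mirror as vulnerable.
    An unparsable banner is treated as unpatched (fail closed).
    """
    version = parse_rsync_version(banner)
    return version is not None and version >= FIXED_VERSION


def triage_mirrors(reports: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split mirrors into (keep_in_rotation, pull_from_rotation)."""
    keep: List[str] = []
    pull: List[str] = []
    for host, banner in sorted(reports.items()):
        (keep if is_patched(banner) else pull).append(host)
    return keep, pull


if __name__ == "__main__":
    keep, pull = triage_mirrors(SAMPLE_REPORTS)
    print("keep in rotation:", ", ".join(keep))
    print("pull until they report 2.5.7+:", ", ".join(pull))
```

Feeding real reports is a matter of replacing `SAMPLE_REPORTS` with the `rsync --version` lines each mirror admin mails back; anything that fails to parse lands in the pull list, which is the safe default while a mirror's state is unknown.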

------- Comment #6 From Seemant Kulleen (RETIRED) 2003-12-07 09:49:59 0000 -------
closing since we've publicised this via glsa and gwn
