Bug 540000 (CVE-2014-9512) - <net-misc/rsync-3.1.2: remote attackers can write to arbitrary files via a symlink attack (CVE-2014-9512)
Summary: <net-misc/rsync-3.1.2: remote attackers can write to arbitrary files via a sy...
Status: RESOLVED FIXED
Alias: CVE-2014-9512
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa cve]
Reported: 2015-02-13 18:17 UTC by GLSAMaker/CVETool Bot
Modified: 2016-05-30 20:02 UTC

Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2015-02-13 18:17:20 UTC
CVE-2014-9512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9512):
  rsync 3.1.1 allows remote attackers to write to arbitrary files via a
  symlink attack on a file in the synchronization path.


@maintainers: is rsync 3.1.1 ready for stabilization?
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-02-14 08:20:57 UTC
Arches please test and mark stable =net-misc/rsync-3.1.1 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~hppa-hpux ~ia64-hpux ~x86-interix ~amd64-linux ~arm-linux ~ia64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-14 09:52:10 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2015-02-14 13:20:25 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-02-14 13:20:53 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-02-14 13:23:49 UTC
I stabilized it, but I did not understand the bug at all.

> rsync 3.1.1 allows remote attackers to write to arbitrary files via a
> symlink attack on a file in the synchronization path.

The description says that 3.1.1 is vulnerable, so why are we stabilizing 3.1.1?
Comment 6 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-14 13:26:27 UTC
(In reply to Agostino Sarubbo from comment #5)
> I stabilized it, but I did not understand the bug at all.
> 
> > rsync 3.1.1 allows remote attackers to write to arbitrary files via a
> > symlink attack on a file in the synchronization path.
> 
> The description says that 3.1.1 is vulnerable, so why are we stabilizing
> 3.1.1?

You are of course correct. Are we aware of any fix for this issue?
Comment 7 Agostino Sarubbo gentoo-dev 2015-02-14 13:32:54 UTC
(In reply to Kristian Fiskerstrand from comment #6)
> You are of course correct. Are we aware of any fix for this issue?

The nvd description points to https://bugzilla.samba.org/show_bug.cgi?id=10977

which says there is a fix... but I imagine it is more of a workaround.
Comment 8 Markus Meier gentoo-dev 2015-02-26 18:47:32 UTC
arm stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-03-16 04:12:48 UTC
Since we are halfway through the stabilization of net-misc/rsync-3.1.1,
do we want to complete the stabilization?
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-21 20:36:42 UTC
This bug report is weird.

Stable for PPC64.
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-04-26 13:34:04 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-04-28 07:30:36 UTC
alpha stable
Comment 13 Pacho Ramos gentoo-dev 2015-05-15 12:03:36 UTC
ppc stable
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-04-05 10:56:01 UTC
Debian Patch:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778333

Upstream included this in 3.1.2 which is stable in the tree:

https://git.samba.org/?p=rsync.git;a=commit;h=962f8b90045ab331fc04c9e65f80f1a53e68243b

Added to existing GLSA.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-05-30 20:02:30 UTC
This issue was resolved and addressed in
GLSA 201605-04 at https://security.gentoo.org/glsa/201605-04
by GLSA coordinator Yury German (BlueKnight).