Bug 636714 (CVE-2017-16548) - <net-misc/rsync-3.1.2-r1: Heap-based buffer over-read in receive_xattr function (CVE-2017-16548)
Status: RESOLVED FIXED
Alias: CVE-2017-16548
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.samba.org/show_bug.c...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: CVE-2017-17433, CVE-2017-17434
Blocks:
Reported: 2017-11-06 17:53 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-17 03:39 UTC

See Also:
Package list:
=net-misc/rsync-3.1.2-r1
Runtime testing required: ---
stable-bot: sanity-check+

Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-06 17:53:34 UTC
CVE-2017-16548 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16548):
  The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development
  does not check for a trailing '\0' character in an xattr name, which allows
  remote attackers to cause a denial of service (heap-based buffer over-read
  and application crash) or possibly have unspecified other impact by sending
  crafted data to the daemon.
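
The missing check described above, as an added example that is not part of this bug report or of rsync's source: a receiver that rejects a length-prefixed name lacking its trailing '\0' before any string function touches it. The record format, parse_xattr_name and the sample records are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record format (an assumption, not rsync's wire protocol):
 * one length byte, then that many name bytes, the last of which must be
 * the terminating '\0'. */
static const uint8_t good_rec[]   = { 10, 'u','s','e','r','.','t','e','s','t','\0' };
static const uint8_t unterm_rec[] = { 9, 'u','s','e','r','.','t','e','s','t' };
static const uint8_t short_rec[]  = { 10, 'u','s','e','r' };

/* Hypothetical helper: returns a heap copy of the name, or NULL if the
 * record is malformed. On success *used is the number of bytes consumed. */
char *parse_xattr_name(const uint8_t *in, size_t in_len, size_t *used)
{
    if (in_len < 1)
        return NULL;
    size_t name_len = in[0];
    /* The declared length must fit inside the data actually received. */
    if (name_len < 1 || name_len > in_len - 1)
        return NULL;
    /* The check the CVE text says was missing: without a trailing '\0',
     * strlen() or strcmp() on the copy reads past the heap allocation. */
    if (in[name_len] != '\0')
        return NULL;
    char *name = malloc(name_len);
    if (name == NULL)
        return NULL;
    memcpy(name, in + 1, name_len);
    *used = 1 + name_len;
    return name;
}

int main(void)
{
    const struct { const char *label; const uint8_t *p; size_t n; } recs[] = {
        { "terminated",   good_rec,   sizeof good_rec },
        { "unterminated", unterm_rec, sizeof unterm_rec },
        { "truncated",    short_rec,  sizeof short_rec },
    };
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++) {
        size_t used = 0;
        char *name = parse_xattr_name(recs[i].p, recs[i].n, &used);
        printf("%-12s -> %s\n", recs[i].label, name ? name : "rejected");
        free(name);
    }
    return 0;
}
```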
Comment 1 Larry the Git Cow gentoo-dev 2017-11-14 22:40:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61f33ecb79092b9b86d8a95da0950215e6194122

commit 61f33ecb79092b9b86d8a95da0950215e6194122
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-11-14 22:40:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-11-14 22:40:01 +0000

    net-misc/rsync: Rev bump to fix CVE-2017-16548
    
    Bug: https://bugs.gentoo.org/636714
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 .../rsync/files/rsync-3.1.2-CVE-2017-16548.patch   | 17 +++++
 net-misc/rsync/rsync-3.1.2-r1.ebuild               | 89 ++++++++++++++++++++++
 2 files changed, 106 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-14 22:42:48 UTC
@ Arches,

please test and mark stable: =net-misc/rsync-3.1.2-r1
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2017-11-15 13:55:02 UTC
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-15 23:24:51 UTC
ppc/ppc64 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-16 01:38:05 UTC
x86 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-16 07:35:49 UTC
ia64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-17 11:23:11 UTC
Stable on alpha.
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-18 09:32:19 UTC
hppa is already stable by

commit 82185532b04f834a3ec3433d259323feaad694ac
Author: Jeroen Roovers <jer@gentoo.org>
Date:   Thu Nov 16 08:58:42 2017 +0100

    net-misc/rsync: Stable for HPPA too.
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-18 09:41:54 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 10 Markus Meier gentoo-dev 2017-11-19 19:46:58 UTC
arm stable
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-10 19:12:20 UTC
Superseded by bug 640570.
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-16 12:20:31 UTC
Added to an existing GLSA.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2018-01-17 03:39:32 UTC
This issue was resolved and addressed in
 GLSA 201801-16 at https://security.gentoo.org/glsa/201801-16
by GLSA coordinator Mikle Kolyada (Zlogene).