Bug 646818 (CVE-2018-5764) - <net-misc/rsync-3.1.3: Security bypass vulnerability
Status: RESOLVED FIXED
Alias: CVE-2018-5764
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Reported: 2018-02-06 18:36 UTC by GLSAMaker/CVETool Bot
Modified: 2018-05-08 15:29 UTC
Package list:
=net-misc/rsync-3.1.3
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2018-02-06 18:36:47 UTC
CVE-2018-5764 (https://nvd.nist.gov/vuln/detail/CVE-2018-5764):
  The parse_arguments function in options.c in rsyncd in rsync before 3.1.3
  does not prevent multiple --protect-args uses, which allows remote attackers
  to bypass an argument-sanitization protection mechanism.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-02-06 18:37:57 UTC
@Maintainers 3.1.3 is already in tree, please call for stabilization when ready.

Thank you
Comment 2 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-06 23:12:43 UTC
ia64 stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-06 23:27:08 UTC
commit 9c273ebd52e51556f86ec057c18fc0a138a70356
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Wed Feb 7 00:21:21 2018 +0100

    net-misc/rsync: stable 3.1.3 for hppa/sparc, bug #646818
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-02-07 06:09:51 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2018-02-09 08:40:17 UTC
amd64 stable
Comment 6 Mart Raudsepp gentoo-dev 2018-03-02 10:33:08 UTC
arm64 stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-05 10:37:42 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2018-03-06 19:38:12 UTC
arm stable
Comment 9 Matt Turner gentoo-dev 2018-03-12 01:07:04 UTC
ppc/ppc64 done
Comment 10 Markus Meier gentoo-dev 2018-03-13 17:52:26 UTC
arm stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-03-22 17:27:14 UTC
sh stable
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-01 20:50:10 UTC
s390 stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-05-03 08:10:58 UTC
glsa request filed
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2018-05-08 15:29:36 UTC
This issue was resolved and addressed in
 GLSA 201805-04 at https://security.gentoo.org/glsa/201805-04
by GLSA coordinator Aaron Bauman (b-man).