============================================================================ rsnapshot Security Advisory 001 security@rsnapshot.org http://www.rsnapshot.org/security/ Apr 10th, 2005 Nathan Rosenquist ============================================================================ Severity: high Vulnerability: local privilege escalation Fix provided: yes ------------- 1) Background ------------- rsnapshot is a filesystem snapshot utility for making backups of local and remote systems. Using rsync and hard links, it is possible to keep multiple, full backups instantly available. The disk space required is just a little more than the space of one full backup, plus incrementals. ---------------------- 2) Problem description ---------------------- The copy_symlink() subroutine in rsnapshot incorrectly changes file ownership on the files pointed to by symlinks, not on the symlinks themselves. This would allow, under certain circumstances, an arbitrary user to take ownership of a file on the main filesystem. This subroutine is called under the following circumstances: a) If the cmd_cp parameter has NOT been enabled, OR b) If the backup_script parameter is set, and the backup script generates symlinks as part of its output c) AND if the attacker can create symlinks in a directory that is backed up, either by creating them directly or influencing a backup script. This vulnerability has been fixed in rsnapshot versions 1.1.7 and 1.2.1. It is recommended that all users upgrade immediately. ----------------------- 3) Upgrade Instructions ----------------------- For users of rsnapshot 1.2.0, download and install version 1.2.1. For users of rsnapshot 1.1.6 or earlier, download and install version 1.1.7. --------------- rsnapshot 1.2.1 --------------- http://www.rsnapshot.org/downloads/rsnapshot-1.2.1.tar.gz http://www.rsnapshot.org/downloads/rsnapshot-1.2.1.tar.gz.asc [...] --------------- rsnapshot 1.1.7 --------------- http://www.rsnapshot.org/downloads/rsnapshot-1.1.7.tar.gz http://www.rsnapshot.org/downloads/rsnapshot-1.1.7.tar.gz.asc [...] -------------- 4) Workarounds -------------- Enable the cmd_cp parameter (requires GNU cp, and works best on Linux). Make sure any scripts specified by the backup_script parameter do not create symlinks.
kloeri: please bump... If you think 1.2.1 is a stable candidate, I guess only this one is needed... But if you don't think it's a stable candidate, you'll probably have to add the two fixed versions.
I've added 1.2.1 to the tree and stabled it.
Thanks Bryan, please remove insecure versions from the tree if it is safe to do so. This is ready for GLSA.
Removed all vulnerable versions.
GLSA 200504-12
Version 1.1.7 added as a fixed version to the GLSA. No update needed.
