Bug 728852 - <net-misc/rsync-3.2.0: Multiple vulnerabilities (CVE-2016-{9840,9841,9842,9843})
Summary: <net-misc/rsync-3.2.0: Multiple vulnerabilities (CVE-2016-{9840,9841,9842,9843})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://rsync.samba.org/ftp/rsync/rsy...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: 728868 728898 729582
Blocks: CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843
Reported: 2020-06-19 23:20 UTC by Sam James
Modified: 2020-07-28 19:34 UTC

See Also:
Package list:
net-misc/rsync-3.2.0-r1
Runtime testing required: ---
nattka: sanity-check+

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 23:20:22 UTC
From 3.2.0 release notes:
"Various zlib fixes, including security fixes for CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, and CVE-2016-9840."

Also:
"Avoid a potential out-of-bounds read in daemon mode if argc can be made to become 0."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-19 23:21:21 UTC
[Note that USE=system-zlib is not vulnerable to this, because of the fixes in bug 601828].
Comment 2 Larry the Git Cow gentoo-dev 2020-06-20 01:28:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f8b0a10cde068cb69c2714a61b5f8d00e96ea99

commit 9f8b0a10cde068cb69c2714a61b5f8d00e96ea99
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-20 01:20:59 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-20 01:28:09 +0000

    net-misc/rsync: Bump to version 3.2.0. Removed old
    
    Bug: https://bugs.gentoo.org/728852
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/rsync/Manifest                            |  2 +-
 net-misc/rsync/files/rsync-3.2.0-simd_check.patch  | 24 ++++++++++++++++++++++
 .../rsync/files/rsync-3.2.0_pre3-simd_check.patch  | 24 ----------------------
 ...{rsync-3.2.0_pre3.ebuild => rsync-3.2.0.ebuild} |  4 ++--
 4 files changed, 27 insertions(+), 27 deletions(-)
Comment 3 NATTkA bot gentoo-dev 2020-06-21 09:32:29 UTC
Unable to check for sanity:

> no match for package: net-misc/rsync-3.2.0
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-21 20:32:08 UTC
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-21 22:08:13 UTC
arm64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-22 07:00:30 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-22 07:01:07 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-22 07:01:48 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-06-22 07:02:12 UTC
s390 stable
Comment 10 Rolf Eike Beer archtester 2020-06-22 18:36:00 UTC
hppa/sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-06-25 07:00:29 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Larry the Git Cow gentoo-dev 2020-06-25 08:34:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5eb79a6c9300e9385ffb6eac6fff0ef041bef693

commit 5eb79a6c9300e9385ffb6eac6fff0ef041bef693
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-25 08:22:20 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-25 08:34:41 +0000

    net-misc/rsync: Security cleanup
    
    Bug: https://bugs.gentoo.org/728852
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/rsync/Manifest           |  1 -
 net-misc/rsync/rsync-3.1.3.ebuild | 91 ---------------------------------------
 2 files changed, 92 deletions(-)
Comment 13 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2020-06-25 09:23:51 UTC
commit 98406e6c893975bb61cddd26dfbb083bc03c6cb4
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu Jun 25 11:19:46 2020

    Revert "net-misc/rsync: Security cleanup"

    This reverts commit 5eb79a6c9300e9385ffb6eac6fff0ef041bef693.
    because >=rsync-3.2.0 has no riscv keyword yet

    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-06-26 16:30:35 UTC
Cleanup done.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2020-07-28 19:34:52 UTC
This issue was resolved and addressed in
 GLSA 202007-54 at https://security.gentoo.org/glsa/202007-54
by GLSA coordinator Sam James (sam_c).