
Bug 49534

Summary: net-misc/rsync : directory traversal vulnerability
Product: Gentoo Security
Reporter: gen2daniel <gen2daniel>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: m.debruijne
Priority: Highest
Flags: koon: Assigned_To? (koon)
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426
Whiteboard: A3 [glsa] koon
Package list:
Runtime testing required: ---
Bug Depends on: 49707    
Bug Blocks:    
Attachments:
Description Flags
2.6.0-sanitize.patch none

Description gen2daniel 2004-04-30 13:37:54 UTC
From the rsync homepage:
  There is a security fix included in 2.6.1 that affects only people
  running a read/write daemon WITHOUT using chroot. If the user privs
  that such an rsync daemon is using is anything above "nobody", you are
  at risk of someone crafting an attack that could write a file outside
  of the module's "path". Please either enable chroot or upgrade to 2.6.1.
  People not running a daemon, running a read-only daemon, or running a
  chrooted daemon are totally unaffected.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0426 to this issue.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
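
Added example, not part of the original report and not rsync's own code: a small Python check that reads an rsyncd.conf and lists the modules matching the condition quoted above (read/write, "use chroot" off, uid other than nobody). The function names, the constructed sample configuration, the assumed defaults and the treatment of any uid other than the literal "nobody" as "above nobody" are assumptions of this example.

```python
TRUE = {"yes", "true", "1"}
# Assumed defaults (rsyncd.conf(5)): chroot on, modules read-only, uid nobody.
DEFAULTS = {"use chroot": "yes", "read only": "yes", "uid": "nobody"}

def parse_rsyncd_conf(text):
    """Return {module: settings}; lines before the first [module] are globals."""
    globals_, modules, current = dict(DEFAULTS), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(globals_))
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())  # normalise case and spacing
        (globals_ if current is None else current)[key] = value
    return modules

def exposed_modules(text):
    """Modules that are writable, not chrooted, and whose uid is not 'nobody'
    (simplification: any other uid value counts as "above nobody")."""
    hits = []
    for name, cfg in parse_rsyncd_conf(text).items():
        writable = cfg["read only"].lower() not in TRUE
        chrooted = cfg["use chroot"].lower() in TRUE
        if writable and not chrooted and cfg["uid"] != "nobody":
            hits.append(name)
    return hits

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """\
uid = rsync
use chroot = no

[mirror]
path = /srv/mirror

[upload]
path = /srv/upload
read only = no

[jail]
path = /srv/jail
read only = no
use chroot = yes
"""
print(exposed_modules(SAMPLE))
```

Only the writable, non-chrooted module is reported; the read-only and chrooted modules fall under the "totally unaffected" cases in the quoted notice.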
Comment 1 solar (RETIRED) gentoo-dev 2004-04-30 20:14:40 UTC
2.6.1 does not exist.
2.6.2 does however and I'll add this to the tree shortly.
Comment 2 solar (RETIRED) gentoo-dev 2004-04-30 20:29:05 UTC
*rsync-2.6.2 (30 Apr 2004)

  30 Apr 2004; <solar@gentoo.org> rsync-2.6.2.ebuild:
  version bump for security update CAN-2004-0426, bug 49534 this version also
  seems to have the proxy-auth patch merged upstream, USE=acl disabled for now
  due to patching conflicts

Comment 3 solar (RETIRED) gentoo-dev 2004-04-30 20:33:55 UTC
Current keywords
KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~hppa ~amd64 ~ia64 ~ppc64 ~s390"

Arch maintainers please test and mark stable.
Comment 4 Michael McCabe (RETIRED) gentoo-dev 2004-05-01 11:03:44 UTC
Stable on s390
Comment 5 Joshua Kinard gentoo-dev 2004-05-01 17:19:24 UTC
Marked stable on mips.
Comment 6 Jon Portnoy (RETIRED) gentoo-dev 2004-05-01 17:25:32 UTC
Stable on x86 + amd64.
Comment 7 Guy Martin (RETIRED) gentoo-dev 2004-05-01 18:55:28 UTC
Stable on hppa.
Comment 8 Ciaran McCreesh 2004-05-02 02:35:06 UTC
-r1 stable on sparc
Comment 9 Chris Russell (RETIRED) gentoo-dev 2004-05-02 04:55:40 UTC
It seems this version has lost the magic that makes it look in /etc/rsync/ for rsyncd.conf (like bug 12902?)

I'm seeing this in rsync-2.6.2-r1 on x86 and sparc64 but presumably other arches are similarly affected.

Re-adding arches for additional QA.


isengard root # grep rsync /var/log/daemon.log|tail
May  2 23:23:03 isengard rsyncd[13326]: rsync: unable to open configuration file "/etc/rsyncd.conf": No such file or directory 
May  2 23:23:03 isengard rsyncd[13326]: rsync error: syntax or usage error (code 1) at clientserver.c(586) 
isengard root # qpkg rsync -c -v
net-misc/rsync-2.6.2-r1 *
0/22
Comment 10 Tom Gall (RETIRED) gentoo-dev 2004-05-02 07:24:07 UTC
2.6.2 and 2.6.2-r1 both marked stable on ppc64
Comment 11 SpanKY gentoo-dev 2004-05-02 07:30:35 UTC
stable on ppc/arm

just need alpha/ia64
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2004-05-02 13:33:48 UTC
Stable on alpha.
Comment 13 Martin Holzer (RETIRED) gentoo-dev 2004-05-03 12:38:00 UTC
please mark ia64 stable
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-05-04 06:33:41 UTC
rsync-2.6.2-r2 ready for a GLSA draft
-K
Comment 15 Jeffrey Forman (RETIRED) gentoo-dev 2004-05-04 17:28:17 UTC
This issue is being handled. At present time, 2.6.2 has been added to the package.mask file, so users should stay at 2.6.0 for the time being.

-jeffrey

reference bug 49933
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-05-05 01:43:55 UTC
bug 49933 blocks 2.6.2-r2, going back to "wait for ebuild" status.
-K
Comment 17 Tobias Weisserth 2004-05-19 11:25:42 UTC
Just for reference:

http://www.debian.org/security/2004/dsa-499

regards,
Tobias
Comment 18 SpanKY gentoo-dev 2004-07-08 22:53:05 UTC
Created attachment 35051
2.6.0-sanitize.patch
Comment 19 SpanKY gentoo-dev 2004-07-08 23:02:00 UTC
as far as i can tell from poring through the mail/cvs archives, and checking out the debian/redhat patches, the attached patch should be all we need ...

seems like the info was obfuscated, but it seems like the commit happened on Mar 27 2004:
http://lists.samba.org/archive/rsync-cvs/2004-March.txt.gz

those cvs patches were touched up to apply semi-cleanly to 2.6.0

i've sat on this long enough; can someone please double check the patch for me before i go committing 2.6.0-r2 and since 2.6.{1,2} seem pretty hosed ?
Comment 20 SpanKY gentoo-dev 2004-07-09 15:41:23 UTC
as CondorDes pointed out on irc, the hunk for clientserver.c was reversed ... it actually duplicated a block of code that was supposed to be removed ;)

while it doesn't introduce the vuln, it isn't correct :)

i've fixed the patch and added 2.6.0-r2 to portage ... i guess we just need GLSA now ?
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2004-07-10 03:06:26 UTC
First we need it stable :)
Arches : please mark net-misc/rsync-2.6.0-r2 stable.

I'll take care of the draft, I submitted one in the old days already.
Comment 22 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-07-10 03:12:37 UTC
Done on ppc.
Comment 23 SpanKY gentoo-dev 2004-07-10 09:08:36 UTC
hppa stable
Comment 24 Jason Wever (RETIRED) gentoo-dev 2004-07-10 10:08:36 UTC
Stable on sparc.
Comment 25 Ian Leitch (RETIRED) gentoo-dev 2004-07-10 15:19:58 UTC
Stable on x86.
Comment 26 Bryan Østergaard (RETIRED) gentoo-dev 2004-07-10 17:51:38 UTC
Stable on alpha.
Comment 27 Lars Weiler (RETIRED) gentoo-dev 2004-07-10 18:04:25 UTC
Removing ppc from Cc, as it has been forgotten.
Comment 28 Hardave Riar (RETIRED) gentoo-dev 2004-07-10 21:07:15 UTC
Stable on mips
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2004-07-12 01:22:10 UTC
amd64 : please mark rsync-2.6.0-r2 stable so that the GLSA can go out.
Comment 30 Travis Tilley (RETIRED) gentoo-dev 2004-07-12 01:48:02 UTC
sorry for the delay. stable on amd64
Comment 31 Kurt Lieber (RETIRED) gentoo-dev 2004-07-12 06:53:42 UTC
glsa 200407-10
Comment 32 Tom Gall (RETIRED) gentoo-dev 2004-07-13 19:31:02 UTC
stable on ppc64