| Field | Value |
|---|---|
| Summary | net-misc/rsync : directory traversal vulnerability |
| Product | Gentoo Security |
| Reporter | gen2daniel <gen2daniel> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | critical |
| CC | m.debruijne |
| Priority | Highest |
| Flags | koon: Assigned_To? (koon) |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0426 |
| Whiteboard | A3 [glsa] koon |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 49707 |
| Bug Blocks | |
| Attachments | |
Description
gen2daniel
2004-04-30 13:37:54 UTC
2.6.1 does not exist. 2.6.2 does however and I'll add this to the tree shortly.

*rsync-2.6.2 (30 Apr 2004)
30 Apr 2004; <solar@gentoo.org> rsync-2.6.2.ebuild:
version bump for security update CAN-2004-0426, bug 49534
this version also seems to have the proxy-auth patch merged upstream, USE=acl disabled for now due to patching conflicts

Current keywords KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~hppa ~amd64 ~ia64 ~ppc64 ~s390". Arch maintainers please test and mark stable.

Stable on s390

Marked stable on mips.

Stable on x86 + amd64.

Stable on hppa.

-r1 stable on sparc

It seems this version has lost the magic that makes it look in /etc/rsync/ for rsyncd.conf (like bug 12902 ?). I'm seeing this in rsync-2.6.2-r1 on x86 and sparc64 but presumably other arches are similarly affected. Re-adding arches for additional QA.

isengard root # grep rsync /var/log/daemon.log|tail
May 2 23:23:03 isengard rsyncd[13326]: rsync: unable to open configuration file "/etc/rsyncd.conf": No such file or directory
May 2 23:23:03 isengard rsyncd[13326]: rsync error: syntax or usage error (code 1) at clientserver.c(586)
isengard root # qpkg rsync -c -v net-misc/rsync-2.6.2-r1 * 0/22

2.6.2 and 2.6.2-r1 both marked stable on ppc64

stable on ppc/arm, just need alpha/ia64

Stable on alpha.

please mark ia64 stable

rsync-2.6.2-r2 ready for a GLSA draft -K

This issue is being handled. At present time, 2.6.2 has been added to the package.mask file, so users should stay at 2.6.0 for the time being. -jeffrey

reference bug 49933

bug 49933 blocks 2.6.2-r2, going back to "wait for ebuild" status. -K

Just for reference: http://www.debian.org/security/2004/dsa-499 regards, Tobias

Created attachment 35051: 2.6.0-sanitize.patch

As far as I can tell from poring through the mail/cvs archives, and checking out the debian/redhat patches, the attached patch should be all we need ... seems like the info was obfuscated, but it seems like the commit happened on Mar 27 2004: http://lists.samba.org/archive/rsync-cvs/2004-March.txt.gz those cvs patches were touched up to apply semi-cleanly to 2.6.0. I've sat on this long enough; can someone please double check the patch for me before I go committing 2.6.0-r2, since 2.6.{1,2} seem pretty hosed?

As CondorDes pointed out on irc, the hunk for clientserver.c was reversed ... it actually duplicated a block of code that was supposed to be removed ;) while it doesn't introduce the vuln, it isn't correct :) I've fixed the patch and added 2.6.0-r2 to portage ... I guess we just need GLSA now?

First we need it stable :) Arches: please mark net-misc/rsync-2.6.0-r2 stable. I'll take care of the draft, I submitted one in the old days already.

Done on ppc.

hppa stable

Stable on sparc.

Stable on x86.

Stable on alpha.

Removing ppc from Cc, as it has been forgotten.

Stable on mips

amd64: please mark rsync-2.6.0-r2 stable so that the GLSA can go out.

sorry for the delay. stable on amd64

glsa 200407-10

stable on ppc64
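The traversal this bug tracks comes down to a client-supplied path escaping the module root on a non-chrooted rsync daemon, and the fix shipped as a path-sanitising patch. The sketch below is an added illustration of that kind of sanitiser, not rsync's own code and not the attached patch; `sanitize_path` and `sanitized` are hypothetical names, and the limit of 256 components is an arbitrary choice for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical sanitiser (not rsync's): resolve PATH relative to a module
 * root, dropping "." and any ".." that would climb above that root.
 * Writes the cleaned relative path into DEST; returns 0, or -1 on overflow. */
int sanitize_path(char *dest, size_t dest_len, const char *path)
{
    const char *starts[256];   /* start of each kept component */
    size_t lens[256];          /* length of each kept component */
    size_t depth = 0;
    const char *p = path;

    while (*p) {
        while (*p == '/') p++;             /* leading and repeated slashes */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (n == 1 && seg[0] == '.') continue;                 /* "."  */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {        /* ".." */
            if (depth > 0) depth--;   /* at the root there is nowhere to climb */
            continue;
        }
        if (depth == 256) return -1;
        starts[depth] = seg; lens[depth] = n; depth++;
    }
    size_t out = 0;
    for (size_t i = 0; i < depth; i++) {
        if (out + lens[i] + (i ? 1 : 0) + 1 > dest_len) return -1;
        if (i) dest[out++] = '/';
        memcpy(dest + out, starts[i], lens[i]);
        out += lens[i];
    }
    dest[out] = '\0';
    return 0;
}

/* Convenience wrapper returning a static buffer (NULL on overflow). */
const char *sanitized(const char *path)
{
    static char buf[1024];
    return sanitize_path(buf, sizeof buf, path) == 0 ? buf : NULL;
}

int main(void)
{
    const char *in = "../../etc/passwd";   /* constructed sample request */
    printf("%s -> %s\n", in, sanitized(in));
    return 0;
}
```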