Summary: | net-misc/rsync: August 2004 Security Advisory - path-sanitizing bug if not using chroot | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Wernfried Haas (RETIRED) <amne> |
Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | condordes, squinky86 |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://samba.org/rsync/#security_aug04 | ||
Whiteboard: | B4? [glsa] jaervosz | ||
Description
Wernfried Haas (RETIRED)
2004-08-14 04:27:26 UTC
Jon or Mike will work at this?

2.6.0-r3 and 2.6.2-r4 have the updated patch and are now in portage

Arches please mark net-misc/rsync-2.6.0-r3 stable

tested on x86 ppc sparc arm hppa amd64 ia64 and marked stable

marked stable on ppc64, thanks!

marked stable on mips

Stable on alpha.

OK, so if you somehow pass something that looks like "foo/..//bar" to sanitize_path, you will get "/foo/bar" back, which is bad because of the leading slash. I looked at this with an eye towards the Impact section of the GLSA, and here's where I see this being a problem (all line numbers are from rsync 2.6.0):

- The files_from option on the server itself (options.c:677)
- Symlinks. There's a usage of sanitize_path on external data without clean_fname first. I could be wrong about this one, though ... I haven't had a chance to follow that data structure through. (flist.c:580)
- Files that are listed in the files_from file itself. (flist.c:946)
- Possibly other command-line arguments (see clientserver.c:431) although I suspect those are sanitized later (again, I haven't had time to check).

In all (potential) cases, the patch looks good. Please keep in mind I'm not that familiar with the rsync source myself, so I could be wrong on some of these. I would appreciate it if the reporter--or someone else familiar with rsync--could take a look at these and let us know which are actually valid so we can include that information in the GLSA.

The original reporter just picked up the advisory and doesn't have a clue about the rsync source code - sorry ;-)

GLSA 200408-17

s390 please remember to mark stable to benefit from GLSA.
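
The property the comments above turn on (a sanitized path must never come back with a leading slash), as an added C example that is not rsync's code or its patch. `sanitize_rel` and `is_safe_relative` are hypothetical names, and the sample input is the string quoted in the thread.

```c
#include <stdio.h>
#include <string.h>
/* Invariant for a sanitized path: relative, no empty and no ".." component. */
int is_safe_relative(const char *p)
{
    if (*p == '/')
        return 0;
    while (*p) {
        size_t n = strcspn(p, "/");
        if (n == 0 || (n == 2 && !memcmp(p, "..", 2)))
            return 0;
        p += n + (p[n] == '/');            /* step over one separator */
    }
    return 1;
}

/* Hypothetical sanitizer, not rsync's sanitize_path(): rebuilds the path one
 * component at a time. Returns 0 on success, -1 if out is too small. */
int sanitize_rel(const char *in, char *out, size_t outlen)
{
    size_t len = 0;
    if (outlen < 2)
        return -1;
    while (*in) {
        size_t n = strcspn(in, "/");
        if (n == 2 && !memcmp(in, "..", 2)) {
            while (len > 0 && out[--len] != '/') {}  /* drop previous component */
        } else if (n > 0 && !(n == 1 && *in == '.')) {
            if (len + (len ? 1 : 0) + n + 1 > outlen)
                return -1;
            if (len) out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
        }                                  /* "" and "." components are skipped */
        in += n + (in[n] == '/');
    }
    if (len == 0) out[len++] = '.';        /* nothing left: current directory */
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    const char *in = "foo/..//bar";        /* input quoted in the thread */
    if (sanitize_rel(in, buf, sizeof buf) == 0)
        printf("%s -> %s (safe=%d)\n", in, buf, is_safe_relative(buf));
    return 0;
}
```

Running `is_safe_relative` on the output of any sanitizer, at each call site that handles external path data, turns a regression of this kind into a hard failure instead of a silent absolute path.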